From f72aaa6d190e9b6c941898c17faae883b414387b Mon Sep 17 00:00:00 2001
From: Jake Hunsaker
Date: Fri, 12 Jan 2018 10:08:54 -0500
Subject: [selinux] Use semanage and only run if selinux is not disabled
Updates the selinux plugin to only run the builk of selinux commands if selinux is not in a disabled state, as otherwise these commands do not produce useful output. The output of sestatus is still collected even if selinux is disabled so analysts still have a reference point for that information. Additionally, change to using semanage to collect the bulk of the data given that that is the recommended practice. Collection of semanage list output is now always collected, instead of being enabled by the 'list' option.
Resolves: #1209
Signed-off-by: Jake Hunsaker
Signed-off-by: Bryn M. Reeves
---
 sos/plugins/selinux.py | 48 ++++++++++++++++++++++++++++++------------------
 1 file changed, 30 insertions(+), 18 deletions(-)
diff --git a/sos/plugins/selinux.py b/sos/plugins/selinux.py
index 22835bb8..f9140699 100644
--- a/sos/plugins/selinux.py
+++ b/sos/plugins/selinux.py
@@ -23,30 +23,42 @@ class SELinux(Plugin, RedHatPlugin):
 profiles = ('system', 'security', 'openshift')
 option_list = [("fixfiles", 'Print incorrect file context labels',
- 'slow', False),
- ("list", 'List objects and their context', 'slow', False)]
+ 'slow', False)]
 packages = ('libselinux',)
 def setup(self):
- self.add_copy_spec("/etc/selinux")
- self.add_cmd_output([
- "sestatus -b",
- "semodule -l",
- "selinuxdefcon root",
- "selinuxconlist root",
- "selinuxexeccon /bin/passwd",
- "semanage -o -",
- "ps axuZww"
+ self.add_copy_spec([
+ '/etc/sestatus.conf',
+ '/etc/selinux'
 ])
- if self.get_option('fixfiles'):
- self.add_cmd_output("restorecon -Rvn /", stderr=False)
- if self.get_option('list'):
+ self.add_cmd_output('sestatus')
+
+ state = self.get_command_output('getenforce')['output']
+ if state is not 'Disabled':
 self.add_cmd_output([
- "semanage fcontext -l",
- "semanage user -l",
- "semanage login -l",
- "semanage port -l"
+ 'ps auxZww',
+ 'sestatus -v',
+ 'sestatus -b',
+ 'selinuxdefcon root',
+ 'selinuxconlist root',
+ 'selinuxexeccon /bin/passwd',
+ 'semanage -o' # deprecated, may disappear at some point
 ])
+ subcmds = [
+ 'fcontext',
+ 'user',
+ 'port',
+ 'login',
+ 'node',
+ 'interface',
+ 'module'
+ ]
+
+ for subcmd in subcmds:
+ self.add_cmd_output("semanage %s -l" % subcmd)
+
+ if self.get_option('fixfiles'):
+ self.add_cmd_output("restorecon -Rvn /", stderr=False)
 # vim: set et ts=4 sw=4 :
-- cgit
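Review bot: The new guard `if state is not 'Disabled':` in `setup()` tests object identity rather than string contents, so it will be true for essentially any string returned by `get_command_output('getenforce')['output']`, and the gated sestatus/semanage/restorecon commands still run on hosts where SELinux is disabled. Compare by value and tolerate a trailing newline, e.g. `if state.strip() != 'Disabled':`; whether the helper already strips its output is not visible in this hunk. It would also help to add a comment saying what happens when `getenforce` is missing or fails, since an empty output currently falls into the "not disabled" branch. Separately, `'semanage -o'` drops the `-` operand that the removed `"semanage -o -"` passed, so it probably needs to stay `'semanage -o -'` for the customizations to be written to stdout.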