[node-patches] Change in ovirt-node[ovirt-3.5]: persist: fix owner/group copy to /config

fabiand at redhat.com fabiand at redhat.com
Fri Mar 27 11:14:57 UTC 2015


Hello Douglas Schilling Landgraf,

I'd like you to do a code review.  Please visit

    https://gerrit.ovirt.org/39265

to review the following change.

Change subject: persist: fix owner/group copy to /config
......................................................................

persist: fix owner/group copy to /config

In commit 9a1986a8 the ovirt_store_config has been ported
to new ovirt/node package. This new persist function uses
shutil.copy2() to copy the new persisted file to /config but
on POSIX platforms[1], this means that file owner and
group are lost as well as ACLs affecting the permissions
of the persisted file during the mount bind.
This patch makes sure the owner/group/selinux context are correct when
ovirt-node stores a persisted file for later use with correct attributes.
[1] https://docs.python.org/2/library/shutil.html

Change-Id: I4ec3dc1773a0e84eb82c2682f9e145c15216dd91
Bug-Url: https://bugzilla.redhat.com/show_bug.cgi?id=1204535
Signed-off-by: Douglas Schilling Landgraf <dougsland at redhat.com>
---
M src/ovirt/node/utils/fs/__init__.py
M src/ovirt/node/utils/security.py
2 files changed, 34 insertions(+), 0 deletions(-)


  git pull ssh://gerrit.ovirt.org:29418/ovirt-node refs/changes/65/39265/1

diff --git a/src/ovirt/node/utils/fs/__init__.py b/src/ovirt/node/utils/fs/__init__.py
index 965aac2..7297135 100644
--- a/src/ovirt/node/utils/fs/__init__.py
+++ b/src/ovirt/node/utils/fs/__init__.py
@@ -27,6 +27,7 @@
 import shutil
 import errno
 import os
+import stat
 import StringIO
 import re
 import hashlib
@@ -433,6 +434,21 @@
 
             restorecon(abspath)
 
+    def copy_attributes(self, abspath, destpath):
+        """Copy the owner/group, selinux context from abspath to destpath"""
+
+        if not os.path.exists(abspath) or not os.path.exists(destpath):
+            raise RuntimeError("Cannot proceed, check if paths exist!")
+
+        abspath_stat = os.stat(abspath)
+        owner = abspath_stat[stat.ST_UID]
+        group = abspath_stat[stat.ST_GID]
+        os.chown(destpath, owner, group)
+
+        from ...utils import security
+        security.Selinux().chcon(destpath,
+                                 security.Selinux().getcon(abspath))
+
     def _persist_dir(self, abspath):
         """Persist directory and bind mount it back to its current location
         """
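Review bot: os.stat() and os.chown() in copy_attributes follow symbolic links, yet the method is also called from the symlink persist path later in this patch, so for a link it reads the owner of the link's target and changes the owner of whatever persisted_path points to rather than the link itself. Consider os.lstat() and os.lchown() here, and check whether the SELinux context lookup should also be the no-follow variant. The commit message also mentions ACLs being lost, but nothing in this method copies them; either handle ACLs or drop that from the description.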
@@ -443,6 +459,7 @@
             return
 
         shutil.copytree(abspath, persisted_path, symlinks=True)
+        self.copy_attributes(abspath, persisted_path)
         mount.mount(persisted_path, abspath, flags=mount.MS_BIND)
         self._logger.info('Directory "%s" successfully persisted', abspath)
         self._add_path_entry(abspath)
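Review bot: the copy_attributes call after shutil.copytree() only fixes the top-level directory, because copy_attributes does a single os.chown() and a single chcon on destpath. Files and subdirectories inside the persisted tree keep whatever owner, group and context the copy gave them, which is the same loss this change sets out to fix. Walking the tree (for example with os.walk) and applying the attributes per entry would cover the directory case.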
@@ -484,6 +501,7 @@
                                        '"%s": %s', abspath, ose.message)
         self._prepare_dir(abspath, persisted_path)
         shutil.copy2(abspath, persisted_path)
+        self.copy_attributes(abspath, persisted_path)
         mount.mount(persisted_path, abspath, flags=mount.MS_BIND)
         self._logger.info('File "%s" successfully persisted', abspath)
         self._add_path_entry(abspath)
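Review bot: copy_attributes can raise after shutil.copy2() has already written persisted_path (RuntimeError from its own existence check, OSError from os.chown), and nothing in the visible lines catches it. A failure at that point leaves a copy under /config with no bind mount and no path entry. Either handle the exception and remove the partial copy, or log and continue so the mount and _add_path_entry still run, whichever matches the intended behaviour.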
@@ -514,6 +532,7 @@
             self._prepare_dir(abspath, persisted_path)
             os.symlink(current_target, persisted_path)
 
+        self.copy_attributes(abspath, persisted_path)
         self._logger.info('Symbolic link "%s" successfully persisted', abspath)
         self._add_path_entry(abspath)
 
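Review bot: for a symlink whose target does not exist, the os.path.exists() checks inside copy_attributes return False, so this call raises RuntimeError after os.symlink() has already created the persisted link, and the path entry is never added. os.path.lexists() would test the link itself. A short comment on why attributes are copied for links would help too, since the owner of a symlink rarely matters for access checks.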
diff --git a/src/ovirt/node/utils/security.py b/src/ovirt/node/utils/security.py
index 946913b..d979d30 100644
--- a/src/ovirt/node/utils/security.py
+++ b/src/ovirt/node/utils/security.py
@@ -106,6 +106,21 @@
         except OSError:
             self._logger.debug('No default label: "%s"', abspath)
 
+    def getcon(self, abspath):
+        """ Return context of file, symlink or dir """
+        try:
+            return selinux.getfilecon(abspath)[1]
+        except OSError:
+            self._logger.warning('Cannot get selinux context: "%s"', abspath)
+
+    def chcon(self, abspath, context):
+        """ Change selinux security context """
+        try:
+            return selinux.chcon(abspath, context)
+        except OSError:
+            self._logger.warning('Cannot change selinux context: "%s" "%s"',
+                                 (abspath, context))
+
 
 class Ssh(base.Base):
     def __init__(self):
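Review bot: the warning in chcon passes a single tuple, (abspath, context), for a format string with two "%s" placeholders, so the logging module will fail to format the message when the except branch is hit; pass abspath and context as two separate arguments. Separately, getcon falls through and returns None when getfilecon raises OSError, and copy_attributes hands that value straight to chcon; return early or raise so a failed lookup does not turn into an attempt to set a None context. Both docstrings have stray spaces inside the quotes.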


-- 
To view, visit https://gerrit.ovirt.org/39265
To unsubscribe, visit https://gerrit.ovirt.org/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I4ec3dc1773a0e84eb82c2682f9e145c15216dd91
Gerrit-PatchSet: 1
Gerrit-Project: ovirt-node
Gerrit-Branch: ovirt-3.5
Gerrit-Owner: Fabian Deutsch <fabiand at redhat.com>
Gerrit-Reviewer: Douglas Schilling Landgraf <dougsland at redhat.com>
Gerrit-Reviewer: Fabian Deutsch <fabiand at redhat.com>


