Revision e5f5436b
Added by Alexis Mousset over 7 years ago
rudder-server-relay/SOURCES/rudder-relay.fc | ||
---|---|---|
/var/rudder/inventories/accepted-nodes-updates gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
|
||
/var/rudder/inventories/incoming gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
|
||
/var/log/rudder/apache2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
|
||
/opt/rudder/etc/uuid.hive gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
||
|
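Review bot: The two inventory entries, `/var/rudder/inventories/incoming` and `/var/rudder/inventories/accepted-nodes-updates`, have no `(/.*)?` suffix, so they match only the directories themselves, unlike the `/var/log/rudder/apache2(/.*)?` entry below them. Files created there afterwards inherit the directory type, but the `restorecon -R /var/rudder/inventories` run in the spec's %post would presumably relabel files already inside to whatever broader pattern matches them, not to `httpd_sys_rw_content_t`. If httpd is meant to write the contents, consider `/var/rudder/inventories/incoming(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)` and the same form for accepted-nodes-updates.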
rudder-server-relay/SOURCES/rudder-relay.te | ||
---|---|---|
# Source file for rudder-webapp.pp
|
||
# # Generate rudder-webapp.pp by running:
|
||
# # make -f /usr/share/selinux/devel/Makefile
|
||
|
||
module rudder-relay 1.0;
|
||
|
||
require {
|
||
type httpd_log_t;
|
||
type httpd_sys_rw_content_t;
|
||
type httpd_sys_content_t;
|
||
}
|
||
|
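Review bot: The header comment of rudder-relay.te still names the webapp module: it describes the file as the source for `rudder-webapp.pp`, while the module declared below is `rudder-relay`. I would change the lines to `# Source file for rudder-relay.pp` and `# Generate rudder-relay.pp by running:`. A short comment before `require {` would also help, saying that the module adds no allow rules and exists only to load the file contexts from rudder-relay.fc. That is inferred from the visible lines, which show only the three type requirements.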
rudder-server-relay/SPECS/rudder-server-relay.spec | ||
---|---|---|
Source4: rudder-relay-vhost-ssl.conf
|
||
Source5: rudder-relay-apache-common.conf
|
||
Source6: rudder-relay-apache
|
||
Source7: rudder-relay.fc
|
||
Source8: rudder-relay.te
|
||
|
||
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
|
||
BuildArch: noarch
|
||
... | ... | |
Requires: mod_ssl
|
||
%endif
|
||
|
||
## SELinux
|
||
%if 0%{?rhel} && 0%{?rhel} == 6
|
||
BuildRequires: selinux-policy
|
||
%endif
|
||
|
||
%if 0%{?rhel} && 0%{?rhel} >= 7
|
||
BuildRequires: selinux-policy-devel
|
||
%endif
|
||
|
||
%if 0%{?fedora}
|
||
BuildRequires: selinux-policy-devel
|
||
%endif
|
||
|
||
%description
|
||
Rudder is an open source configuration management and audit solution.
|
||
|
||
... | ... | |
#=================================================
|
||
%prep
|
||
|
||
cp -f %{SOURCE7} %{_builddir}
|
||
cp -f %{SOURCE8} %{_builddir}
|
||
|
||
#=================================================
|
||
# Building
|
||
#=================================================
|
||
%build
|
||
|
||
%if 0%{?rhel} || 0%{?fedora}
|
||
# Build SELinux policy package
|
||
# Compiles rudder-relay.te and rudder-relay.fc into rudder-relay.pp
|
||
cd %{_builddir} && make -f /usr/share/selinux/devel/Makefile
|
||
%endif
|
||
|
||
#=================================================
|
||
# Installation
|
||
#=================================================
|
||
... | ... | |
cp %{SOURCE2} %{buildroot}%{rudderdir}/etc/
|
||
cp %{SOURCE3} %{buildroot}%{rudderdir}/etc/
|
||
|
||
%if 0%{?rhel} || 0%{?fedora}
|
||
# Install SELinux policy
|
||
install -m 644 %{_builddir}/rudder-relay.pp %{buildroot}%{rudderdir}/share/selinux/
|
||
%endif
|
||
|
||
%post -n rudder-server-relay
|
||
#=================================================
|
||
# Post Installation
|
||
... | ... | |
/bin/systemctl start %{apache}.service && echo " Done"
|
||
%endif
|
||
|
||
%if 0%{?rhel} || 0%{?fedora}
|
||
# SELinux support
|
||
# Check "sestatus" presence, and if here tweak our installation to be
|
||
# SELinux compliant
|
||
if type sestatus >/dev/null 2>&1 && sestatus | grep -q "enabled"; then
|
||
# Add/Update the rudder-relay SELinux policy
|
||
semodule -i /opt/rudder/share/selinux/rudder-relay.pp
|
||
# Ensure inventory directories context is set by resetting
|
||
# their context to the contexts defined in SELinux configuration,
|
||
# including the file contexts defined in the rudder-relay module
|
||
restorecon -R /var/rudder/inventories
|
||
restorecon -R /var/log/rudder/apache2
|
||
fi
|
||
%endif
|
||
|
||
# Do this ONLY at first install
|
||
if [ $1 -eq 1 ]
|
||
... | ... | |
echo "*****************************************************************************************"
|
||
fi
|
||
|
||
%postun -n rudder-server-relay
|
||
#=================================================
|
||
# Post Uninstallation
|
||
#=================================================
|
||
|
||
%if 0%{?rhel} || 0%{?fedora}
|
||
# Do it only during uninstallation
|
||
if [ $1 -eq 0 ]; then
|
||
if type sestatus >/dev/null 2>&1 && sestatus | grep -q "enabled"; then
|
||
if semodule -l | grep -q rudder-relay; then
|
||
# Remove the rudder-relay SELinux policy
|
||
semanage fcontext -d '/var/rudder/configuration-repository/techniques(/.*)?'
|
||
restorecon -RF /var/rudder/configuration-repository/techniques
|
||
semodule -r rudder-relay
|
||
fi
|
||
fi
|
||
fi
|
||
%endif
|
||
|
||
#=================================================
|
||
# Cleaning
|
||
#=================================================
|
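Review bot: In %postun, the block commented `# Remove the rudder-relay SELinux policy` runs `semanage fcontext -d '/var/rudder/configuration-repository/techniques(/.*)?'` and `restorecon -RF /var/rudder/configuration-repository/techniques`, a path that none of the visible relay lines label; it looks carried over from the webapp package and could drop a file-context rule this package does not own. The paths this module does label are not reset after `semodule -r rudder-relay`, so they would keep their httpd types once the policy is gone. I would replace the two techniques lines with the module removal followed by `restorecon -R /var/rudder/inventories /var/log/rudder/apache2`. Separately, %post never runs restorecon on `/opt/rudder/etc/uuid.hive`, which rudder-relay.fc also labels.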
rudder-webapp/SOURCES/rudder-webapp.fc | ||
---|---|---|
/var/rudder/inventories/accepted-nodes-updates gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
|
||
/var/rudder/inventories/incoming gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
|
||
/var/log/rudder/apache2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
|
||
/opt/rudder/etc/uuid.hive gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
||
|
rudder-webapp/SOURCES/rudder-webapp.te | ||
---|---|---|
# Generate rudder-webapp.pp by running:
|
||
# make -f /usr/share/selinux/devel/Makefile
|
||
|
||
module rudder-webapp 1.1;
|
||
module rudder-webapp 1.2;
|
||
|
||
require {
|
||
type httpd_t;
|
||
... | ... | |
|
||
# Allow httpd daemon to access 8080:tcp via connect method
|
||
allow httpd_t http_cache_port_t:tcp_socket name_connect;
|
||
|
Fixes #9913: Add SELinux config to relay package