
Revision e5f5436b

Added by Alexis Mousset over 7 years ago

Fixes #9913: Add SELinux config to relay package


rudder-server-relay/SOURCES/rudder-relay.fc
/var/rudder/inventories/accepted-nodes-updates gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
/var/rudder/inventories/incoming gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
/var/log/rudder/apache2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
/opt/rudder/etc/uuid.hive gen_context(system_u:object_r:httpd_sys_content_t,s0)
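Review bot: The accepted-nodes-updates and incoming entries match only the directory itself, while the apache2 log entry uses `(/.*)?` to also cover its contents; as written, the `restorecon -R /var/rudder/inventories` run from the spec's %post relabels the directories but leaves any files already inside them with their previous type, so httpd may be able to create new entries yet not read or unlink files that did not inherit its label. If httpd is meant to operate on the files and not just the directories, the entries probably need the same suffix: `/var/rudder/inventories/accepted-nodes-updates(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)` and `/var/rudder/inventories/incoming(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)`. The same four entries appear in rudder-webapp/SOURCES/rudder-webapp.fc further down, so whatever is decided here applies there too.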
rudder-server-relay/SOURCES/rudder-relay.te
# Source file for rudder-webapp.pp
# # Generate rudder-webapp.pp by running:
# # make -f /usr/share/selinux/devel/Makefile
module rudder-relay 1.0;
require {
type httpd_log_t;
type httpd_sys_rw_content_t;
type httpd_sys_content_t;
}
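Review bot: The header comments still describe the webapp policy (`# Source file for rudder-webapp.pp`, `# # Generate rudder-webapp.pp by running:`) although the `module` line declares rudder-relay; this looks copied from rudder-webapp.te and will mislead whoever regenerates the package. Suggest `# Source file for rudder-relay.pp` and `# Generate rudder-relay.pp by running:` (dropping the doubled `# #` as well). The `require` block lists only the types referenced by the file contexts, and the remainder of the module is not in the hunk, so whether any `allow` rules follow cannot be checked here.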
rudder-server-relay/SPECS/rudder-server-relay.spec
Source4: rudder-relay-vhost-ssl.conf
Source5: rudder-relay-apache-common.conf
Source6: rudder-relay-apache
Source7: rudder-relay.fc
Source8: rudder-relay.te
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildArch: noarch
......
Requires: mod_ssl
%endif
## SELinux
%if 0%{?rhel} && 0%{?rhel} == 6
BuildRequires: selinux-policy
%endif
%if 0%{?rhel} && 0%{?rhel} >= 7
BuildRequires: selinux-policy-devel
%endif
%if 0%{?fedora}
BuildRequires: selinux-policy-devel
%endif
%description
Rudder is an open source configuration management and audit solution.
......
#=================================================
%prep
cp -f %{SOURCE7} %{_builddir}
cp -f %{SOURCE8} %{_builddir}
#=================================================
# Building
#=================================================
%build
%if 0%{?rhel} || 0%{?fedora}
# Build SELinux policy package
# Compiles rudder-relay.te and rudder-relay.fc into rudder-relay.pp
cd %{_builddir} && make -f /usr/share/selinux/devel/Makefile
%endif
#=================================================
# Installation
#=================================================
......
cp %{SOURCE2} %{buildroot}%{rudderdir}/etc/
cp %{SOURCE3} %{buildroot}%{rudderdir}/etc/
%if 0%{?rhel} || 0%{?fedora}
# Install SELinux policy
install -m 644 %{_builddir}/rudder-relay.pp %{buildroot}%{rudderdir}/share/selinux/
%endif
%post -n rudder-server-relay
#=================================================
# Post Installation
......
/bin/systemctl start %{apache}.service && echo " Done"
%endif
%if 0%{?rhel} || 0%{?fedora}
# SELinux support
# Check "sestatus" presence, and if here tweak our installation to be
# SELinux compliant
if type sestatus >/dev/null 2>&1 && sestatus | grep -q "enabled"; then
# Add/Update the rudder-relay SELinux policy
semodule -i /opt/rudder/share/selinux/rudder-relay.pp
# Ensure inventory directories context is set by resetting
# their context to the contexts defined in SELinux configuration,
# including the file contexts defined in the rudder-relay module
restorecon -R /var/rudder/inventories
restorecon -R /var/log/rudder/apache2
fi
%endif
# Do this ONLY at first install
if [ $1 -eq 1 ]
......
echo "*****************************************************************************************"
fi
%postun -n rudder-server-relay
#=================================================
# Post Uninstallation
#=================================================
%if 0%{?rhel} || 0%{?fedora}
# Do it only during uninstallation
if [ $1 -eq 0 ]; then
if type sestatus >/dev/null 2>&1 && sestatus | grep -q "enabled"; then
if semodule -l | grep -q rudder-relay; then
# Remove the rudder-relay SELinux policy
semanage fcontext -d '/var/rudder/configuration-repository/techniques(/.*)?'
restorecon -RF /var/rudder/configuration-repository/techniques
semodule -r rudder-relay
fi
fi
fi
%endif
#=================================================
# Cleaning
#=================================================
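Review bot: The %postun scriptlet deletes a file context for `/var/rudder/configuration-repository/techniques(/.*)?` and relabels that tree, but nothing in rudder-relay.fc or elsewhere in this spec references that path — it appears to belong to the webapp package — and `semanage fcontext -d` on a context that was never defined locally normally fails with a "not defined" error. Meanwhile the paths this module does label (/var/rudder/inventories, /var/log/rudder/apache2, /opt/rudder/etc/uuid.hive) keep their httpd_* types after `semodule -r rudder-relay` because nothing relabels them. I would drop the two techniques lines and instead run `restorecon -RF /var/rudder/inventories /var/log/rudder/apache2 /opt/rudder/etc/uuid.hive` after `semodule -r rudder-relay`. In the %post hunk above, the `restorecon -R` calls likewise omit `/opt/rudder/etc/uuid.hive` even though rudder-relay.fc labels it, so that file may keep its previous type until some other relabel runs.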
rudder-webapp/SOURCES/rudder-webapp.fc
/var/rudder/inventories/accepted-nodes-updates gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
/var/rudder/inventories/incoming gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
/var/log/rudder/apache2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
/opt/rudder/etc/uuid.hive gen_context(system_u:object_r:httpd_sys_content_t,s0)
rudder-webapp/SOURCES/rudder-webapp.te
# Generate rudder-webapp.pp by running:
# make -f /usr/share/selinux/devel/Makefile
module rudder-webapp 1.1;
module rudder-webapp 1.2;
require {
type httpd_t;
......
# Allow httpd daemon to access 8080:tcp via connect method
allow httpd_t http_cache_port_t:tcp_socket name_connect;
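Review bot: The comment on the new `allow` rule says it opens 8080/tcp, but `http_cache_port_t` is a port type that in the reference policy also covers other ports (8118, 8123 and the 10001-10010 range, among others), so the grant is wider than the comment suggests and should either be documented as such or, if only 8080 is intended, reconsidered. A more accurate comment would be `# Allow httpd to connect to any port labelled http_cache_port_t (includes 8080/tcp)`. I believe the stock `httpd_can_network_relay` boolean already grants httpd_t name_connect to http_cache_port_t, so this rule may duplicate something an administrator could toggle without a custom module. The `require` block and the rest of the module are outside the hunk.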
