[Kimchi-devel] [PATCH 2/2] Modify Fedora spec file to build and install selinux policy file

Rodrigo Trujillo rodrigo.trujillo at linux.vnet.ibm.com
Thu Oct 30 16:44:46 UTC 2014


This patch changes kimchi.fedora.spec.in so that it builds, installs
and removes kimchid.pp, the policy module that contains the SELinux
rules that open ports for Kimchi.

Signed-off-by: Rodrigo Trujillo <rodrigo.trujillo at linux.vnet.ibm.com>
---
 contrib/kimchi.spec.fedora.in | 20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)

diff --git a/contrib/kimchi.spec.fedora.in b/contrib/kimchi.spec.fedora.in
index d58f3eb..37ec4a7 100644
--- a/contrib/kimchi.spec.fedora.in
+++ b/contrib/kimchi.spec.fedora.in
@@ -27,12 +27,14 @@ Requires:	python-lxml
 Requires:	nfs-utils
 Requires:	nginx
 Requires:	iscsi-initiator-utils
+Requires:	policycoreutils
 Requires:	policycoreutils-python
 Requires:	python-libguestfs
 Requires:	libguestfs-tools
 BuildRequires:	libxslt
 BuildRequires:	python-lxml
 BuildRequires:	python-requests
+BuildRequires:	selinux-policy-devel
 
 %if 0%{?rhel} == 6 || 0%{?fedora} >= 19
 Requires:	spice-html5
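Review bot: The added `Requires: policycoreutils` is a general runtime dependency and is not scoped to the scriptlets that call `semodule` in this patch. For tools invoked from %post and %postun the usual form is `Requires(post): policycoreutils` and `Requires(postun): policycoreutils`, which tells rpm the tool must be present when those scriptlets run. The existing `policycoreutils-python` line may no longer be needed if `semanage` is not called elsewhere in the spec, which cannot be confirmed from this hunk.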
@@ -75,7 +77,9 @@ Web server application to manage KVM/Qemu virtual machines
 %configure --with-spice-html5
 %endif
 make
-
+# Build "kimchi.pp"
+cd selinux
+make -f /usr/share/selinux/devel/Makefile
 
 %install
 rm -rf %{buildroot}
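Review bot: The added comment names `kimchi.pp`, but the module this patch installs and packages is `kimchid.pp`, so the comment should read `# Build the SELinux policy module "kimchid.pp"`. The bare `cd selinux` also leaves the rest of %build running inside that directory, which will surprise anyone who appends a step later. `make -C selinux -f /usr/share/selinux/devel/Makefile` builds the module without changing the working directory.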
@@ -83,6 +87,8 @@ make DESTDIR=%{buildroot} install
 install -Dm 0644 src/kimchi/sos.py \
                  %{buildroot}/%{python_sitelib}/sos/plugins/kimchi.py
 
+install -Dm 0744 selinux/kimchid.pp %{buildroot}%{_datadir}/kimchi/selinux/kimchid.pp
+
 %if 0%{?with_systemd}
 # Install the systemd scripts
 install -Dm 0644 contrib/kimchid.service.fedora %{buildroot}%{_unitdir}/kimchid.service
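Review bot: The policy module is installed with mode `0744`, which sets the owner execute bit on a file that is only ever read by `semodule`. A compiled `.pp` is data, so `install -Dm 0644 selinux/kimchid.pp %{buildroot}%{_datadir}/kimchi/selinux/kimchid.pp` is the appropriate mode and matches the other `install` lines in this section.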
@@ -120,8 +126,8 @@ iptables -I INPUT -p tcp --dport 8001 -j ACCEPT
 iptables -I INPUT -p tcp --dport 64667 -j ACCEPT
 service iptables save >/dev/null 2>&1
 %endif
-# Add SELinux rules to "open" Kimchi ports
-semanage permissive -a httpd_t
+# Install SELinux policy
+semodule -i %{_datadir}/kimchi/selinux/kimchid.pp
 
 %preun
 
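Review bot: Hosts upgraded from an earlier package keep `httpd_t` permissive, because the new %post no longer touches that setting and the old rollback in %postun sat after `exit 0`, so it presumably never ran. A one-time cleanup before loading the module, such as `semanage permissive -d httpd_t >/dev/null 2>&1 || :`, would return the domain to enforcing once the dedicated policy is in place. The `semodule -i` call is also unguarded: if SELinux is disabled or the policy store is unavailable it exits non-zero and the scriptlet fails, so consider appending `|| :` as the `systemctl` calls elsewhere in the spec do. The %post section starts outside this hunk.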
@@ -146,9 +152,10 @@ if [ "$1" -ge 1 ] ; then
     /bin/systemctl try-restart kimchid.service >/dev/null 2>&1 || :
 fi
 exit 0
-# Rollback SELinux rules
-semanage permissive -d httpd_t
-
+if [ $1 -eq 0 ] ; then
+    # Remove the SELinux policy, only during uninstall of the package
+    semodule -r kimchid
+fi
 
 %clean
 rm -rf $RPM_BUILD_ROOT
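Review bot: The new `if [ $1 -eq 0 ]` block is placed after `exit 0`, so it is unreachable and `semodule -r kimchid` never runs; the policy module stays loaded after the package is removed. Move the block above `exit 0`, and quote the argument as the earlier test in this scriptlet does: `if [ "$1" -eq 0 ] ; then`. Adding `|| :` to `semodule -r kimchid` would keep an uninstall from failing on hosts where the module was never loaded. The start of the %postun scriptlet is outside this hunk.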
@@ -183,6 +190,7 @@ rm -rf $RPM_BUILD_ROOT
 %if 0%{?with_systemd}
 %{_unitdir}/kimchid.service
 %{_prefix}/lib/firewalld/services/kimchid.xml
+%{_datadir}/kimchi/selinux/kimchid.pp
 %endif
 %if 0%{?rhel} == 6
 /etc/init/kimchid.conf
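Review bot: The `%{_datadir}/kimchi/selinux/kimchid.pp` entry is listed inside `%if 0%{?with_systemd}`, while the `install` line and the `semodule -i` call added by this patch are both outside any such conditional. On a build without systemd the file would be installed into the buildroot but not listed in %files, which normally fails the build as an installed-but-unpackaged file, and %post would refer to a path the package does not ship. Move the entry out of the conditional so it is packaged on every target. The %files section starts outside this hunk.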
-- 
1.9.3



