Join this patch with "[PATCH 1/2] SELinux policy to allow nginx and
kimchid."
And more comments below:
On 10/30/2014 02:44 PM, Rodrigo Trujillo wrote:
This patch changes kimchi.fedora.spec.in in order to build, install
and remove kimchid.pp, which contains selinux rules to open ports to
Kimchi.
Signed-off-by: Rodrigo Trujillo <rodrigo.trujillo(a)linux.vnet.ibm.com>
---
contrib/kimchi.spec.fedora.in | 20 ++++++++++++++------
1 file changed, 14 insertions(+), 6 deletions(-)
diff --git a/contrib/kimchi.spec.fedora.in b/contrib/kimchi.spec.fedora.in
index d58f3eb..37ec4a7 100644
--- a/contrib/kimchi.spec.fedora.in
+++ b/contrib/kimchi.spec.fedora.in
@@ -27,12 +27,14 @@ Requires: python-lxml
Requires: nfs-utils
Requires: nginx
Requires: iscsi-initiator-utils
+Requires: policycoreutils
Requires: policycoreutils-python
Requires: python-libguestfs
Requires: libguestfs-tools
BuildRequires: libxslt
BuildRequires: python-lxml
BuildRequires: python-requests
+BuildRequires: selinux-policy-devel
%if 0%{?rhel} == 6 || 0%{?fedora} >= 19
Requires: spice-html5
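Review bot: the plain "Requires: policycoreutils" added here does not order the dependency before the scriptlets that need it. This patch calls semodule from %post and from the uninstall scriptlet, so add "Requires(post): policycoreutils" plus the matching qualifier for the scriptlet that runs "semodule -r", so the tool is guaranteed to be present when they execute.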
@@ -75,7 +77,9 @@ Web server application to manage KVM/Qemu virtual machines
%configure --with-spice-html5
%endif
make
-
+# Build "kimchi.pp"
+cd selinux
+make -f /usr/share/selinux/devel/Makefile
%install
rm -rf %{buildroot}
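Review bot: "cd selinux" in %build leaves the rest of the section running inside the subdirectory, which will surprise anyone who later appends a build step; "make -C selinux -f /usr/share/selinux/devel/Makefile" builds the module without changing directory. The added comment also says Build "kimchi.pp" while the file installed and loaded elsewhere in this patch is kimchid.pp, and the blank line that separated "make" from %install has been dropped.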
@@ -83,6 +87,8 @@ make DESTDIR=%{buildroot} install
install -Dm 0644 src/kimchi/sos.py \
%{buildroot}/%{python_sitelib}/sos/plugins/kimchi.py
+install -Dm 0744 selinux/kimchid.pp %{buildroot}%{_datadir}/kimchi/selinux/kimchid.pp
+
%if 0%{?with_systemd}
# Install the systemd scripts
install -Dm 0644 contrib/kimchid.service.fedora
%{buildroot}%{_unitdir}/kimchid.service
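Review bot: mode 0744 on the added install line marks kimchid.pp as executable for its owner, but a compiled policy module is data that semodule reads, not something that is run. 0644, as used for sos.py in the context line just above, is sufficient.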
@@ -120,8 +126,8 @@ iptables -I INPUT -p tcp --dport 8001 -j ACCEPT
iptables -I INPUT -p tcp --dport 64667 -j ACCEPT
service iptables save >/dev/null 2>&1
%endif
-# Add SELinux rules to "open" Kimchi ports
-semanage permissive -a httpd_t
+# Install SELinux policy
+semodule -i %{_datadir}/kimchi/selinux/kimchid.pp
The idea of the spec file is to only install files and not run any
additional commands.
I know there are a lot of commands in our spec files, but the idea is
to remove all of them.
%preun
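Review bot: "semodule -i" is the last command before %preun and runs unguarded, so if it fails (for example because the .pp file is not where the path expects it) its exit status becomes the scriptlet's; decide explicitly whether that should fail the install or be reported and ignored. Separately, the removed "semanage permissive -a httpd_t" gets no cleanup: a host where an earlier build already made httpd_t permissive stays permissive after upgrading, because nothing in this patch runs "semanage permissive -d httpd_t", and the new module then confines nothing in practice on that host.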
@@ -146,9 +152,10 @@ if [ "$1" -ge 1 ] ; then
/bin/systemctl try-restart kimchid.service >/dev/null 2>&1 || :
fi
exit 0
-# Rollback SELinux rules
-semanage permissive -d httpd_t
-
+if [ $1 -eq 0 ] ; then
+ # Remove the SELinux policy, only during uninstall of the package
+ semodule -r kimchid
+fi
Same as commented above.
%clean
rm -rf $RPM_BUILD_ROOT
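Review bot: the added "if [ $1 -eq 0 ]" block sits after the context line "exit 0", so it is never reached and "semodule -r kimchid" never runs on uninstall; the module stays loaded after the package is gone. Move the block above "exit 0", and quote "$1" the way the existing test in this scriptlet does.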
@@ -183,6 +190,7 @@ rm -rf $RPM_BUILD_ROOT
%if 0%{?with_systemd}
%{_unitdir}/kimchid.service
%{_prefix}/lib/firewalld/services/kimchid.xml
+%{_datadir}/kimchi/selinux/kimchid.pp
%endif
%if 0%{?rhel} == 6
/etc/init/kimchid.conf
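Review bot: the new %files entry for kimchid.pp is inside the "%if 0%{?with_systemd}" block, but the install line for it in %install comes before that conditional and runs on every build. Unless another %files entry already covers %{_datadir}/kimchi/selinux, a build without with_systemd installs the file into the buildroot without packaging it; list it outside the conditional.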