
Join this patch with "[PATCH 1/2] SELinux policy to allow nginx and kimchid." And more comments below:

On 10/30/2014 02:44 PM, Rodrigo Trujillo wrote:
This patch changes kimchi.fedora.spec.in in order to build, install and remove kimchid.pp, which contains selinux rules to open ports to Kimchi.
Signed-off-by: Rodrigo Trujillo <rodrigo.trujillo@linux.vnet.ibm.com> --- contrib/kimchi.spec.fedora.in | 20 ++++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-)
diff --git a/contrib/kimchi.spec.fedora.in b/contrib/kimchi.spec.fedora.in index d58f3eb..37ec4a7 100644 --- a/contrib/kimchi.spec.fedora.in +++ b/contrib/kimchi.spec.fedora.in @@ -27,12 +27,14 @@ Requires: python-lxml Requires: nfs-utils Requires: nginx Requires: iscsi-initiator-utils +Requires: policycoreutils Requires: policycoreutils-python Requires: python-libguestfs Requires: libguestfs-tools BuildRequires: libxslt BuildRequires: python-lxml BuildRequires: python-requests +BuildRequires: selinux-policy-devel
%if 0%{?rhel} == 6 || 0%{?fedora} >= 19 Requires: spice-html5 @@ -75,7 +77,9 @@ Web server application to manage KVM/Qemu virtual machines %configure --with-spice-html5 %endif make - +# Build "kimchi.pp" +cd selinux +make -f /usr/share/selinux/devel/Makefile
%install rm -rf %{buildroot} @@ -83,6 +87,8 @@ make DESTDIR=%{buildroot} install install -Dm 0644 src/kimchi/sos.py \ %{buildroot}/%{python_sitelib}/sos/plugins/kimchi.py
+install -Dm 0744 selinux/kimchid.pp %{buildroot}%{_datadir}/kimchi/selinux/kimchid.pp + %if 0%{?with_systemd} # Install the systemd scripts install -Dm 0644 contrib/kimchid.service.fedora %{buildroot}%{_unitdir}/kimchid.service @@ -120,8 +126,8 @@ iptables -I INPUT -p tcp --dport 8001 -j ACCEPT iptables -I INPUT -p tcp --dport 64667 -j ACCEPT service iptables save >/dev/null 2>&1 %endif
-# Add SELinux rules to "open" Kimchi ports -semanage permissive -a httpd_t +# Install SELinux policy +semodule -i %{_datadir}/kimchi/selinux/kimchid.pp
The idea of the spec file is to only install files and not run any additional commands. I know there are a lot of commands in our spec files, but the idea is to remove all of them.
%preun
@@ -146,9 +152,10 @@ if [ "$1" -ge 1 ] ; then /bin/systemctl try-restart kimchid.service >/dev/null 2>&1 || : fi exit 0
-# Rollback SELinux rules -semanage permissive -d httpd_t - +if [ $1 -eq 0 ] ; then + # Remove the SELinux policy, only during uninstall of the package + semodule -r kimchid +fi
Same as commented above.
%clean rm -rf $RPM_BUILD_ROOT @@ -183,6 +190,7 @@ rm -rf $RPM_BUILD_ROOT %if 0%{?with_systemd} %{_unitdir}/kimchid.service %{_prefix}/lib/firewalld/services/kimchid.xml +%{_datadir}/kimchi/selinux/kimchid.pp %endif %if 0%{?rhel} == 6 /etc/init/kimchid.conf
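Review bot: In the @@ -27,12 +27,14 hunk, `Requires: policycoreutils` is a plain runtime dependency, but `semodule` is called from the install and uninstall scriptlets further down. Declaring it as `Requires(post): policycoreutils` and `Requires(postun): policycoreutils` would make sure the tool is present when those scriptlets run.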
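Review bot: In the @@ -75,7 +77,9 hunk, the comment says `# Build "kimchi.pp"` while the file installed and loaded later is `kimchid.pp`, so the comment should name the real artifact. The bare `cd selinux` also changes the working directory for anything later appended to %build; `make -C selinux -f /usr/share/selinux/devel/Makefile` avoids that, and the blank line after `make` that this hunk drops could stay.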
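Review bot: In the @@ -83,6 +87,8 hunk, `install -Dm 0744` marks `kimchid.pp` as owner-executable, but a compiled policy module is data that `semodule` reads. Mode 0644, as used for `sos.py` and `kimchid.service` in the neighbouring lines, is the better fit.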
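Review bot: In the @@ -120,8 +126,8 hunk, `semodule -i %{_datadir}/kimchi/selinux/kimchid.pp` runs with its output and exit status unhandled, unlike `service iptables save >/dev/null 2>&1` directly above it, so a failure to load the module (for example on a host where SELinux is disabled) surfaces as a scriptlet error. Append `>/dev/null 2>&1 || :` in the style the spec already uses for `systemctl try-restart`. Replacing `semanage permissive -a httpd_t` with a dedicated module is the right direction, since it no longer switches off enforcement for the whole `httpd_t` domain.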
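Review bot: In the @@ -146,9 +152,10 hunk, the new `if [ $1 -eq 0 ]` block is added after the `exit 0` context line, so `semodule -r kimchid` is unreachable and the module stays loaded after the package is removed. Move the block above `exit 0` (the removed `semanage permissive -d httpd_t` sat in the same dead position), and quote the argument as `"$1"` to match the `[ "$1" -ge 1 ]` test just before it.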
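Review bot: In the @@ -183,6 +190,7 hunk, `%{_datadir}/kimchi/selinux/kimchid.pp` is listed inside the `%if 0%{?with_systemd}` block of the file list, while the matching `install` line in %install sits before `%if 0%{?with_systemd}` and therefore runs on every build. On a build without systemd the file lands in the buildroot but is not packaged, and the `semodule -i` call then has nothing to load. Move the entry outside the conditional so it matches the unconditional install.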