[Kimchi-devel] [PATCH 2/2] Modify Fedora spec file to build and install selinux policy file
Aline Manera
alinefm at linux.vnet.ibm.com
Thu Oct 30 18:41:57 UTC 2014
Join this patch with "[PATCH 1/2] SELinux policy to allow nginx and
kimchid."
And more comments below:
On 10/30/2014 02:44 PM, Rodrigo Trujillo wrote:
> This patch changes kimchi.fedora.spec.in in order to build, install
> and remove kimchid.pp, which contains selinux rules to open ports to
> Kimchi.
>
> Signed-off-by: Rodrigo Trujillo <rodrigo.trujillo at linux.vnet.ibm.com>
> ---
> contrib/kimchi.spec.fedora.in | 20 ++++++++++++++------
> 1 file changed, 14 insertions(+), 6 deletions(-)
>
> diff --git a/contrib/kimchi.spec.fedora.in b/contrib/kimchi.spec.fedora.in
> index d58f3eb..37ec4a7 100644
> --- a/contrib/kimchi.spec.fedora.in
> +++ b/contrib/kimchi.spec.fedora.in
> @@ -27,12 +27,14 @@ Requires: python-lxml
> Requires: nfs-utils
> Requires: nginx
> Requires: iscsi-initiator-utils
> +Requires: policycoreutils
> Requires: policycoreutils-python
> Requires: python-libguestfs
> Requires: libguestfs-tools
> BuildRequires: libxslt
> BuildRequires: python-lxml
> BuildRequires: python-requests
> +BuildRequires: selinux-policy-devel
>
> %if 0%{?rhel} == 6 || 0%{?fedora} >= 19
> Requires: spice-html5
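Review bot: The added `Requires: policycoreutils` is a plain runtime dependency, but semodule is invoked from the scriptlets changed later in this patch. A scriptlet-scoped dependency such as `Requires(post): policycoreutils` (plus the matching one for the section that runs `semodule -r kimchid`) tells RPM the tool must be present when those scriptlets execute.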
> @@ -75,7 +77,9 @@ Web server application to manage KVM/Qemu virtual machines
> %configure --with-spice-html5
> %endif
> make
> -
> +# Build "kimchi.pp"
> +cd selinux
> +make -f /usr/share/selinux/devel/Makefile
>
> %install
> rm -rf %{buildroot}
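Review bot: `cd selinux` changes the working directory for anything later appended to this build section. `make -C selinux -f /usr/share/selinux/devel/Makefile` builds the module without that side effect. The comment also names "kimchi.pp", while the file installed and packaged elsewhere in this patch is kimchid.pp.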
> @@ -83,6 +87,8 @@ make DESTDIR=%{buildroot} install
> install -Dm 0644 src/kimchi/sos.py \
> %{buildroot}/%{python_sitelib}/sos/plugins/kimchi.py
>
> +install -Dm 0744 selinux/kimchid.pp %{buildroot}%{_datadir}/kimchi/selinux/kimchid.pp
> +
> %if 0%{?with_systemd}
> # Install the systemd scripts
> install -Dm 0644 contrib/kimchid.service.fedora %{buildroot}%{_unitdir}/kimchid.service
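Review bot: Mode 0744 on `selinux/kimchid.pp` sets the owner execute bit on a compiled policy module, which is data and is never executed. Use `install -Dm 0644`, as the sos plugin and the systemd unit in the neighbouring lines do.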
> @@ -120,8 +126,8 @@ iptables -I INPUT -p tcp --dport 8001 -j ACCEPT
> iptables -I INPUT -p tcp --dport 64667 -j ACCEPT
> service iptables save >/dev/null 2>&1
> %endif
> -# Add SELinux rules to "open" Kimchi ports
> -semanage permissive -a httpd_t
> +# Install SELinux policy
> +semodule -i %{_datadir}/kimchi/selinux/kimchid.pp
The idea of the spec file is to only install files and not run any additional
commands.
I know there are a lot of commands in our spec files, but the idea is
to remove all of them.
>
> %preun
>
> @@ -146,9 +152,10 @@ if [ "$1" -ge 1 ] ; then
> /bin/systemctl try-restart kimchid.service >/dev/null 2>&1 || :
> fi
> exit 0
> -# Rollback SELinux rules
> -semanage permissive -d httpd_t
> -
> +if [ $1 -eq 0 ] ; then
> + # Remove the SELinux policy, only during uninstall of the package
> + semodule -r kimchid
> +fi
Same as commented above.
> %clean
> rm -rf $RPM_BUILD_ROOT
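Review bot: The new `if [ $1 -eq 0 ]` block is placed after the existing `exit 0`, so `semodule -r kimchid` is never reached and the module stays loaded after the package is uninstalled. Move the block above `exit 0`, and quote the argument as `"$1"` to match the test a few lines earlier in the same scriptlet.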
> @@ -183,6 +190,7 @@ rm -rf $RPM_BUILD_ROOT
> %if 0%{?with_systemd}
> %{_unitdir}/kimchid.service
> %{_prefix}/lib/firewalld/services/kimchid.xml
> +%{_datadir}/kimchi/selinux/kimchid.pp
> %endif
> %if 0%{?rhel} == 6
> /etc/init/kimchid.conf
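Review bot: The `%{_datadir}/kimchi/selinux/kimchid.pp` entry is added inside the `%if 0%{?with_systemd}` block of the file list, but the matching `install` line in the install section sits before that conditional and runs unconditionally. On a build without with_systemd the file is installed into the buildroot and not listed, so move this entry outside the conditional.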