[node-patches] Change in ovirt-node[master]: selinux: Introduce ovirt-node-selinux sub-package

fabiand at fedoraproject.org fabiand at fedoraproject.org
Thu Apr 18 14:39:14 UTC 2013


Fabian Deutsch has uploaded a new change for review.

Change subject: selinux: Introduce ovirt-node-selinux sub-package
......................................................................

selinux: Introduce ovirt-node-selinux sub-package

Previously the selinux module was compiled and installed during the KS
post section. Now it's generated at build time and installed during
installation.
In addition to the extraction, the policy module was also radically
simplified by dwalsh.

Change-Id: Ie1bfd54fd914ce740a93cd21ad6406e0e230d1d7
Signed-off-by: Fabian Deutsch <fabiand at fedoraproject.org>
---
M Makefile.am
M ovirt-node.spec.in
M recipe/common-pkgs.ks
M recipe/ovirt17-post.ks
A semodule/ovirt.fc
A semodule/ovirt.te
6 files changed, 97 insertions(+), 94 deletions(-)


  git pull ssh://gerrit.ovirt.org:29418/ovirt-node refs/changes/52/14052/1

diff --git a/Makefile.am b/Makefile.am
index cac5f1f..9145e0b 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -38,7 +38,8 @@
   libvirtd.service \
   libvirtd.upstart \
   ovirt-node.spec \
-  ovirt-node.spec.in
+  ovirt-node.spec.in \
+  semodule
 
 DISTCLEANFILES = $(PACKAGE)-$(VERSION).tar.gz
 
diff --git a/ovirt-node.spec.in b/ovirt-node.spec.in
index a6b6a90..8e80611 100644
--- a/ovirt-node.spec.in
+++ b/ovirt-node.spec.in
@@ -152,6 +152,47 @@
 # set read-only
 echo "readonly = true;" > /etc/libvirt-cim.conf
 
+#
+# SELinux subpackage
+#
+%global selinux_variants targeted
+%global selinux_policyver %(%{__sed} -e 's,.*selinux-policy-\\([^/]*\\)/.*,\\1,' /usr/share/selinux/devel/policyhelp || echo 0.0.0)
+%global modulename ovirt
+
+%package selinux
+Summary:          SELinux policy module supporting %{product_family}
+Group:            System Environment/Base
+BuildRequires:    checkpolicy, selinux-policy-devel, /usr/share/selinux/devel/policyhelp, hardlink
+%if "%{selinux_policyver}" != ""
+Requires:         selinux-policy >= %{selinux_policyver}
+%endif
+Requires:         %{name} = %{version}-%{release}
+Requires(post):   /usr/sbin/semodule, /sbin/restorecon
+Requires(postun): /usr/sbin/semodule, /sbin/restorecon
+
+%description selinux
+SELinux policy module supporting %{product_family}
+
+%post selinux
+for selinuxvariant in %{selinux_variants}
+do
+  /usr/sbin/semodule -s ${selinuxvariant} -i \
+    %{_datadir}/selinux/${selinuxvariant}/%{modulename}.pp &> /dev/null || :
+done
+# Is this to greedy?
+/sbin/restorecon -R / || :
+
+%postun selinux
+if [ $1 -eq 0 ] ; then
+  for selinuxvariant in %{selinux_variants}
+  do
+     /usr/sbin/semodule -s ${selinuxvariant} -r %{modulename} &> /dev/null || :
+  done
+  # Is this to greedy?
+  /sbin/restorecon -R / &> /dev/null || :
+fi
+
+
 %prep
 %setup -q
 
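Review bot: `/sbin/restorecon -R /` at the end of `%post selinux` (and again in `%postun selinux`) relabels the entire filesystem on every install and removal of the subpackage, although the module's own file contexts in semodule/ovirt.fc in this change cover only three paths under /etc/rc.d/init.d and /usr/libexec. Scoping the call to those paths, `/sbin/restorecon -R /etc/rc.d/init.d /usr/libexec/ovirt-init-functions.sh || :`, keeps the scriptlet fast and answers the `# Is this to greedy?` question in place (if the comment stays, the word is "too"). The `%if "%{selinux_policyver}" != ""` guard appears never to skip the Requires, because the `%global` above falls back to `echo 0.0.0` when policyhelp is absent; a `selinux-policy >= 0.0.0` dependency is harmless but meaningless, so the fallback could be an empty string so the guard actually does something.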
@@ -163,6 +204,15 @@
 %configure --with-image-minimizer @ARCHIPEL_FLAGS@
 make
 
+# Build SELinux policy module
+cd semodule
+for selinuxvariant in %{selinux_variants}
+do
+    %{__make} NAME=${selinuxvariant} \
+        -f %{?policy_devel_root}%{_datadir}/selinux/devel/Makefile
+    mv -v %{modulename}.pp %{modulename}.pp.${selinuxvariant}
+done
+cd -
 
 %install
 %{__rm} -rf %{buildroot}
@@ -187,6 +237,19 @@
 # python-augeas is not in RHEL-6
 # specific version of python-augeas is not available in Fedora yet
 %{__install} -p -m0644 scripts/augeas.py %{buildroot}%{python_sitelib}
+
+# Install SELinux policy module
+cd semodule
+%{__install} -d %{buildroot}%{_datadir}/selinux
+for selinuxvariant in %{selinux_variants}
+do
+    %{__install} -d %{buildroot}%{_datadir}/selinux/${selinuxvariant}
+    %{__install} -p -m 644 %{modulename}.pp.${selinuxvariant} \
+               %{buildroot}%{_datadir}/selinux/${selinuxvariant}/%{modulename}.pp
+done
+cd -
+
+/usr/sbin/hardlink -cv %{buildroot}%{_datadir}/selinux
 
 
 %clean
@@ -301,6 +364,10 @@
 %endif
 
 
+%files selinux
+%defattr(-,root,root,0755)
+%doc semodule/*.fc semodule/*.te
+%{_datadir}/selinux/*/%{modulename}.pp
 
 
 %files
diff --git a/recipe/common-pkgs.ks b/recipe/common-pkgs.ks
index e041eab..8211282 100644
--- a/recipe/common-pkgs.ks
+++ b/recipe/common-pkgs.ks
@@ -14,6 +14,7 @@
 kvm
 libmlx4
 ovirt-node
+ovirt-node-selinux
 selinux-policy-targeted
 vim-minimal
 sudo
diff --git a/recipe/ovirt17-post.ks b/recipe/ovirt17-post.ks
index 5369ded..e009ab6 100644
--- a/recipe/ovirt17-post.ks
+++ b/recipe/ovirt17-post.ks
@@ -53,99 +53,6 @@
 
 python -m compileall /usr/share/virt-manager
 
-echo "Configuring SELinux"
-# custom module for node specific rules
-mkdir /tmp/SELinux
-cd /tmp/SELinux
-cat > ovirt.te << \EOF_OVIRT_TE
-module ovirt 1.0;
-require {
-    type initrc_t;
-    type initrc_tmp_t;
-    type mount_t;
-    type setfiles_t;
-    type shadow_t;
-    type unconfined_t;
-    type passwd_t;
-    type user_tmp_t;
-    type var_log_t;
-    type net_conf_t;
-    type collectd_t;
-    type virt_etc_t;
-    type loadkeys_t;
-    type initrc_tmp_t;
-    class file { append mounton open getattr read execute ioctl lock entrypoint write };
-    class fd { use };
-    class process { sigchld signull transition noatsecure siginh rlimitinh getattr };
-    class fifo_file { getattr open read write append lock ioctl };
-    class filesystem getattr;
-    class dir { getattr search open read lock ioctl };
-    class socket { read write };
-    class tcp_socket { read write };
-    class udp_socket { read write };
-    class rawip_socket { read write };
-    class netlink_socket { read write };
-    class packet_socket { read write };
-    class unix_stream_socket { read write create ioctl getattr lock setattr append bind connect getopt setopt shutdown connectto };
-    class unix_dgram_socket { read write };
-    class appletalk_socket { read write };
-    class netlink_route_socket { read write };
-    class netlink_firewall_socket { read write };
-    class netlink_tcpdiag_socket { read write };
-    class netlink_nflog_socket { read write };
-    class netlink_xfrm_socket { read write };
-    class netlink_selinux_socket { read write };
-    class netlink_audit_socket { read write };
-    class netlink_ip6fw_socket { read write };
-    class netlink_dnrt_socket { read write };
-    class netlink_kobject_uevent_socket { read write };
-    class tun_socket { read write };
-    class chr_file { getattr read write append ioctl lock open };
-    class lnk_file { getattr read };
-    class sock_file { getattr write open append };
-}
-allow mount_t shadow_t:file mounton;
-allow setfiles_t net_conf_t:file read;
-# Unknown on F18:
-#allow setfiles_t initrc_tmp_t:file append;
-#allow consoletype_t var_log_t:file append;
-#allow passwd_t user_tmp_t:file write;
-# Unknown on F17 brctl_t:
-#allow brctl_t net_conf_t:file read;
-
-#============= collectd_t ==============
-allow collectd_t passwd_file_t:file read;
-allow collectd_t virtd_exec_t:file getattr;
-# Suppose because of collectd libvirt plugin
-allow collectd_t virt_etc_t:file read;
-
-#============= loadkeys_t ==============
-allow loadkeys_t initrc_tmp_t:file { open read };
-
-#============= systemd_localed_t ==============
-allow systemd_localed_t etc_t:file { write rename create setattr };
-allow systemd_localed_t init_t:dbus send_msg;
-allow systemd_localed_t initrc_t:dbus send_msg;
-
-type ovirt_exec_t;
-init_daemon_domain(unconfined_t,ovirt_exec_t)
-EOF_OVIRT_TE
-cat > ovirt.fc << \EOF_OVIRT_FC
-/etc/rc\.d/init\.d/ovirt-firstboot             -- gen_context(system_u:object_r:ovirt_exec_t)
-/etc/rc\.d/init\.d/ovirt-post             -- gen_context(system_u:object_r:ovirt_exec_t)
-EOF_OVIRT_FC
-cat > ovirtmount.te << \EOF_OVIRT_MOUNT_TE
-policy_module(ovirtmount, 1.0)
-gen_require(`
-     type mount_t;
-')
-unconfined_domain(mount_t)
-EOF_OVIRT_MOUNT_TE
-make NAME=targeted -f /usr/share/selinux/devel/Makefile
-semodule -v -i ovirt.pp
-semodule -v -i ovirtmount.pp
-cd /
-rm -rf /tmp/SELinux
 echo "-w /etc/shadow -p wa" >> /etc/audit/audit.rules
 
 # Workaround for packages needing /etc/ovirt-node-image-release
diff --git a/semodule/ovirt.fc b/semodule/ovirt.fc
new file mode 100644
index 0000000..b4d0a2b
--- /dev/null
+++ b/semodule/ovirt.fc
@@ -0,0 +1,4 @@
+/etc/rc\.d/init\.d/ovirt-firstboot    -- gen_context(system_u:object_r:ovirt_exec_t)
+/etc/rc\.d/init\.d/ovirt-post         -- gen_context(system_u:object_r:ovirt_exec_t)
+
+/usr/libexec/ovirt-init-functions.sh  -- gen_context(system_u:object_r:ovirt_exec_t)
diff --git a/semodule/ovirt.te b/semodule/ovirt.te
new file mode 100644
index 0000000..f59925c
--- /dev/null
+++ b/semodule/ovirt.te
@@ -0,0 +1,23 @@
+policy_module(ovirt, 1.0)
+
+gen_require(`
+    type initrc_tmp_t;
+    type mount_t;
+    type setfiles_t;
+    type net_conf_t;
+    type collectd_t;
+    type virt_etc_t;
+    type loadkeys_t;
+    type shadow_t;
+')
+
+allow mount_t shadow_t:file mounton;
+allow setfiles_t net_conf_t:file read;
+allow collectd_t virt_etc_t:file read;
+allow loadkeys_t initrc_tmp_t:file read;
+
+type ovirt_t;
+type ovirt_exec_t;
+init_daemon_domain(ovirt_t, ovirt_exec_t)
+unconfined_domain(ovirt_t)
+unconfined_domain(mount_t)
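Review bot: `unconfined_domain(mount_t)` on the last line widens the system-wide policy for every process running in `mount_t`, not only oVirt's own mounts, and it subsumes `allow mount_t shadow_t:file mounton;` above, which becomes redundant; the module carries no comment explaining why the broad rule is needed, so a header comment naming the operation that motivates it (presumably the shadow bind-mount the removed KS module also allowed) would let the next reviewer judge whether a narrower rule suffices. Likewise `unconfined_domain(ovirt_t)` means the new dedicated `ovirt_t` domain provides labeling but no confinement, which deserves a one-line comment stating it is intentional. `allow loadkeys_t initrc_tmp_t:file read;` drops the `open` permission the removed KS module granted (`{ open read }`), so an open() of that file is presumably still denied under the targeted policy's open_perms capability; the refpolicy pattern `read_files_pattern(loadkeys_t, initrc_tmp_t, initrc_tmp_t)` grants the complete read set, and the same form would suit the `setfiles_t` and `collectd_t` rules.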


--
To view, visit http://gerrit.ovirt.org/14052

Gerrit-MessageType: newchange
Gerrit-Change-Id: Ie1bfd54fd914ce740a93cd21ad6406e0e230d1d7
Gerrit-PatchSet: 1
Gerrit-Project: ovirt-node
Gerrit-Branch: master
Gerrit-Owner: Fabian Deutsch <fabiand at fedoraproject.org>


