From 1666f6257a77fb3e668a86c1dbde1d740ab32fdb Mon Sep 17 00:00:00 2001
From: clime
Date: Sun, 22 Apr 2018 00:31:50 +0200
Subject: [PATCH] copr-keygen: set selinux to enforcing, add custom policy
---
 roles/copr/keygen/selinux/compile.sh | 4 ++++
 roles/copr/keygen/selinux/copr_rules.mod | Bin 0 -> 968 bytes
 roles/copr/keygen/selinux/copr_rules.pp | Bin 0 -> 984 bytes
 roles/copr/keygen/selinux/copr_rules.te | 12 ++++++++++++
 roles/copr/keygen/tasks/main.yml | 21 ++++++++++++++-------
 5 files changed, 30 insertions(+), 7 deletions(-)
 create mode 100644 roles/copr/keygen/selinux/compile.sh
 create mode 100644 roles/copr/keygen/selinux/copr_rules.mod
 create mode 100644 roles/copr/keygen/selinux/copr_rules.pp
 create mode 100644 roles/copr/keygen/selinux/copr_rules.te
diff --git a/roles/copr/keygen/selinux/compile.sh b/roles/copr/keygen/selinux/compile.sh
new file mode 100644
index 0000000000..5eec166609
--- /dev/null
+++ b/roles/copr/keygen/selinux/compile.sh
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+checkmodule -M -m -o copr_rules.mod copr_rules.te
+semodule_package -o copr_rules.pp -m copr_rules.mod
diff --git a/roles/copr/keygen/selinux/copr_rules.mod b/roles/copr/keygen/selinux/copr_rules.mod
new file mode 100644
index 0000000000000000000000000000000000000000..b65038ad848c6004e28ab382284b0e95425f9eb7
GIT binary patch
literal 968
zcmb_aOHKko6f892XXC;PZ~`MYVB=0#9-sq5s|}qQ(!5a@UV#I%!c>?dZHF-~sO05! z-nZUNZFb+=TL3SQqo+`}U!&({-bQ~0;10k5z!mnm0Z=uoD(?qix<3^Qk9_IJ5yV;|J6YY4>%GN36hpEEmF$4eB?q1mKgBA@x6 zy=9GlY&l2hi<471OZ@tJP8B~Dcmsug5VbzEJS8is<}#D?3VErGp5J1h{uMrkAAHO{ AL;wH) literal 0 HcmV?d00001
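Review bot: compile.sh resolves copr_rules.te relative to the caller's working directory and does not stop when checkmodule fails, so semodule_package can happily wrap a stale copr_rules.mod left over from an earlier run; add `set -e` and `cd "$(dirname "$0")"` right after the shebang. Because the playbook deploys the committed copr_rules.pp instead of rebuilding it, a header comment should also state that this script must be rerun and both binaries recommitted whenever copr_rules.te changes, otherwise the policy on the hosts silently diverges from the source that reviewers read.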
diff --git a/roles/copr/keygen/selinux/copr_rules.pp b/roles/copr/keygen/selinux/copr_rules.pp new file mode 100644 index 0000000000000000000000000000000000000000..0642cc91e692c56fb547a20fb7b4abbc549f551f GIT binary patch literal 984 zcmb_a%T5C^3>-i_FCg&){Q?Akz=a!}_<*S01_+IItJDh|`U{Bf?Wt(g3<^;fap*{v zv$kW8v-7oHuJ!=XE&zP4m#cFCk9VW{(Domrhi=+OzYpLtmz`jPGXPCDPcHS*FAf0Q zTwUMhWC`^@%|U*%oJK6VX6Bwk^oKe4o`U%!036%5F|@PeJp9?)*et0fx$sPMlULuE zOC^P&vry(ajK=lpHG?SYUd-lG_cl&0hKVyV`@7sUaR|DuZ3x8(GN36hUozWP$4wM3 zq28olqwM*gxpj?xY~4o~ijz~_OZ?*!1a0d$gN7Q;~c}iANEoCO@Rr1m`dcMUb I{VTi;-%y%CSpWb4 literal 0 HcmV?d00001 diff --git a/roles/copr/keygen/selinux/copr_rules.te b/roles/copr/keygen/selinux/copr_rules.te new file mode 100644 index 0000000000..42d15bbd61 --- /dev/null +++ b/roles/copr/keygen/selinux/copr_rules.te @@ -0,0 +1,12 @@ +module copr_rules 1.0; + +require { + type httpd_t; + type httpd_var_lib_t; + class sock_file getattr; + class sock_file unlink; + class sock_file write; +} + +#============= httpd_t ============== +allow httpd_t httpd_var_lib_t:sock_file { getattr unlink write }; diff --git a/roles/copr/keygen/tasks/main.yml b/roles/copr/keygen/tasks/main.yml index 1390f01494..3f2a900864 100644 --- a/roles/copr/keygen/tasks/main.yml +++ b/roles/copr/keygen/tasks/main.yml @@ -23,13 +23,6 @@ - name: change owner of data to copr-signer file: path=/var/lib/copr-keygen owner=copr-signer group=copr-signer recurse=yes -- selinux: policy=targeted state=permissive - -#- name: install keygen specific packages -# dnf: name="{{ item }}" state=present -# with_items: -# - gnupg2 - - name: put keygen vhost for httpd copy: src="httpd/copr-keygen.conf" dest="/etc/httpd/conf.d/copr-keygen.conf" notify: 
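Review bot: The allow rule in copr_rules.te carries no comment saying which denial it resolves; the `#============= httpd_t ==============` banner reads like audit2allow output, and the next maintainer will have to guess why httpd needs `getattr unlink write` on a socket. Add a comment above the rule such as `# httpd (copr-keygen vhost) needs to stat, write to and remove a unix socket labeled httpd_var_lib_t; generated from an AVC denial, see <TICKET-OR-LOG-REFERENCE>` (placeholder, the page gives no reference). Note that the rule is granted to every process running as httpd_t on the host, not only the keygen vhost, and it covers every httpd_var_lib_t sock_file; presumably that matches the socket under /var/lib/copr-keygen the vhost talks to, but the page does not show the socket's path or label, so that should be confirmed and recorded in the same comment.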
@@ -57,3 +50,17 @@
 - name: setup backup
 when: not devel
 import_tasks: "setup_backup.yml"
+
+# Three tasks for handling our custom selinux module
+- name: ensure a directory exists for our custom selinux module
+ file: dest=/usr/local/share/copr state=directory
+
+- name: copy over our custom selinux module
+ copy: src=selinux/copr_rules.pp dest=/usr/local/share/copr/copr_rules.pp
+ register: selinux_module
+
+- name: install our custom selinux module
+ command: semodule -i /usr/local/share/copr/copr_rules.pp
+ when: selinux_module|changed
+
+- selinux: policy=targeted state=enforcing
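Review bot: The install task guarded by `when: selinux_module|changed` runs only when the copy task changed, so if `semodule -i` fails on that run, or the module is later removed from the host, every following run reports the copy as ok, never reinstalls the module, and the final `selinux: policy=targeted state=enforcing` then enforces without the copr_rules allow rule in place. Gating the install on whether the module is actually loaded makes the task self-healing; the rewritten tasks below add a `semodule -l` probe with `changed_when: false` and install when the module is absent or the file changed. The same line uses `changed` as a filter, which Ansible 2.5 deprecated in favour of the test form `selinux_module is changed`; the page does not say which Ansible version runs this playbook, so check before relying on the old spelling.
```yaml
# … unchanged: directory and copy tasks (copy still registers selinux_module) …
- name: check whether our custom selinux module is loaded
  command: semodule -l
  register: selinux_modules
  changed_when: false

- name: install our custom selinux module
  command: semodule -i /usr/local/share/copr/copr_rules.pp
  when: selinux_module is changed or 'copr_rules' not in selinux_modules.stdout
# … unchanged: selinux enforcing task …
```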