From c2b46df877b4a983b6c225130d4c8cf0cf8cb0fb Mon Sep 17 00:00:00 2001
From: Kevin Fenzi
Date: Sun, 2 Jul 2017 18:45:49 +0000
Subject: [PATCH] initial selinux policy to allow logrotate to rotate mirrorlist container log files
---
.../files/selinux/mirrorlist-logrotate.mod | Bin 0 -> 1204 bytes
.../files/selinux/mirrorlist-logrotate.pp | Bin 0 -> 1220 bytes
.../files/selinux/mirrorlist-logrotate.te | 12 ++++++++++
.../mirrorlist_proxy/tasks/main.yml | 21 ++++++++++++++++++
4 files changed, 33 insertions(+)
create mode 100644 roles/mirrormanager/mirrorlist_proxy/files/selinux/mirrorlist-logrotate.mod
create mode 100644 roles/mirrormanager/mirrorlist_proxy/files/selinux/mirrorlist-logrotate.pp
create mode 100644 roles/mirrormanager/mirrorlist_proxy/files/selinux/mirrorlist-logrotate.te
diff --git a/roles/mirrormanager/mirrorlist_proxy/files/selinux/mirrorlist-logrotate.mod b/roles/mirrormanager/mirrorlist_proxy/files/selinux/mirrorlist-logrotate.mod
new file mode 100644
index 0000000000000000000000000000000000000000..49ca37b8d4e43431ea086fcd61a1d83687dd1a47
GIT binary patch
literal 1204
zcmb_b%Sr?>5NzLq2NC>${Q*V)z>7CM`2iuji4vKaK&E%ygTLShds1pmEzL0FLAM~} z(bZMykpB33|2!9wr~BDM>Xz%-V-CwE?u*EUi0p~Tsr=wlMA}qJE=}t7s>v@UtJioS zBDdE!ca>%V84OSWuDK7X995UMk~E%GZi#JPMc4T@!X0Togw6i2O5tXZq11C~;&J6J zO7t3`jOa%Bq}udRy=p-=Yr_oW`D+LpI{IH!10q>&C-YQIWF zUGKXv&ufPgozi*=)S@*&4*>cYjB~cWV?1c^+yeQC@rB9RwFi9QF@(K0*4CGw<1ZXy zm`kAMp&#$}+c`0%`=9e&0kz@nLfUo;o*%u3Pl&Z0=uvhLQW?V<-C%w^LzwaV$9}lw GjNuy+R#b`r
literal 0
HcmV?d00001
diff --git a/roles/mirrormanager/mirrorlist_proxy/files/selinux/mirrorlist-logrotate.pp b/roles/mirrormanager/mirrorlist_proxy/files/selinux/mirrorlist-logrotate.pp
new file mode 100644
index 0000000000000000000000000000000000000000..f4be1215e3c3fb0c4c15381f8d1c4c5495c70e9b
GIT binary patch
literal 1220
zcmb_b%TB{E5M16!8~}+A=nsJ454doH6CYr?jj4>1SaPwx)hPur_pn4XN%EGs%CXK6p`yfJC`5ah)5H2PPvYq z-qvZFlX?wDBJyx||5#`ikih~4V9b3L^GR{}$Wg;Z;pWh!d2p?70^D)USJh^JT%=F{ zWGM9(>u_4QlN`JTC?mU3J}Wj|P_LTV0;nSf()c}0)MZ=9u9&cS7K6hc43M*J-EsoVoZa1 P@l4^1*FW^aEoTVdy`EQ}
literal 0
HcmV?d00001
diff --git a/roles/mirrormanager/mirrorlist_proxy/files/selinux/mirrorlist-logrotate.te b/roles/mirrormanager/mirrorlist_proxy/files/selinux/mirrorlist-logrotate.te
new file mode 100644
index 0000000000..1028deb976
--- /dev/null
+++ b/roles/mirrormanager/mirrorlist_proxy/files/selinux/mirrorlist-logrotate.te
@@ -0,0 +1,12 @@
+module mirrorlist-logrotate 1.0;
+
+require {
+	type logrotate_t;
+	type svirt_sandbox_file_t;
+	class file { setattr create write };
+	class dir { write add_name remove_name };
+}
+
+#============= logrotate_t ==============
+allow logrotate_t svirt_sandbox_file_t:dir { add_name remove_name write };
+allow logrotate_t svirt_sandbox_file_t:file { setattr create write };
diff --git a/roles/mirrormanager/mirrorlist_proxy/tasks/main.yml b/roles/mirrormanager/mirrorlist_proxy/tasks/main.yml
index ebec1299ea..37c45a0e52 100644
--- a/roles/mirrormanager/mirrorlist_proxy/tasks/main.yml
+++ b/roles/mirrormanager/mirrorlist_proxy/tasks/main.yml
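Review bot: The two allow rules at the end of the new .te grant logrotate_t write, create and setattr on every file labelled svirt_sandbox_file_t, which is the generic label for any container-accessible host path, not only the mirrorlist log directory, so the grant is wider than the commit message describes. A narrower option is to give the log directory its own label (a file context mapping it to a type logrotate_t already handles, or a dedicated type declared in this module) so the rule is scoped to those logs alone. The permission set also looks like a single audit2allow snapshot: log rotation usually needs at least file { read getattr rename unlink } as well, and since SELinux stops an operation at the first denial, a second pass with the domain permissive would show whether more rules are required before the first rotation fails in production. A header comment stating where the rules came from would make the module auditable, e.g. `# Derived from AVC denials seen while logrotate rotated the mirrorlist container logs; the logs live in a container volume, hence svirt_sandbox_file_t`.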
@@ -97,3 +97,24 @@
         cron_file=restart-mirrorlist-containers
   tags:
   - mirrorlist_proxy
+
+# Custom selinux policy to allow logrotate to rotate our mirrorlist logs
+- name: ensure a directory exists for our custom selinux module
+  file: dest=/usr/local/share/mirrorlist-logrotate state=directory
+  tags:
+  - selinux
+  - mirrorlist_proxy
+
+- name: copy over our custom selinux module
+  copy: src=selinux/mirrorlist-logrotate.pp dest=/usr/local/share/mirrorlist-logrotate/mirrorlist-logrotate.pp
+  register: selinux_module
+  tags:
+  - selinux
+  - mirrorlist_proxy
+
+- name: install our custom selinux module
+  command: semodule -i /usr/local/share/mirrorlist-logrotate/mirrorlist-logrotate.pp
+  when: selinux_module|changed
+  tags:
+  - selinux
+  - mirrorlist_proxy
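Review bot: The `semodule -i` task only runs `when: selinux_module|changed`, so if the install fails on that run, or the module is later dropped from the host (a policy package update, a reprovision that keeps the file), nothing reinstalls it until the .pp content changes again. A sturdier condition checks what is actually loaded, e.g. a preceding `command: semodule -l` task with `changed_when: false` registered as `loaded_modules`, and then `when: "'mirrorlist-logrotate' not in loaded_modules.stdout or selinux_module|changed"`. Separately, the policy is shipped as a pre-built .pp blob committed alongside its .te source with nothing tying the two together; building the module on the host from the .te (checkmodule and semodule_package) would make the installed policy verifiably the one that was reviewed.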