pagure: update the selinux configuration for pagure

Split all the selinux tasks in a different file so it's easier to read/find. Adjust the custom policy based on our latest findings. Build and compile the policy directly on the host. Signed-off-by: Pierre-Yves Chibon <pingou@pingoured.fr>
2020-10-01 12:35:29 +02:00 · 2020-10-01 12:35:29 +02:00 · c4431d0a21
commit c4431d0a21
parent aaf335d680
6 changed files with 142 additions and 88 deletions
--- a/roles/pagure/frontend/files/selinux/pagure.fc
+++ b/roles/pagure/frontend/files/selinux/pagure.fc
--- a/roles/pagure/frontend/files/selinux/pagure.if
+++ b/roles/pagure/frontend/files/selinux/pagure.if
@ -1 +0,0 @@
-## <summary></summary>
--- a/roles/pagure/frontend/files/selinux/pagure.pp
+++ b/roles/pagure/frontend/files/selinux/pagure.pp
--- a/roles/pagure/frontend/files/selinux/pagure.te
+++ b/roles/pagure/frontend/files/selinux/pagure.te
@ -1,11 +1,42 @@
-module pagure 1.0;
+module pagure 1.1;

 require {
-        type httpd_t;
-	type gitosis_var_lib_t;
+    type var_t;
+    type var_log_t;
+    type http_port_t;
+    type httpd_t;
+    type postfix_smtpd_t;
+    type postfix_cleanup_t;
+    type ldconfig_exec_t;
+    type gitosis_var_lib_t;
+    type httpd_log_t;
+    type var_run_t;
 	class dir { add_name remove_name write };
-	class file { create link setattr unlink write };
+    class file { execute execute_no_trans getattr map open read rename unlink };
+    class sock_file write;
+    class process execmem;
 }

 allow httpd_t gitosis_var_lib_t:dir { add_name remove_name write };
 allow httpd_t gitosis_var_lib_t:file { create link setattr unlink write };
+
+#============= httpd_t ==============
+
+#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
+allow httpd_t gitosis_var_lib_t:file map;
+allow httpd_t httpd_log_t:file { rename unlink };
+
+#!!!! This avc is allowed in the current policy
+allow httpd_t self:process execmem;
+allow httpd_t var_log_t:file { open rename };
+
+#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
+allow httpd_t var_t:file map;
+allow httpd_t var_t:file { getattr open read };
+
+#============= postfix_cleanup_t ==============
+allow postfix_cleanup_t var_run_t:sock_file write;
+
+#============= postfix_smtpd_t ==============
+allow postfix_smtpd_t var_run_t:sock_file write;
+
--- a/roles/pagure/frontend/tasks/main.yml
+++ b/roles/pagure/frontend/tasks/main.yml
@ -472,91 +472,9 @@
  tags:
  - pagure

- name: check the selinux context of the git repo directory
-  command: matchpathcon /srv/git
-  register: distgitcontext
-  check_mode: no
-  changed_when: false
-  tags:
-  - config
-  - pagure
-  - selinux
-
- name: set the SELinux policy for the distgit root directory
-  command: semanage fcontext -a -t gitosis_var_lib_t "/srv/git(/.*)?"
-  when: distgitcontext.stdout.find('gitosis_var_lib_t') == -1
-  tags:
-  - config
-  - pagure
-  - selinux
-
- name: check the selinux context of the releases directory
-  command: matchpathcon /var/www/releases
-  register: distgitcontext
-  check_mode: no
-  changed_when: false
-  tags:
-  - config
-  - pagure
-  - selinux
-
-# Note: On Fedora its httpd_sys_content_rw_t - Don't we love confusions?
- name: set the SELinux policy for the releases directory
-  command: semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/releases(/.*)?"
-  when: distgitcontext.stdout.find('httpd_sys_rw_content_t') == -1
-  tags:
-  - config
-  - pagure
-  - selinux
-
- name: copy over our custom selinux module
-  copy: src=selinux/pagure.pp dest=/usr/local/share/pagure.pp
-  register: selinux_module
-  tags:
-  - pagure
-
- name: install our custom selinux module
-  command: semodule -i /usr/local/share/pagure.pp
-  when: selinux_module is changed
-  tags:
-  - pagure
-
- name: set sebooleans so pagure can talk to the network (db + redis)
-  seboolean: name=httpd_can_network_connect
-                    state=true
-                    persistent=true
+- import_tasks: selinux.yml
  tags:
  - selinux
-  - web
-  - pagure
-
- name: set sebooleans so apache can send emails
-  seboolean: name=httpd_can_sendmail
-                    state=true
-                    persistent=true
-  tags:
-  - selinux
-  - web
-  - pagure
-
- name: set sebooleans so pygit2 can read the git repos
-  seboolean: name=httpd_execmem
-                    state=true
-                    persistent=true
-  tags:
-  - selinux
-  - web
-  - pagure
-
- name: set sebooleans so ssh can retrieve access info from apache
-  seboolean: name=nise_enabled
-                    state=true
-                    persistent=true
-  tags:
-  - selinux
-  - web
-  - pagure
-

 # Ensure all the services are up and running

--- a/roles/pagure/frontend/tasks/selinux.yml
+++ b/roles/pagure/frontend/tasks/selinux.yml
@ -0,0 +1,106 @@
+---
+- name: check the selinux context of the git repo directory
+  command: matchpathcon /srv/git
+  register: distgitcontext
+  check_mode: no
+  changed_when: false
+  tags:
+  - config
+  - pagure
+  - selinux
+
+- name: set the SELinux policy for the distgit root directory
+  command: semanage fcontext -a -t gitosis_var_lib_t "/srv/git(/.*)?"
+  when: distgitcontext.stdout.find('gitosis_var_lib_t') == -1
+  tags:
+  - config
+  - pagure
+  - selinux
+
+- name: check the selinux context of the releases directory
+  command: matchpathcon /var/www/releases
+  register: distgitcontext
+  check_mode: no
+  changed_when: false
+  tags:
+  - config
+  - pagure
+  - selinux
+
+# Note: On Fedora its httpd_sys_content_rw_t - Don't we love confusions?
+- name: set the SELinux policy for the releases directory
+  command: semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/releases(/.*)?"
+  when: distgitcontext.stdout.find('httpd_sys_rw_content_t') == -1
+  tags:
+  - config
+  - pagure
+  - selinux
+
+- name: copy over our custom selinux module
+  copy: src=selinux/pagure.te dest=/usr/local/share/pagure.te
+  register: selinux_module
+  tags:
+  - config
+  - pagure
+  - selinux
+
+- name: Build our custom selinux module
+  command: checkmodule -M -m -o /usr/local/share/pagure.mod /usr/local/share/pagure.te
+  when: selinux_module is changed
+  tags:
+  - config
+  - pagure
+  - selinux
+
+- name: Compile our custom selinux module
+  command: semodule_package -o /usr/local/share/pagure.pp -m /usr/local/share/pagure.mod
+  when: selinux_module is changed
+  tags:
+  - config
+  - pagure
+  - selinux
+
+- name: install our custom selinux module
+  command: semodule -i /usr/local/share/pagure.pp
+  when: selinux_module is changed
+  tags:
+  - config
+  - pagure
+  - selinux
+
+- name: set sebooleans so pagure can talk to the network (db + redis)
+  seboolean: name=httpd_can_network_connect
+                    state=true
+                    persistent=true
+  tags:
+  - config
+  - selinux
+  - pagure
+
+- name: set sebooleans so apache can send emails
+  seboolean: name=httpd_can_sendmail
+                    state=true
+                    persistent=true
+  tags:
+  - config
+  - selinux
+  - pagure
+
+- name: set sebooleans so pygit2 can read the git repos
+  seboolean: name=httpd_execmem
+                    state=true
+                    persistent=true
+  tags:
+  - config
+  - selinux
+  - pagure
+
+- name: set sebooleans so ssh can retrieve access info from apache
+  seboolean: name=nise_enabled
+                    state=true
+                    persistent=true
+  tags:
+  - config
+  - selinux
+  - pagure
+