diff --git a/roles/pagure/frontend/files/selinux/pagure.fc b/roles/pagure/frontend/files/selinux/pagure.fc
deleted file mode 100644
index e69de29bb2..0000000000
diff --git a/roles/pagure/frontend/files/selinux/pagure.if b/roles/pagure/frontend/files/selinux/pagure.if
deleted file mode 100644
index 3eb6a3057b..0000000000
--- a/roles/pagure/frontend/files/selinux/pagure.if
+++ /dev/null
@@ -1 +0,0 @@
-##
diff --git a/roles/pagure/frontend/files/selinux/pagure.pp b/roles/pagure/frontend/files/selinux/pagure.pp
deleted file mode 100644
index a6248e7014..0000000000
Binary files a/roles/pagure/frontend/files/selinux/pagure.pp and /dev/null differ
diff --git a/roles/pagure/frontend/files/selinux/pagure.te b/roles/pagure/frontend/files/selinux/pagure.te
index d661e611e9..1352e85ac1 100644
--- a/roles/pagure/frontend/files/selinux/pagure.te
+++ b/roles/pagure/frontend/files/selinux/pagure.te
@@ -1,11 +1,42 @@
-module pagure 1.0;
+module pagure 1.1;
 
 require {
-	type httpd_t;
-	type gitosis_var_lib_t;
+	type var_t;
+	type var_log_t;
+	type http_port_t;
+	type httpd_t;
+	type postfix_smtpd_t;
+	type postfix_cleanup_t;
+	type ldconfig_exec_t;
+	type gitosis_var_lib_t;
+	type httpd_log_t;
+	type var_run_t;
 	class dir { add_name remove_name write };
-	class file { create link setattr unlink write };
+	class file { execute execute_no_trans getattr map open read rename unlink };
+	class sock_file write;
+	class process execmem;
 }
 
 allow httpd_t gitosis_var_lib_t:dir { add_name remove_name write };
 allow httpd_t gitosis_var_lib_t:file { create link setattr unlink write };
+
+#============= httpd_t ==============
+
+#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
+allow httpd_t gitosis_var_lib_t:file map;
+allow httpd_t httpd_log_t:file { rename unlink };
+
+#!!!! This avc is allowed in the current policy
+allow httpd_t self:process execmem;
+allow httpd_t var_log_t:file { open rename };
+
+#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
+allow httpd_t var_t:file map;
+allow httpd_t var_t:file { getattr open read };
+
+#============= postfix_cleanup_t ==============
+allow postfix_cleanup_t var_run_t:sock_file write;
+
+#============= postfix_smtpd_t ==============
+allow postfix_smtpd_t var_run_t:sock_file write;
+
diff --git a/roles/pagure/frontend/tasks/main.yml b/roles/pagure/frontend/tasks/main.yml
index 35c292d540..d0f9485217 100644
--- a/roles/pagure/frontend/tasks/main.yml
+++ b/roles/pagure/frontend/tasks/main.yml
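Review bot: `allow httpd_t var_t:file { getattr open read };` and `allow httpd_t var_t:file map;` grant the web server read and mmap access to every file that carries the generic `var_t` label (anything under /var without a more specific type, including mislabeled content), and `var_log_t:file { open rename }` and `var_run_t:sock_file write` for the postfix domains are the same kind of catch-all; the rules should name a dedicated type for the specific pagure paths that produced the AVCs, which is what the now-deleted pagure.fc (or a semanage fcontext task) would be for. `allow httpd_t self:process execmem;` duplicates the `httpd_execmem` boolean this role already sets, and the `require` block declares `http_port_t`, `ldconfig_exec_t` and the `execute execute_no_trans` permissions that no rule uses, which reads as uncurated audit2allow output. Replace the `#!!!! This avc ...` markers with a comment per rule naming the pagure operation it serves, e.g. `# pagure (pygit2) needs to mmap objects in the git repositories` above the `gitosis_var_lib_t:file map` rule, and drop the unused `require` entries.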
@@ -472,91 +472,9 @@ tags: - pagure -- name: check the selinux context of the git repo directory - command: matchpathcon /srv/git - register: distgitcontext - check_mode: no - changed_when: false - tags: - - config - - pagure - - selinux - -- name: set the SELinux policy for the distgit root directory - command: semanage fcontext -a -t gitosis_var_lib_t "/srv/git(/.*)?" - when: distgitcontext.stdout.find('gitosis_var_lib_t') == -1 - tags: - - config - - pagure - - selinux - -- name: check the selinux context of the releases directory - command: matchpathcon /var/www/releases - register: distgitcontext - check_mode: no - changed_when: false - tags: - - config - - pagure - - selinux - -# Note: On Fedora its httpd_sys_content_rw_t - Don't we love confusions? -- name: set the SELinux policy for the releases directory - command: semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/releases(/.*)?" - when: distgitcontext.stdout.find('httpd_sys_rw_content_t') == -1 - tags: - - config - - pagure - - selinux - -- name: copy over our custom selinux module - copy: src=selinux/pagure.pp dest=/usr/local/share/pagure.pp - register: selinux_module - tags: - - pagure - -- name: install our custom selinux module - command: semodule -i /usr/local/share/pagure.pp - when: selinux_module is changed - tags: - - pagure - -- name: set sebooleans so pagure can talk to the network (db + redis) - seboolean: name=httpd_can_network_connect - state=true - persistent=true +- import_tasks: selinux.yml tags: - selinux - - web - - pagure - -- name: set sebooleans so apache can send emails - seboolean: name=httpd_can_sendmail - state=true - persistent=true - tags: - - selinux - - web - - pagure - -- name: set sebooleans so pygit2 can read the git repos - seboolean: name=httpd_execmem - state=true - persistent=true - tags: - - selinux - - web - - pagure - -- name: set sebooleans so ssh can retrieve access info from apache - seboolean: name=nise_enabled - state=true - persistent=true - tags: - - 
selinux - - web - - pagure - # Ensure all the services are up and running diff --git a/roles/pagure/frontend/tasks/selinux.yml b/roles/pagure/frontend/tasks/selinux.yml new file mode 100644 index 0000000000..d38c86d74e --- /dev/null +++ b/roles/pagure/frontend/tasks/selinux.yml 
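Review bot: The new `- import_tasks: selinux.yml` carries only `tags: - selinux`, whereas the seboolean tasks it replaces also carried `web`; since tags on a static import are applied to every imported task, a run limited to `--tags web` will no longer set `httpd_can_network_connect` or `httpd_can_sendmail`. If any playbook or runbook relies on that tag, keep it on the import: `tags: - selinux - web`. The imported tasks already carry `pagure` and `config`, so nothing else is lost by the move.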
@@ -0,0 +1,106 @@ +--- +- name: check the selinux context of the git repo directory + command: matchpathcon /srv/git + register: distgitcontext + check_mode: no + changed_when: false + tags: + - config + - pagure + - selinux + +- name: set the SELinux policy for the distgit root directory + command: semanage fcontext -a -t gitosis_var_lib_t "/srv/git(/.*)?" + when: distgitcontext.stdout.find('gitosis_var_lib_t') == -1 + tags: + - config + - pagure + - selinux + +- name: check the selinux context of the releases directory + command: matchpathcon /var/www/releases + register: distgitcontext + check_mode: no + changed_when: false + tags: + - config + - pagure + - selinux + +# Note: On Fedora its httpd_sys_content_rw_t - Don't we love confusions? +- name: set the SELinux policy for the releases directory + command: semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/releases(/.*)?" + when: distgitcontext.stdout.find('httpd_sys_rw_content_t') == -1 + tags: + - config + - pagure + - selinux + +- name: copy over our custom selinux module + copy: src=selinux/pagure.te dest=/usr/local/share/pagure.te + register: selinux_module + tags: + - config + - pagure + - selinux + +- name: Build our custom selinux module + command: checkmodule -M -m -o /usr/local/share/pagure.mod /usr/local/share/pagure.te + when: selinux_module is changed + tags: + - config + - pagure + - selinux + +- name: Compile our custom selinux module + command: semodule_package -o /usr/local/share/pagure.pp -m /usr/local/share/pagure.mod + when: selinux_module is changed + tags: + - config + - pagure + - selinux + +- name: install our custom selinux module + command: semodule -i /usr/local/share/pagure.pp + when: selinux_module is changed + tags: + - config + - pagure + - selinux + +- name: set sebooleans so pagure can talk to the network (db + redis) + seboolean: name=httpd_can_network_connect + state=true + persistent=true + tags: + - config + - selinux + - pagure + +- name: set sebooleans so apache can 
send emails + seboolean: name=httpd_can_sendmail + state=true + persistent=true + tags: + - config + - selinux + - pagure + +- name: set sebooleans so pygit2 can read the git repos + seboolean: name=httpd_execmem + state=true + persistent=true + tags: + - config + - selinux + - pagure + +- name: set sebooleans so ssh can retrieve access info from apache + seboolean: name=nise_enabled + state=true + persistent=true + tags: + - config + - selinux + - pagure +
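Review bot: The checkmodule, semodule_package and `semodule -i` tasks are all gated on `when: selinux_module is changed`, i.e. on the result of copying pagure.te, so if any of the three fails after the copy succeeded, the next run sees an unchanged .te, skips the whole chain and the host keeps running the old module (1.0) without any task noticing. Wrap the three steps in a block whose rescue removes the copied .te and fails, so a failed build is retried on the next run, or alternatively add a `semodule -l` check and include "module not installed at the expected version" in the `when` condition. Separately, the `semanage fcontext -a` tasks carried over for /srv/git and /var/www/releases are still not followed by a `restorecon -R`, so files that already exist keep their previous label unless that is done elsewhere in the role.

```yaml
- name: build and install our custom selinux module
  block:
    - name: Build our custom selinux module
      command: checkmodule -M -m -o /usr/local/share/pagure.mod /usr/local/share/pagure.te
    - name: Compile our custom selinux module
      command: semodule_package -o /usr/local/share/pagure.pp -m /usr/local/share/pagure.mod
    - name: install our custom selinux module
      command: semodule -i /usr/local/share/pagure.pp
  rescue:
    # remove the copied .te so the next run re-triggers the build instead of
    # silently running with the previously loaded policy version
    - file:
        path: /usr/local/share/pagure.te
        state: absent
    - fail:
        msg: "building/installing the pagure SELinux module failed"
  when: selinux_module is changed
  tags:
    - config
    - pagure
    - selinux
# … unchanged: seboolean tasks …
```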