Infrastructure/ansible
3
0
Fork 0
Code Issues Pull requests 6 Projects Releases Packages Wiki Activity Actions

pagure: update the selinux configuration for pagure

Browse source 
Split all the selinux tasks in a different file so it's easier to
read/find.
Adjust the custom policy based on our latest findings.
Build and compile the policy directly on the host.

Signed-off-by: Pierre-Yves Chibon <pingou@pingoured.fr>
This commit is contained in:
Pierre-Yves Chibon 2020-10-01 12:35:29 +02:00
parent aaf335d680
commit c4431d0a21
6 changed files with 142 additions and 88 deletions
Download patch file Download diff file Expand all files Collapse all files

0
roles/pagure/frontend/files/selinux/pagure.fc
View file

1
roles/pagure/frontend/files/selinux/pagure.if
View file

@ -1 +0,0 @@
## <summary></summary>

BIN
roles/pagure/frontend/files/selinux/pagure.pp
View file

Binary file not shown.

35
roles/pagure/frontend/files/selinux/pagure.te
View file

@ -1,11 +1,42 @@
module pagure 1.0; module pagure 1.1;
require { require {
type var_t;
type var_log_t;
type http_port_t;
type httpd_t; type httpd_t;
type postfix_smtpd_t;
type postfix_cleanup_t;
type ldconfig_exec_t;
type gitosis_var_lib_t; type gitosis_var_lib_t;
type httpd_log_t;
type var_run_t;
class dir { add_name remove_name write }; class dir { add_name remove_name write };
class file { create link setattr unlink write }; class file { execute execute_no_trans getattr map open read rename unlink };
class sock_file write;
class process execmem;
} }
allow httpd_t gitosis_var_lib_t:dir { add_name remove_name write }; allow httpd_t gitosis_var_lib_t:dir { add_name remove_name write };
allow httpd_t gitosis_var_lib_t:file { create link setattr unlink write }; allow httpd_t gitosis_var_lib_t:file { create link setattr unlink write };
#============= httpd_t ==============
#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
allow httpd_t gitosis_var_lib_t:file map;
allow httpd_t httpd_log_t:file { rename unlink };
#!!!! This avc is allowed in the current policy
allow httpd_t self:process execmem;
allow httpd_t var_log_t:file { open rename };
#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
allow httpd_t var_t:file map;
allow httpd_t var_t:file { getattr open read };
#============= postfix_cleanup_t ==============
allow postfix_cleanup_t var_run_t:sock_file write;
#============= postfix_smtpd_t ==============
allow postfix_smtpd_t var_run_t:sock_file write;

84
roles/pagure/frontend/tasks/main.yml
View file

@ -472,91 +472,9 @@
tags: tags:
- pagure - pagure
- name: check the selinux context of the git repo directory - import_tasks: selinux.yml
command: matchpathcon /srv/git
register: distgitcontext
check_mode: no
changed_when: false
tags:
- config
- pagure
- selinux
- name: set the SELinux policy for the distgit root directory
command: semanage fcontext -a -t gitosis_var_lib_t "/srv/git(/.*)?"
when: distgitcontext.stdout.find('gitosis_var_lib_t') == -1
tags:
- config
- pagure
- selinux
- name: check the selinux context of the releases directory
command: matchpathcon /var/www/releases
register: distgitcontext
check_mode: no
changed_when: false
tags:
- config
- pagure
- selinux
# Note: On Fedora its httpd_sys_content_rw_t - Don't we love confusions?
- name: set the SELinux policy for the releases directory
command: semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/releases(/.*)?"
when: distgitcontext.stdout.find('httpd_sys_rw_content_t') == -1
tags:
- config
- pagure
- selinux
- name: copy over our custom selinux module
copy: src=selinux/pagure.pp dest=/usr/local/share/pagure.pp
register: selinux_module
tags:
- pagure
- name: install our custom selinux module
command: semodule -i /usr/local/share/pagure.pp
when: selinux_module is changed
tags:
- pagure
- name: set sebooleans so pagure can talk to the network (db + redis)
seboolean: name=httpd_can_network_connect
state=true
persistent=true
tags: tags:
- selinux - selinux
- web
- pagure
- name: set sebooleans so apache can send emails
seboolean: name=httpd_can_sendmail
state=true
persistent=true
tags:
- selinux
- web
- pagure
- name: set sebooleans so pygit2 can read the git repos
seboolean: name=httpd_execmem
state=true
persistent=true
tags:
- selinux
- web
- pagure
- name: set sebooleans so ssh can retrieve access info from apache
seboolean: name=nise_enabled
state=true
persistent=true
tags:
- selinux
- web
- pagure
# Ensure all the services are up and running # Ensure all the services are up and running

106
roles/pagure/frontend/tasks/selinux.yml Normal file
View file

@ -0,0 +1,106 @@
---
- name: check the selinux context of the git repo directory
command: matchpathcon /srv/git
register: distgitcontext
check_mode: no
changed_when: false
tags:
- config
- pagure
- selinux
- name: set the SELinux policy for the distgit root directory
command: semanage fcontext -a -t gitosis_var_lib_t "/srv/git(/.*)?"
when: distgitcontext.stdout.find('gitosis_var_lib_t') == -1
tags:
- config
- pagure
- selinux
- name: check the selinux context of the releases directory
command: matchpathcon /var/www/releases
register: distgitcontext
check_mode: no
changed_when: false
tags:
- config
- pagure
- selinux
# Note: On Fedora its httpd_sys_content_rw_t - Don't we love confusions?
- name: set the SELinux policy for the releases directory
command: semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/releases(/.*)?"
when: distgitcontext.stdout.find('httpd_sys_rw_content_t') == -1
tags:
- config
- pagure
- selinux
- name: copy over our custom selinux module
copy: src=selinux/pagure.te dest=/usr/local/share/pagure.te
register: selinux_module
tags:
- config
- pagure
- selinux
- name: Build our custom selinux module
command: checkmodule -M -m -o /usr/local/share/pagure.mod /usr/local/share/pagure.te
when: selinux_module is changed
tags:
- config
- pagure
- selinux
- name: Compile our custom selinux module
command: semodule_package -o /usr/local/share/pagure.pp -m /usr/local/share/pagure.mod
when: selinux_module is changed
tags:
- config
- pagure
- selinux
- name: install our custom selinux module
command: semodule -i /usr/local/share/pagure.pp
when: selinux_module is changed
tags:
- config
- pagure
- selinux
- name: set sebooleans so pagure can talk to the network (db + redis)
seboolean: name=httpd_can_network_connect
state=true
persistent=true
tags:
- config
- selinux
- pagure
- name: set sebooleans so apache can send emails
seboolean: name=httpd_can_sendmail
state=true
persistent=true
tags:
- config
- selinux
- pagure
- name: set sebooleans so pygit2 can read the git repos
seboolean: name=httpd_execmem
state=true
persistent=true
tags:
- config
- selinux
- pagure
- name: set sebooleans so ssh can retrieve access info from apache
seboolean: name=nise_enabled
state=true
persistent=true
tags:
- config
- selinux
- pagure