From edc4caa83323aade31c75d52bb9e4f1bfa218c80 Mon Sep 17 00:00:00 2001 From: Adam Williamson Date: Tue, 14 Dec 2021 15:48:34 -0800 Subject: [PATCH] openqa/server: use custom SELinux policy instead of boolean We've been using the httpd_can_network_connect boolean for years to allow httpd to connect to the openQA server processes. This is an unnecessarily large hammer when we only need it to be able to connect to exactly the two openQA ports. This uses a custom SELinux policy to allow connecting to those ports only, and ensures the boolean is set back to off. Signed-off-by: Adam Williamson --- roles/openqa/server/files/httpd-openqa.pp | Bin 0 -> 1158 bytes roles/openqa/server/files/httpd-openqa.te | 17 +++++++++++++++++ roles/openqa/server/tasks/main.yml | 20 ++++++++++++++------ 3 files changed, 31 insertions(+), 6 deletions(-) create mode 100644 roles/openqa/server/files/httpd-openqa.pp create mode 100644 roles/openqa/server/files/httpd-openqa.te diff --git a/roles/openqa/server/files/httpd-openqa.pp b/roles/openqa/server/files/httpd-openqa.pp new file mode 100644 index 0000000000000000000000000000000000000000..3d666e65860fde26bfe271939acc9757b15c512b GIT binary patch literal 1158 zcmb_bOHM;E3>-cZ2!UY1f@LoNf*Y`52P+N`wP_^2$)imLi(Ub7-mZ#KkiVrW}CUOf(@Y74TJdVG-Z0r6CubIeH$p8QV literal 0 HcmV?d00001 diff --git a/roles/openqa/server/files/httpd-openqa.te b/roles/openqa/server/files/httpd-openqa.te new file mode 100644 index 0000000000..bf06367e03 --- /dev/null +++ b/roles/openqa/server/files/httpd-openqa.te 
@@ -0,0 +1,17 @@
+
+module httpd-openqa 1.0;
+
+require {
+ type openqa_port_t;
+ type httpd_t;
+ type openqa_websockets_port_t;
+ class tcp_socket name_connect;
+}
+
+#============= httpd_t ==============
+
+#!!!! This avc can be allowed using the boolean 'httpd_can_network_connect'
+allow httpd_t openqa_port_t:tcp_socket name_connect;
+
+#!!!! This avc can be allowed using the boolean 'httpd_can_network_connect'
+allow httpd_t openqa_websockets_port_t:tcp_socket name_connect;
diff --git a/roles/openqa/server/tasks/main.yml b/roles/openqa/server/tasks/main.yml
index cdd9f3afb4..0db7607b97 100644
--- a/roles/openqa/server/tasks/main.yml
+++ b/roles/openqa/server/tasks/main.yml
@@ -161,14 +161,14 @@
 - name: Install various other required packages
 package:
 name:
- - python3-libselinux # for custom SELinux policy
+ - python3-libselinux # for using seboolean module
 - git # for checking out tests/tools
 - jq # for checking if tests changed after template load
- - libselinux-utils # custom SELinux policy
- - python3-libsemanage # custom SELinux policy
+ - python3-libsemanage # for using seboolean module
 - nfs-utils # for configuring/running NFS server
 - perl(Class::DBI::Pg) # for using postgresql DB
 - genisoimage # for building cloud-init ISO
+ - policycoreutils # for loading SELinux policy module
 state: present
 tags:
 - packages
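Review bot: The `require` block at the top of the new module depends on `openqa_port_t` and `openqa_websockets_port_t` already being defined in the loaded policy, so `semodule -i` will refuse this module on a host where whatever defines those port types (presumably the openQA packages' own policy) is not installed yet; the task ordering in main.yml has to guarantee that, and a one-line comment in the .te naming the dependency would save the next reader a failed load. The two `#!!!! This avc can be allowed using the boolean 'httpd_can_network_connect'` lines are audit2allow residue and read as advice to do the opposite of what the commit intends; replace them with a single header such as `# Narrow replacement for httpd_can_network_connect: httpd may only name_connect to the two openQA ports.`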
@@ -288,9 +288,17 @@
 - openqa-websockets
 - openqa-gru

-# This is using a big hammer until #1277312 is resolved
-- name: Allow Apache to connect to openQA
- seboolean: name=httpd_can_network_connect state=yes persistent=yes
+# we used to set this as a bigger hammer to let httpd connect to openQA
+- name: Unset httpd_can_network_connect SELinux boolean
+ seboolean: name=httpd_can_network_connect state=no persistent=yes
+
+- name: Copy over custom SELinux module allowing httpd to connect to openQA
+ copy: src=httpd-openqa.pp dest=/usr/local/share/selinux/httpd-openqa.pp owner=root group=root mode=0644
+ register: selinux_module
+
+- name: Load our custom SELinux module
+ command: semodule -i /usr/local/share/selinux/httpd-openqa.pp
+ when: selinux_module is changed

 - name: Allow Apache to read from NFS (as we store test data files there now)
 seboolean: name=httpd_use_nfs state=yes persistent=yes
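Review bot: `Load our custom SELinux module` is gated only on the copy task reporting a change, so if `semodule -i` fails once (for example because the openqa port types it requires are not defined yet) or the module is later removed by hand, every later run sees the file unchanged and never loads it, leaving httpd with neither the boolean nor the module. Checking the installed module list and loading whenever the module is absent or the file changed makes the task converge. Independently, the boolean is unset before the module is loaded, so a running httpd loses access to openQA for the span between the two tasks; unsetting it after the load closes that window. The `.pp` is a committed binary with no recorded way to regenerate it from the `.te` beside it (the packages hunk earlier in this file installs `policycoreutils` but not `checkpolicy`), so a comment in the role giving the rebuild steps, `checkmodule -M -m -o httpd-openqa.mod httpd-openqa.te` followed by `semodule_package -o httpd-openqa.pp -m httpd-openqa.mod`, would keep the two files from drifting apart.
```yaml
# … unchanged: openqa-websockets / openqa-gru service list …

- name: Copy over custom SELinux module allowing httpd to connect to openQA
  copy: src=httpd-openqa.pp dest=/usr/local/share/selinux/httpd-openqa.pp owner=root group=root mode=0644
  register: selinux_module

# read-only probe so a previously failed or manually removed load is retried
- name: Check whether our custom SELinux module is already loaded
  command: semodule -l
  register: selinux_modules
  changed_when: false

- name: Load our custom SELinux module
  command: semodule -i /usr/local/share/selinux/httpd-openqa.pp
  when: selinux_module is changed or 'httpd-openqa' not in selinux_modules.stdout

# only drop the broad boolean once the narrower policy is in place,
# so a running httpd never loses access to openQA mid-play
- name: Unset httpd_can_network_connect SELinux boolean
  seboolean: name=httpd_can_network_connect state=no persistent=yes

# … unchanged: httpd_use_nfs boolean …
```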