copr-backend: custom SELinux rules for copr-backend extended/fixed

2018-03-02 09:54:22 +01:00 · 2018-03-02 09:54:22 +01:00 · a5bbf1583f
commit a5bbf1583f
parent 8c4faccea3
9 changed files with 41 additions and 25 deletions
--- a/roles/copr/backend/files/selinux/compile.sh
+++ b/roles/copr/backend/files/selinux/compile.sh
@ -1,4 +1,4 @@
 #!/bin/sh

-checkmodule -M -m -o nrpe_copr.mod nrpe_copr.te
-semodule_package -o nrpe_copr.pp -m nrpe_copr.mod
+checkmodule -M -m -o copr_rules.mod copr_rules.te
+semodule_package -o copr_rules.pp -m copr_rules.mod
--- a/roles/copr/backend/files/selinux/copr_rules.mod
+++ b/roles/copr/backend/files/selinux/copr_rules.mod
--- a/roles/copr/backend/files/selinux/copr_rules.pp
+++ b/roles/copr/backend/files/selinux/copr_rules.pp
--- a/roles/copr/backend/files/selinux/copr_rules.te
+++ b/roles/copr/backend/files/selinux/copr_rules.te
@ -0,0 +1,27 @@
+
+module copr_rules 1.0;
+
+require {
+	type redis_port_t;
+	type nrpe_t;
+	type httpd_t;
+	type copr_data_t;
+	type logrotate_t;
+	class tcp_socket name_connect;
+    class file ioctl;
+    class lnk_file read;
+    class process execmem;
+}
+
+#============= nrpe_t ==============
+# nagios
+allow nrpe_t redis_port_t:tcp_socket name_connect;
+
+#============= httpd_t ==============
+# custom lighttpd dir script template
+allow httpd_t copr_data_t:file ioctl;
+allow httpd_t copr_data_t:lnk_file read;
+
+#============= logrotate_t ==============
+# https://bugzilla.redhat.com/show_bug.cgi?id=1535689
+allow logrotate_t self:process execmem;
--- a/roles/copr/backend/files/selinux/nrpe_copr.mod
+++ b/roles/copr/backend/files/selinux/nrpe_copr.mod
--- a/roles/copr/backend/files/selinux/nrpe_copr.pp
+++ b/roles/copr/backend/files/selinux/nrpe_copr.pp
--- a/roles/copr/backend/files/selinux/nrpe_copr.te
+++ b/roles/copr/backend/files/selinux/nrpe_copr.te
@ -1,11 +0,0 @@
-
-module copr_nrpe 1.0;
-
-require {
-	type redis_port_t;
-	type nrpe_t;
-	class tcp_socket name_connect;
-}
-
-#============= nrpe_t ==============
-allow nrpe_t redis_port_t:tcp_socket name_connect;
--- a/roles/copr/backend/tasks/main.yml
+++ b/roles/copr/backend/tasks/main.yml
@ -193,3 +193,15 @@

 - name: setup monitoring
  import_tasks: "monitoring.yml"
+
+# Three tasks for handling our custom selinux module
+- name: ensure a directory exists for our custom selinux module
+  file: dest=/usr/local/share/copr state=directory
+
+- name: copy over our custom selinux module
+  copy: src=selinux/copr_rules.pp dest=/usr/local/share/copr/copr_rules.pp
+  register: selinux_module
+
+- name: install our custom selinux module
+  command: semodule -i /usr/local/share/copr/copr_rules.pp
+  when: selinux_module|changed
--- a/roles/copr/backend/tasks/monitoring.yml
+++ b/roles/copr/backend/tasks/monitoring.yml
@ -10,15 +10,3 @@

 - name: set acl for nrpe on /etc/copr/copr-be.conf
  acl: name=/etc/copr/copr-be.conf entity=nrpe etype=user permissions=r state=present
-
-# Three tasks for handling our custom selinux module
- name: ensure a directory exists for our custom selinux module
-  file: dest=/usr/local/share/copr state=directory
-
- name: copy over our custom selinux module
-  copy: src=selinux/nrpe_copr.pp dest=/usr/local/share/copr/fedmsg.pp
-  register: selinux_module
-
- name: install our custom selinux module
-  command: semodule -i /usr/local/share/copr/fedmsg.pp
-  when: selinux_module|changed