From a5bbf1583fb02c7037f9bb240e6cb1661a6a9a95 Mon Sep 17 00:00:00 2001
From: clime
Date: Fri, 2 Mar 2018 09:54:22 +0100
Subject: [PATCH] copr-backend: custom SELinux rules for copr-backend extended/fixed
---
roles/copr/backend/files/selinux/compile.sh | 4 +--
.../copr/backend/files/selinux/copr_rules.mod | Bin 0 -> 1700 bytes
.../copr/backend/files/selinux/copr_rules.pp | Bin 0 -> 1716 bytes
.../copr/backend/files/selinux/copr_rules.te | 27 ++++++++++++++++++
.../copr/backend/files/selinux/nrpe_copr.mod | Bin 939 -> 0 bytes
roles/copr/backend/files/selinux/nrpe_copr.pp | Bin 955 -> 0 bytes
roles/copr/backend/files/selinux/nrpe_copr.te | 11 -------
roles/copr/backend/tasks/main.yml | 12 ++++++++
roles/copr/backend/tasks/monitoring.yml | 12 --------
9 files changed, 41 insertions(+), 25 deletions(-)
create mode 100644 roles/copr/backend/files/selinux/copr_rules.mod
create mode 100644 roles/copr/backend/files/selinux/copr_rules.pp
create mode 100644 roles/copr/backend/files/selinux/copr_rules.te
delete mode 100644 roles/copr/backend/files/selinux/nrpe_copr.mod
delete mode 100644 roles/copr/backend/files/selinux/nrpe_copr.pp
delete mode 100644 roles/copr/backend/files/selinux/nrpe_copr.te
diff --git a/roles/copr/backend/files/selinux/compile.sh b/roles/copr/backend/files/selinux/compile.sh
index f37b46c00f..5eec166609 100644
--- a/roles/copr/backend/files/selinux/compile.sh
+++ b/roles/copr/backend/files/selinux/compile.sh
@@ -1,4 +1,4 @@
 #!/bin/sh
-checkmodule -M -m -o nrpe_copr.mod nrpe_copr.te
-semodule_package -o nrpe_copr.pp -m nrpe_copr.mod
+checkmodule -M -m -o copr_rules.mod copr_rules.te
+semodule_package -o copr_rules.pp -m copr_rules.mod
 
diff --git a/roles/copr/backend/files/selinux/copr_rules.mod b/roles/copr/backend/files/selinux/copr_rules.mod new file mode 100644 index 0000000000000000000000000000000000000000..d626da39141d7d21b15d92c0233ea96a8cc2636f GIT binary patch literal 1700 zcmb_cOHRWu5FP#qkU-)9^aKcQz=j>HIDi$L0ZP+2a;8!jT!90#0=+f^PZnWApJc_I z-y4tJ_x}0zaVjDYx0AbRyI4-{Q@v<(TSU%9WJ^R2WsM^diK)vWFBSk~< zc12bT2>^=t0xWi+PjRMpGI-i*t|6wj)o4x!0?umMS$LW@it4aut?GkSy)_%hb~#1u zd$?iNrN+6=kqO{%9F3}bgKe6kHSR2Oiry*bf4%^+ z^Wph3I2L;>pCL2?_$%gOB*szZI?zwa=e(P=JI4C>k9||XETEe|8i`5x!i#hrbQ`|- xvkscaW)y?Cu?>5aaXsUQ?D|9+#HrAuwdSxD8qONSKIjc;3cJwqpdoDj4PXCdZ*Kqq literal 0 HcmV?d00001 diff --git a/roles/copr/backend/files/selinux/copr_rules.pp b/roles/copr/backend/files/selinux/copr_rules.pp new file mode 100644 index 0000000000000000000000000000000000000000..ae34d742e0488a36fbc0f4159a6102ca35722130 GIT binary patch literal 1716 zcmb_cOHRWu5FP#qkU-)9^aKcQz=j>HIDi$LDTJnRUIPYte zwP(Y|v26@qyAE!cb*_G@Q)B`-97m(-QE#h)PqjJG3id#F{ZOA=CTmR0B45R*$FxB1z@xZ?WrmPIOD!tC--z@hIc zwWUjT)FD_`#s*ji07_z+AK%98j6BZbxg~)4IEFdw9^|<>huy?H4t4W8l;`e(gU1if zoCE(akoU*$ya!N+=g;6+?6GWy&f=B5T>-OzZvJW{ zCSeOV(sa;lc;aX6HIL0G261B>_9$a|#uwT2i8P2)p+_6dVJkG8HHLlA8`2bZq2*pf H*t`wjqsDTC literal 0 HcmV?d00001 diff --git a/roles/copr/backend/files/selinux/copr_rules.te b/roles/copr/backend/files/selinux/copr_rules.te new file mode 100644 index 0000000000..8a50654083 --- /dev/null +++ b/roles/copr/backend/files/selinux/copr_rules.te 
@@ -0,0 +1,27 @@ + +module copr_rules 1.0; + +require { + type redis_port_t; + type nrpe_t; + type httpd_t; + type copr_data_t; + type logrotate_t; + class tcp_socket name_connect; + class file ioctl; + class lnk_file read; + class process execmem; +} + +#============= nrpe_t ============== +# nagios +allow nrpe_t redis_port_t:tcp_socket name_connect; + +#============= httpd_t ============== +# custom lighttpd dir script template +allow httpd_t copr_data_t:file ioctl; +allow httpd_t copr_data_t:lnk_file read; + +#============= logrotate_t ============== +# https://bugzilla.redhat.com/show_bug.cgi?id=1535689 +allow logrotate_t self:process execmem; diff --git a/roles/copr/backend/files/selinux/nrpe_copr.mod b/roles/copr/backend/files/selinux/nrpe_copr.mod deleted file mode 100644 index 5ebf1b7fa39959c5a1ee952876607f5401cd2957..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 939 zcmb`F!D>P=5Jj&Rq?UsC2Yx}(KXBu&UG)P(jak@g^2m$Og}>kjcV)Twt`3g|y6`~A zdowpP6LL@I=j^>(Ahe%eGtXTi85r!!_!5^&nQqi@EDm zHB}CqZR?tpi!16@Lp5|0q8MR!F6B9;;+DQndOJN)ZRIUi`=5G!4WFF!>xf#Mv-E3e nzS^04#qR~@rJrx!WyCJ}RX*h_DktAvyrn32y5D-q=KkUrzhgMD diff --git a/roles/copr/backend/files/selinux/nrpe_copr.pp b/roles/copr/backend/files/selinux/nrpe_copr.pp deleted file mode 100644 index ee51973408274b85416cda3c2fc54fe1422d7c69..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 955 zcmb`FK}v%$5QSeAib_GfK~Es{25#Kdl?Mnm&7!qUe$o_N^a|p6yQ(~zSBD=1UG#&H z|DSo8nUME$*zE@ZxE=s}A9nkD0PnBk=^}2w#&2o9U4<(Ek5zVqBewv2>avTu3)cXi zpC&IgXHogP8q_~`Qhet&$$y42svY9TIyj$V48BOst~!xs%ixR4wp;64*gS8;HLSaO z5Ub&&I%mxA-s&wt)!#4h?(KIJPaC*K{tr6_m0-+IaB{^J)p&^yKe diff --git a/roles/copr/backend/files/selinux/nrpe_copr.te b/roles/copr/backend/files/selinux/nrpe_copr.te deleted file mode 100644 index 9eccd7a589..0000000000 --- a/roles/copr/backend/files/selinux/nrpe_copr.te +++ /dev/null 
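Review bot: `allow logrotate_t self:process execmem;` at the end of the hunk permanently lets the logrotate domain map memory that is both writable and executable, and the only rationale given is a bug URL — nothing in the module records that this is a workaround or what condition would allow it to be dropped. A maintainer reading `# https://bugzilla.redhat.com/show_bug.cgi?id=1535689` in two years cannot tell whether the rule is still needed, so it will outlive the bug it papers over. Replace the bare link with a comment that states the reason and the exit condition, e.g. `# WORKAROUND rhbz#1535689: logrotate currently needs execmem (details in the bug);` / `# remove once the fixed policy is deployed — verify with: ausearch -m AVC -c logrotate`. The two `httpd_t` rules deserve the same treatment: `lnk_file read` on copr_data_t lets the web server follow symlinks inside the data tree, so the comment should name the lighttpd dir-listing template that needs it instead of the generic `# custom lighttpd dir script template`.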
@@ -1,11 +0,0 @@ - -module copr_nrpe 1.0; - -require { - type redis_port_t; - type nrpe_t; - class tcp_socket name_connect; -} - -#============= nrpe_t ============== -allow nrpe_t redis_port_t:tcp_socket name_connect; diff --git a/roles/copr/backend/tasks/main.yml b/roles/copr/backend/tasks/main.yml index acdc92cdbe..639e0431c2 100644 --- a/roles/copr/backend/tasks/main.yml +++ b/roles/copr/backend/tasks/main.yml @@ -193,3 +193,15 @@ - name: setup monitoring import_tasks: "monitoring.yml" + +# Three tasks for handling our custom selinux module +- name: ensure a directory exists for our custom selinux module + file: dest=/usr/local/share/copr state=directory + +- name: copy over our custom selinux module + copy: src=selinux/copr_rules.pp dest=/usr/local/share/copr/copr_rules.pp + register: selinux_module + +- name: install our custom selinux module + command: semodule -i /usr/local/share/copr/copr_rules.pp + when: selinux_module|changed diff --git a/roles/copr/backend/tasks/monitoring.yml b/roles/copr/backend/tasks/monitoring.yml index 938b7e7b9b..e75619d273 100644 --- a/roles/copr/backend/tasks/monitoring.yml +++ b/roles/copr/backend/tasks/monitoring.yml @@ -10,15 +10,3 @@ - name: set acl for nrpe on /etc/copr/copr-be.conf acl: name=/etc/copr/copr-be.conf entity=nrpe etype=user permissions=r state=present - -# Three tasks for handling our custom selinux module -- name: ensure a directory exists for our custom selinux module - file: dest=/usr/local/share/copr state=directory - -- name: copy over our custom selinux module - copy: src=selinux/nrpe_copr.pp dest=/usr/local/share/copr/fedmsg.pp - register: selinux_module - -- name: install our custom selinux module - command: semodule -i /usr/local/share/copr/fedmsg.pp - when: selinux_module|changed
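Review bot: The rename from `copr_nrpe` to `copr_rules` leaves the old module loaded: `semodule -i /usr/local/share/copr/copr_rules.pp` adds a second module, and nothing removes `copr_nrpe` (installed by the monitoring.yml tasks this commit deletes) or its `/usr/local/share/copr/fedmsg.pp` on disk. The two modules agree on the nrpe_t→redis_port_t rule so nothing breaks today, but removing that rule from copr_rules later would have no effect while the leftover copr_nrpe still grants it, and `semodule -l` on the hosts no longer matches what the role declares. `when: selinux_module|changed` also retries the install only when the copied file changes, so a failed `semodule -i` is not retried on the next run (newer Ansible releases also deprecate the `|changed` filter form in favour of `is changed`). Driving both decisions from `semodule -l` fixes that, as sketched below; separately, the checked-in `copr_rules.pp` is a binary nobody can review against `copr_rules.te`, so consider building it on the host with the compile.sh steps so the .te stays the single source of truth.

```yaml
- name: list loaded selinux modules
  command: semodule -l
  register: loaded_modules
  changed_when: false

- name: remove the superseded copr_nrpe selinux module
  command: semodule -r copr_nrpe
  when: "'copr_nrpe' in loaded_modules.stdout"

- name: remove the superseded copr_nrpe module file
  file: path=/usr/local/share/copr/fedmsg.pp state=absent

# … unchanged: ensure directory / copy copr_rules.pp (register: selinux_module) …

- name: install our custom selinux module
  command: semodule -i /usr/local/share/copr/copr_rules.pp
  when: selinux_module is changed or 'copr_rules' not in loaded_modules.stdout
```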