openqa/server: use custom SELinux policy instead of boolean

We've been using the httpd_can_network_connect boolean for years
to allow httpd to connect to the openQA server processes. This
is an unnecessarily large hammer when we only need it to be
able to connect to exactly the two openQA ports. This uses a
custom SELinux policy to allow connecting to those ports only,
and ensures the boolean is set back to off.

Signed-off-by: Adam Williamson <awilliam@redhat.com>
Adam Williamson 2021-12-14 15:48:34 -08:00
parent 67eb9bb288
commit edc4caa833
3 changed files with 31 additions and 6 deletions

Binary file not shown.


@ -0,0 +1,17 @@
module httpd-openqa 1.0;
require {
type openqa_port_t;
type httpd_t;
type openqa_websockets_port_t;
class tcp_socket name_connect;
}
#============= httpd_t ==============
#!!!! This avc can be allowed using the boolean 'httpd_can_network_connect'
allow httpd_t openqa_port_t:tcp_socket name_connect;
#!!!! This avc can be allowed using the boolean 'httpd_can_network_connect'
allow httpd_t openqa_websockets_port_t:tcp_socket name_connect;
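Review bot: The two `#!!!! This avc can be allowed using the boolean 'httpd_can_network_connect'` lines above each allow rule are audit2allow output, and they point the reader at the very boolean this module exists to replace; a header comment stating the intent would serve better, e.g. `# Let httpd (reverse proxy) connect only to the openQA web UI and websockets ports, instead of the broad httpd_can_network_connect boolean.` The `require` block depends on `openqa_port_t` and `openqa_websockets_port_t` being defined by another loaded module (presumably openQA's own policy), so `semodule -i` of this module will fail on a host where that policy is not installed; that prerequisite is worth naming in the same header. The commit also ships a compiled `.pp` (the binary file above) that the playbook installs while this `.te` is never built, so source and binary can silently drift — a comment here recording how the `.pp` is regenerated, e.g. `checkmodule -M -m -o httpd-openqa.mod httpd-openqa.te && semodule_package -o httpd-openqa.pp -m httpd-openqa.mod`, would keep the `.te` authoritative.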


@ -161,14 +161,14 @@
- name: Install various other required packages - name: Install various other required packages
package: package:
name: name:
- python3-libselinux # for custom SELinux policy - python3-libselinux # for using seboolean module
- git # for checking out tests/tools - git # for checking out tests/tools
- jq # for checking if tests changed after template load - jq # for checking if tests changed after template load
- libselinux-utils # custom SELinux policy - python3-libsemanage # for using seboolean module
- python3-libsemanage # custom SELinux policy
- nfs-utils # for configuring/running NFS server - nfs-utils # for configuring/running NFS server
- perl(Class::DBI::Pg) # for using postgresql DB - perl(Class::DBI::Pg) # for using postgresql DB
- genisoimage # for building cloud-init ISO - genisoimage # for building cloud-init ISO
- policycoreutils # for loading SELinux policy module
state: present state: present
tags: tags:
- packages - packages
@ -288,9 +288,17 @@
- openqa-websockets - openqa-websockets
- openqa-gru - openqa-gru
# This is using a big hammer until #1277312 is resolved # we used to set this as a bigger hammer to let httpd connect to openQA
- name: Allow Apache to connect to openQA - name: Unset httpd_can_network_connect SELinux boolean
seboolean: name=httpd_can_network_connect state=yes persistent=yes seboolean: name=httpd_can_network_connect state=no persistent=yes
- name: Copy over custom SELinux module allowing httpd to connect to openQA
copy: src=httpd-openqa.pp dest=/usr/local/share/selinux/httpd-openqa.pp owner=root group=root mode=0644
register: selinux_module
- name: Load our custom SELinux module
command: semodule -i /usr/local/share/selinux/httpd-openqa.pp
when: selinux_module is changed
- name: Allow Apache to read from NFS (as we store test data files there now) - name: Allow Apache to read from NFS (as we store test data files there now)
seboolean: name=httpd_use_nfs state=yes persistent=yes seboolean: name=httpd_use_nfs state=yes persistent=yes
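Review bot: The second hunk unsets `httpd_can_network_connect` before the replacement module is loaded, so on an already-running server there is a window between the `seboolean` task and the `semodule -i` task in which httpd is denied access to both openQA ports; moving the "Unset httpd_can_network_connect SELinux boolean" task after "Load our custom SELinux module" avoids that transient denial. The `when: selinux_module is changed` guard ties loading to whether the copied `.pp` changed, so a host where the module was later removed, or a rebuilt host that already has the file in place, keeps the file but never gets the module loaded; registering `semodule -l` output and checking it for `httpd-openqa` would make the load idempotent against the actual loaded state rather than the file. The `command` task also has no `changed_when`, so every run in which it fires reports a change even if the module was already installed at that version. In the first hunk the package comments now read `custom SELinux policy`, but `python3-libselinux` and `python3-libsemanage` are still needed by the `seboolean` tasks that remain, so keeping "for using seboolean module" in those two comments (alongside the new reason) would be more accurate.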