Merge pull request #583 from ylei-tsubame/issues/364-enable-selinux

Enable SELinux
9 months ago · 1d9057001a
parent b3fbba8b49 9c84817a4f
commit 1d9057001a
6 changed files with 135 additions and 9 deletions
--- a/Makefile.am
+++ b/Makefile.am
@ -21,7 +21,7 @@ TARFILES		= $(PACKAGE_NAME)-$(VERSION).tar.bz2 \
 ACLOCAL_AMFLAGS		= -I m4
 SUBDIRS			= Anvil cgi-bin html journald.conf.d libvirt man ocf \
-			  pxe scancore-agents scripts share striker-ui \
+			  pxe scancore-agents scripts selinux share striker-ui \
 			  striker-ui-api tools units
 anvilconfdir		= ${sysconfdir}/anvil
--- a/anvil.spec.in
+++ b/anvil.spec.in
@ -7,6 +7,11 @@
 %define anvilgroup    admin
 %define suiapi        striker-ui-api
 # selinux variables
 %define selinuxtype             targeted
 %define selinuxsubnodemodule    anvil-subnode
 %define selinuxdir              %{_datadir}/selinux/packages/%{selinuxtype}
 Name:           anvil
 Version:        @version@
 Release:        1%{?numcomm:.%{numcomm}}%{?alphatag:.%{alphatag}}%{?dirty:.%{dirty}}%{?dist}
@ -24,6 +29,8 @@ BuildRequires:  systemd autoconf automake make
 BuildRequires:  fence-agents-common
 # OCFROOT
 BuildRequires:  resource-agents
 # required to build SELinux policy
 BuildRequires:  selinux-policy-devel
 %description
 This package generates the anvil-core, anvil-striker, anvil-node and anvil-dr 
@ -104,6 +111,7 @@ Requires:       postgresql-contrib
 Requires:       postgresql-plperl 
 Requires:       rsync 
 Requires:       screen
 Requires:       selinux-policy >= %{_selinux_policy_version}
 Requires:       smartmontools
 Requires:       strace
 Requires:       syslinux
@ -231,6 +239,8 @@ rm -rf %{buildroot}
 make install DESTDIR=%{buildroot}
 %pre core
 %selinux_relabel_pre -s %{selinuxtype}
 if [ ! -d /usr/share/anvil ];
 then
    mkdir /usr/share/anvil
@ -240,11 +250,15 @@ getent passwd %{anviluser} >/dev/null || useradd --create-home \
    --gid %{anvilgroup}  --comment "Anvil! user account" %{anviluser}
 %post core
-# TODO: Remove this!! This is only for use during development, all SELinux 
+# Always try to install in-case of update
-#       issues must be resolved before final release!
+%selinux_modules_install -s %{selinuxtype} -p 200 %{selinuxdir}/%{selinuxsubnodemodule}.pp
-echo "WARNING: Setting SELinux to 'permissive' during development."
+
-sed -i.anvil 's/SELINUX=enforcing/SELINUX=permissive/' /etc/selinux/config 
+%if 0%{?rhel} < 9
 echo "WARNING: setting SELinux to 'permissive' on rhel < 9."
 sed -i 's/SELINUX=enforcing/SELINUX=permissive/' /etc/selinux/config
 setenforce 0
 %endif
 # Enable and start the anvil-daemon
 ### TODO: check it if was disabled (if it existed before) and, if so, leave it disabled.
 systemctl enable --now chronyd.service
@ -351,9 +365,11 @@ touch /etc/anvil/type.dr
 ##                                       when re-enabling)
 #getent passwd %%{anviluser} >/dev/null && userdel %%{anviluser}
 #getent group %%{anvilgroup} >/dev/null && groupdel %%{anvilgroup}
-# echo "NOTE: Re-enabling SELinux."
+
-# sed -i.anvil 's/SELINUX=permissive/SELINUX=enforcing/' /etc/selinux/config 
+# Only uninstall the policy when the package is actually being removed
-# setenforce 1
+if [ $1 == 0 ]; then
 	%selinux_modules_uninstall -s %{selinuxtype} -p 200 %{selinuxsubnodemodule}
 fi
 %preun striker
 if [ $1 == 0 ]; then # 0=Uninstall, 1=First install, >1=Upgrade (version count)
@ -399,6 +415,11 @@ then
 fi
 %posttrans core
 # Relabel in posttrans makes sure files are in-place
 %selinux_relabel_post -s %{selinuxtype}
 %files core
 %doc README.md
 %config(noreplace) %{_sysconfdir}/anvil/anvil.conf
@ -411,6 +432,10 @@ fi
 %{_datadir}/perl5/*
 %{_mandir}/*
 # selinux
 %attr(0644, root, root) %{selinuxdir}/%{selinuxsubnodemodule}.pp
 %ghost %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{selinuxsubnodemodule}
 %files striker
 %{_localstatedir}/www/*/*
 %{_datadir}/anvil/striker-auto-initialize-all.example
--- a/configure.ac
+++ b/configure.ac
@ -165,6 +165,7 @@ AC_CONFIG_FILES([Makefile
 		 pxe/Makefile
 		 scancore-agents/Makefile
 		 scripts/Makefile
 		 selinux/Makefile
 		 share/Makefile
 		 striker-ui/Makefile
 		 striker-ui-api/Makefile
--- a/selinux/Makefile.am
+++ b/selinux/Makefile.am
@ -0,0 +1,47 @@
 MAINTAINERCLEANFILES    = Makefile.in
 SE_DIR			= /usr/share/selinux
 SE_MAKEFILE_PATH	= $(SE_DIR)/devel/Makefile
 SE_TYPE			= targeted
 SE_SRC_SUBNODE_TE	= anvil-subnode.te
 EXTRA_DIST		= \
 			$(SE_SRC_SUBNODE_TE).in
 # Magic variables:
 # $@ : target name
 # $< : first prerequisite
 # $^ : all prerequisites
 #
 # Command prefixes:
 # - : ignore errors
 # @ : don't print command
 #
 # Notes:
 # - Environment variable DESTDIR is set at make call.
 .PHONY: se-makefile
 se-makefile:
 	if ! test -r "$(SE_MAKEFILE_PATH)"; then \
 	  printf "\n*** %s\n*** %s\n\n" \
 	    "Missing makefile from selinux devel." \
 	    "Did you forget to install the selinux-policy-devel package?" >&2; \
 	  exit 1; \
 	fi
 $(SE_SRC_SUBNODE_TE): $(SE_SRC_SUBNODE_TE).in
 	cp --preserve=ownership,timestamps "$<" "$@"
 anvil-subnode.pp: se-makefile $(SE_SRC_SUBNODE_TE)
 	make -f "$(SE_MAKEFILE_PATH)" "$@"
 install-data-hook: anvil-subnode.pp
 	install -D -m 0644 -t "$(DESTDIR)/$(SE_DIR)/packages/$(SE_TYPE)/" "anvil-subnode.pp"
 uninstall-hook:
 	rm -f "$(DESTDIR)/$(SE_DIR)/packages/$(SE_TYPE)/anvil-subnode.pp"
 clean-local:
 	rm -f *.fc *.if *.pp *.te
 	rm -rf tmp
--- a/selinux/anvil-subnode.te.in
+++ b/selinux/anvil-subnode.te.in
@ -0,0 +1,29 @@
 policy_module(anvil-subnode, 1.0.0)
 ########################################
 #
 # Declarations
 #
 ########################################
 #
 # Local policy
 #
 # Use existing types; don't declare unless it's new.
 #
 require {
 	type mnt_t;
 	type virsh_t;
 	class file { open read };
 }
 #============= drbd_t ==============
 # drbd rules will be provided by drbd-utils package.
 #============= virsh_t ==============
 # Needed for virsh to access the domain XMLs under /mnt.
 allow virsh_t mnt_t:file { open read };
--- a/tools/striker-collect-debug
+++ b/tools/striker-collect-debug
@ -570,7 +570,31 @@ sub collect_remote_data
 			backup    => 0,
 		});
 	}
-	
+
 	print "- Grabbing audit logs... ";
 	$anvil->Storage->rsync({
 		debug       => 2,
 		source      => "root\@".$anvil->data->{peer}{$short_host_name}{access}{ip}.":/var/log/audit/audit*",
 		destination => $target_directory."/",
 	});
 	$test_file = $target_directory."/audit.log";
 	$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 2, list => { test_file => $test_file }});
 	if (-e $test_file)
 	{
 		print "Done.\n";
 	}
 	else
 	{
 		print "Failed!\n";
 		print "- For some reason, this file was not collected.\n";
 		$anvil->Storage->write_file({
 			file      => $test_file,
 			body      => $failed_body,
 			overwrite => 1,
 			backup    => 0,
 		});
 	}
 	# If this is a node, grab the shared files.
 	if ($this_host_type eq "node")
 	{