Merge pull request #583 from ylei-tsubame/issues/364-enable-selinux

Enable SELinux
9 months ago · 1d9057001a
parent b3fbba8b49 9c84817a4f
commit 1d9057001a
6 changed files with 135 additions and 9 deletions
--- a/Makefile.am
+++ b/Makefile.am
@ -21,7 +21,7 @@ TARFILES		= $(PACKAGE_NAME)-$(VERSION).tar.bz2 \
 ACLOCAL_AMFLAGS		= -I m4

 SUBDIRS			= Anvil cgi-bin html journald.conf.d libvirt man ocf \
-			  pxe scancore-agents scripts share striker-ui \
+			  pxe scancore-agents scripts selinux share striker-ui \
 			  striker-ui-api tools units

 anvilconfdir		= ${sysconfdir}/anvil
--- a/anvil.spec.in
+++ b/anvil.spec.in
@ -7,6 +7,11 @@
 %define anvilgroup    admin
 %define suiapi        striker-ui-api

+# selinux variables
+%define selinuxtype             targeted
+%define selinuxsubnodemodule    anvil-subnode
+%define selinuxdir              %{_datadir}/selinux/packages/%{selinuxtype}
+
 Name:           anvil
 Version:        @version@
 Release:        1%{?numcomm:.%{numcomm}}%{?alphatag:.%{alphatag}}%{?dirty:.%{dirty}}%{?dist}
@ -24,6 +29,8 @@ BuildRequires:  systemd autoconf automake make
 BuildRequires:  fence-agents-common
 # OCFROOT
 BuildRequires:  resource-agents
+# required to build SELinux policy
+BuildRequires:  selinux-policy-devel

 %description
 This package generates the anvil-core, anvil-striker, anvil-node and anvil-dr 
@ -104,6 +111,7 @@ Requires:       postgresql-contrib
 Requires:       postgresql-plperl 
 Requires:       rsync 
 Requires:       screen
+Requires:       selinux-policy >= %{_selinux_policy_version}
 Requires:       smartmontools
 Requires:       strace
 Requires:       syslinux
@ -231,6 +239,8 @@ rm -rf %{buildroot}
 make install DESTDIR=%{buildroot}

 %pre core
+%selinux_relabel_pre -s %{selinuxtype}
+
 if [ ! -d /usr/share/anvil ];
 then
    mkdir /usr/share/anvil
@ -240,11 +250,15 @@ getent passwd %{anviluser} >/dev/null || useradd --create-home \
    --gid %{anvilgroup}  --comment "Anvil! user account" %{anviluser}

 %post core
-# TODO: Remove this!! This is only for use during development, all SELinux 
-#       issues must be resolved before final release!
-echo "WARNING: Setting SELinux to 'permissive' during development."
-sed -i.anvil 's/SELINUX=enforcing/SELINUX=permissive/' /etc/selinux/config 
+# Always try to install in-case of update
+%selinux_modules_install -s %{selinuxtype} -p 200 %{selinuxdir}/%{selinuxsubnodemodule}.pp
+
+%if 0%{?rhel} < 9
+echo "WARNING: setting SELinux to 'permissive' on rhel < 9."
+sed -i 's/SELINUX=enforcing/SELINUX=permissive/' /etc/selinux/config
 setenforce 0
+%endif
+
 # Enable and start the anvil-daemon
 ### TODO: check it if was disabled (if it existed before) and, if so, leave it disabled.
 systemctl enable --now chronyd.service
@ -351,9 +365,11 @@ touch /etc/anvil/type.dr
 ##                                       when re-enabling)
 #getent passwd %%{anviluser} >/dev/null && userdel %%{anviluser}
 #getent group %%{anvilgroup} >/dev/null && groupdel %%{anvilgroup}
-# echo "NOTE: Re-enabling SELinux."
-# sed -i.anvil 's/SELINUX=permissive/SELINUX=enforcing/' /etc/selinux/config 
-# setenforce 1
+
+# Only uninstall the policy when the package is actually being removed
+if [ $1 == 0 ]; then
+	%selinux_modules_uninstall -s %{selinuxtype} -p 200 %{selinuxsubnodemodule}
+fi

 %preun striker
 if [ $1 == 0 ]; then # 0=Uninstall, 1=First install, >1=Upgrade (version count)
@ -399,6 +415,11 @@ then
 fi


+%posttrans core
+# Relabel in posttrans makes sure files are in-place
+%selinux_relabel_post -s %{selinuxtype}
+
+
 %files core
 %doc README.md
 %config(noreplace) %{_sysconfdir}/anvil/anvil.conf
@ -411,6 +432,10 @@ fi
 %{_datadir}/perl5/*
 %{_mandir}/*

+# selinux
+%attr(0644, root, root) %{selinuxdir}/%{selinuxsubnodemodule}.pp
+%ghost %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{selinuxsubnodemodule}
+
 %files striker
 %{_localstatedir}/www/*/*
 %{_datadir}/anvil/striker-auto-initialize-all.example
--- a/configure.ac
+++ b/configure.ac
@ -165,6 +165,7 @@ AC_CONFIG_FILES([Makefile
 		 pxe/Makefile
 		 scancore-agents/Makefile
 		 scripts/Makefile
+		 selinux/Makefile
 		 share/Makefile
 		 striker-ui/Makefile
 		 striker-ui-api/Makefile
--- a/selinux/Makefile.am
+++ b/selinux/Makefile.am
@ -0,0 +1,47 @@
+MAINTAINERCLEANFILES    = Makefile.in
+
+SE_DIR			= /usr/share/selinux
+SE_MAKEFILE_PATH	= $(SE_DIR)/devel/Makefile
+SE_TYPE			= targeted
+
+SE_SRC_SUBNODE_TE	= anvil-subnode.te
+
+EXTRA_DIST		= \
+			$(SE_SRC_SUBNODE_TE).in
+
+# Magic variables:
+# $@ : target name
+# $< : first prerequisite
+# $^ : all prerequisites
+#
+# Command prefixes:
+# - : ignore errors
+# @ : don't print command
+#
+# Notes:
+# - Environment variable DESTDIR is set at make call.
+
+.PHONY: se-makefile
+se-makefile:
+	if ! test -r "$(SE_MAKEFILE_PATH)"; then \
+	  printf "\n*** %s\n*** %s\n\n" \
+	    "Missing makefile from selinux devel." \
+	    "Did you forget to install the selinux-policy-devel package?" >&2; \
+	  exit 1; \
+	fi
+
+$(SE_SRC_SUBNODE_TE): $(SE_SRC_SUBNODE_TE).in
+	cp --preserve=ownership,timestamps "$<" "$@"
+
+anvil-subnode.pp: se-makefile $(SE_SRC_SUBNODE_TE)
+	make -f "$(SE_MAKEFILE_PATH)" "$@"
+
+install-data-hook: anvil-subnode.pp
+	install -D -m 0644 -t "$(DESTDIR)/$(SE_DIR)/packages/$(SE_TYPE)/" "anvil-subnode.pp"
+
+uninstall-hook:
+	rm -f "$(DESTDIR)/$(SE_DIR)/packages/$(SE_TYPE)/anvil-subnode.pp"
+
+clean-local:
+	rm -f *.fc *.if *.pp *.te
+	rm -rf tmp
--- a/selinux/anvil-subnode.te.in
+++ b/selinux/anvil-subnode.te.in
@ -0,0 +1,29 @@
+policy_module(anvil-subnode, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+
+########################################
+#
+# Local policy
+#
+
+# Use existing types; don't declare unless it's new.
+#
+require {
+	type mnt_t;
+	type virsh_t;
+	class file { open read };
+}
+
+
+#============= drbd_t ==============
+# drbd rules will be provided by drbd-utils package.
+
+
+#============= virsh_t ==============
+# Needed for virsh to access the domain XMLs under /mnt.
+allow virsh_t mnt_t:file { open read };
--- a/tools/striker-collect-debug
+++ b/tools/striker-collect-debug
@ -570,7 +570,31 @@ sub collect_remote_data
 			backup    => 0,
 		});
 	}
-	
+
+	print "- Grabbing audit logs... ";
+	$anvil->Storage->rsync({
+		debug       => 2,
+		source      => "root\@".$anvil->data->{peer}{$short_host_name}{access}{ip}.":/var/log/audit/audit*",
+		destination => $target_directory."/",
+	});
+	$test_file = $target_directory."/audit.log";
+	$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 2, list => { test_file => $test_file }});
+	if (-e $test_file)
+	{
+		print "Done.\n";
+	}
+	else
+	{
+		print "Failed!\n";
+		print "- For some reason, this file was not collected.\n";
+		$anvil->Storage->write_file({
+			file      => $test_file,
+			body      => $failed_body,
+			overwrite => 1,
+			backup    => 0,
+		});
+	}
+
 	# If this is a node, grab the shared files.
 	if ($this_host_type eq "node")
 	{