Freeze Break Request - selinux policy for mirrorlist containers to allow logrotate to work.
by Kevin Fenzi
Greetings.
Currently our mirrorlist containers on proxies aren't getting their logs rotated due to selinux policy. This patch hopefully fixes that and allows them to be rotated.
I have tested this on proxy01.stg and it seems to work there now.
+1s?
--
From 7b0ebec7dbc1085977a727298648516c7198555e Mon Sep 17 00:00:00 2001
From: Kevin Fenzi <kevin(a)scrye.com>
Date: Sun, 2 Jul 2017 18:45:49 +0000
Subject: [PATCH] initial selinux policy to allow logrotate to rotate
mirrorlist container log files
Signed-off-by: Kevin Fenzi <kevin(a)scrye.com>
---
.../files/selinux/mirrorlist-logrotate.mod | Bin 0 -> 1204 bytes
.../files/selinux/mirrorlist-logrotate.pp | Bin 0 -> 1220 bytes
.../files/selinux/mirrorlist-logrotate.te | 12 ++++++++++++
.../mirrormanager/mirrorlist_proxy/tasks/main.yml | 21 +++++++++++++++++++++
4 files changed, 33 insertions(+)
create mode 100644 roles/mirrormanager/mirrorlist_proxy/files/selinux/mirrorlist-logrotate.mod
create mode 100644 roles/mirrormanager/mirrorlist_proxy/files/selinux/mirrorlist-logrotate.pp
create mode 100644 roles/mirrormanager/mirrorlist_proxy/files/selinux/mirrorlist-logrotate.te
diff --git a/roles/mirrormanager/mirrorlist_proxy/files/selinux/mirrorlist-logrotate.mod b/roles/mirrormanager/mirrorlist_proxy/files/selinux/mirrorlist-logrotate.mod
new file mode 100644
index 0000000000000000000000000000000000000000..49ca37b8d4e43431ea086fcd61a1d83687dd1a47
GIT binary patch
literal 1204
zcmb`GOHRWu6h%Y%N(>MZ3+M(wumew+!H5M!X=6}OT1$>wI$#Sdm=U}aa;a6Q7|<(S
zzxzIZ{>Xm&czr)BisIpReAmnutMPrP7p)&z=-jwxJTZa`<E)7>#J1_uWgDJiNLBLt
z7QeZ=c4js~8%PO|mR~pV(88?p5}V{tO^}Oz7M8x8S2NG*Osnd;_YX`1=1{6uk4@{3
z%%^r5z3q$6Wc$v?CYaKB+j5FXNOvp<lV?9oWpuswHEh!=$@8oXIfVMFcV72>ab@C4
znWA!&g<}}dEt{CiuA0}AuqruXnUvdR)k{lLr!~-Spz^ZBb2xLL^7H_%AJ+qUa=KwM
zZlLDM63^kxfy&bdxPDv@<RNQp!es$8R6jiqVuCXP|EjT)9&WIhT#p8yn0je{#J0sP
z)x!-Ivn!po{Fmfx+@1YTjwbT=c!ct0`9=CYOjR7sZ^&M}QdnO9Z!bKrv63J71QJ$M
AiU0rr
literal 0
HcmV?d00001
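Review bot: the .mod file is the intermediate output of checkmodule that semodule_package consumes to produce the .pp, and nothing else in this patch reads it (tasks/main.yml copies only the .pp), so it does not need to be in the repository; dropping it also leaves one fewer binary that cannot be reviewed in a diff.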
diff --git a/roles/mirrormanager/mirrorlist_proxy/files/selinux/mirrorlist-logrotate.pp b/roles/mirrormanager/mirrorlist_proxy/files/selinux/mirrorlist-logrotate.pp
new file mode 100644
index 0000000000000000000000000000000000000000..f4be1215e3c3fb0c4c15381f8d1c4c5495c70e9b
GIT binary patch
literal 1220
zcmb`GOHRWu6h%Y%N(=yr1+W1S?7$OdFk%5w+87j+Hj?9(4%h->y^P=;lS{2a#Q?5!
z{qFnt`6K)F{rPRHC<=INd@=vX?A`U*O*5M>&u+VV-ujV+PK=Zt7{RG=+Jw-Bw&~+}
z+dYIXR?%-;{OaP;nOO&IASFOre%*v!3$w~oXrezfK`!`dxA5hxntE1eT2<G{-!ToC
zL#bNbH?7|@pV~?Awl6x9O`Z2mFs1jl<rt8V?pV-`AN?ej!6ol=*rZjG=UEwY2=!O*
zyzcAb%E*;6Mdc<7$1tE@G$EFKHLJ(nvgC+mRBn@1FD*@-)<C;~%F7bZ;mm=`(*w9P
zt_Jetbi-uaK+TmUp2L{~m8TDIX<QBDA#1F|WdSr)KRpg&f-?bstFe*<H&{%rM}tpH
zy|h1Ko8p#AaD&DCm(E)LNpd#s&i*Gy6Zv~QLiw`%BK;nwDvstiWG`MREU*8k7oOKx
H$v1oey`EQ}
literal 0
HcmV?d00001
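Review bot: a committed .pp cannot be reviewed or diffed, and it can drift from the .te beside it with nothing in the tree to catch that; the only way to confirm this 1220-byte blob corresponds to the 12-line mirrorlist-logrotate.te is to rebuild it. Prefer shipping the .te and building on the target (`checkmodule -M -m -o mirrorlist-logrotate.mod mirrorlist-logrotate.te` followed by `semodule_package -o mirrorlist-logrotate.pp -m mirrorlist-logrotate.mod`), or, if the prebuilt .pp is kept, document that build step and regenerate the .pp in the same commit whenever the .te changes.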
diff --git a/roles/mirrormanager/mirrorlist_proxy/files/selinux/mirrorlist-logrotate.te b/roles/mirrormanager/mirrorlist_proxy/files/selinux/mirrorlist-logrotate.te
new file mode 100644
index 0000000..1028deb
--- /dev/null
+++ b/roles/mirrormanager/mirrorlist_proxy/files/selinux/mirrorlist-logrotate.te
@@ -0,0 +1,12 @@
+module mirrorlist-logrotate 1.0;
+
+require {
+ type logrotate_t;
+ type svirt_sandbox_file_t;
+ class file { setattr create write };
+ class dir { write add_name remove_name };
+}
+
+#============= logrotate_t ==============
+allow logrotate_t svirt_sandbox_file_t:dir { add_name remove_name write };
+allow logrotate_t svirt_sandbox_file_t:file { setattr create write };
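Review bot: the two allow rules grant logrotate_t create/write/setattr on every svirt_sandbox_file_t file and directory, and that type is shared by all container-writable host content (anything a container gets with a :z/:Z mount), not only the mirrorlist logs, so logrotate, which runs as root from cron, can now modify any container volume on the proxy. A narrower fix is to give the mirrorlist log directory its own file context (or an existing log type) and allow the container domain to write that, so logrotate_t keeps its existing log permissions without a blanket grant. Separately, the permission list reads like audit2allow output from a single run: `file { setattr create write }` lacks `rename` and `unlink`, which renaming rotated files and expiring old ones need unless logrotate_t already holds them elsewhere, and the kernel only reports the first denied check in a chain (the dir `remove_name` denial masks the later file-level one). Run a second rotation cycle and check `ausearch -m avc -c logrotate` for new denials before treating the module as complete.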
diff --git a/roles/mirrormanager/mirrorlist_proxy/tasks/main.yml b/roles/mirrormanager/mirrorlist_proxy/tasks/main.yml
index ebec129..37c45a0 100644
--- a/roles/mirrormanager/mirrorlist_proxy/tasks/main.yml
+++ b/roles/mirrormanager/mirrorlist_proxy/tasks/main.yml
@@ -97,3 +97,24 @@
cron_file=restart-mirrorlist-containers
tags:
- mirrorlist_proxy
+
+# Custom selinux policy to allow logrotate to rotate our mirrorlist logs
+- name: ensure a directory exists for our custom selinux module
+ file: dest=/usr/local/share/mirrorlist-logrotate state=directory
+ tags:
+ - selinux
+ - mirrorlist_proxy
+
+- name: copy over our custom selinux module
+ copy: src=selinux/mirrorlist-logrotate.pp dest=/usr/local/share/mirrorlist-logrotate/mirrorlist-logrotate.pp
+ register: selinux_module
+ tags:
+ - selinux
+ - mirrorlist_proxy
+
+- name: install our custom selinux module
+ command: semodule -i /usr/local/share/mirrorlist-logrotate/mirrorlist-logrotate.pp
+ when: selinux_module|changed
+ tags:
+ - selinux
+ - mirrorlist_proxy
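Review bot: `when: selinux_module|changed` ties installation to the copy task, so the module is loaded only on the run that first ships the file; if `semodule -i` fails on that run, or the module is later removed by hand or by a policy reset, the .pp on disk is unchanged and no later run reinstalls it. Make the install step self-checking instead: a preceding `command: semodule -l` task (registered, with `changed_when: false`) and `when: selinux_module|changed or 'mirrorlist-logrotate' not in loaded_modules.stdout` lets the play converge however the module went missing.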
--
1.8.3.1
Weekly Koji Infra Tag Report
by Nobody
This is a list of packages in the various infrastructure koji tags.
Please check and make sure there are not any that can be removed/dropped.
epel6-infra
(no matching packages)
epel7-infra
Package                   Tag           Extra Arches  Owner
------------------------  ------------  ------------  ----------
pkgdb2                    epel7-infra                 pingou
freeipa-ktutils           epel7-infra                 puiterwijk
compose-utils             epel7-infra                 ausil
fedmsg-beaker-repoupdate  epel7-infra                 tflink
anitya                    epel7-infra                 jcline
the-new-hotness           epel7-infra                 jcline
fedocal                   epel7-infra                 pingou
pdc-updater               epel7-infra                 ralph
python-IPy                epel7-infra                 kevin
python-robosignatory      epel7-infra                 puiterwijk
pagure-dist-git           epel7-infra                 pingou
python-pdc                epel7-infra                 ralph
glusterfs                 epel7-infra                 kevin
kerneltest                epel7-infra                 pingou
mirrormanager2            epel7-infra                 puiterwijk
blockerbugs               epel7-infra                 tflink
python-django-jsonfield   epel7-infra                 ralph
f23-infra
Package                   Tag           Extra Arches  Owner
------------------------  ------------  ------------  ----------
libphutil,                f23-infra                   tflink
arcanist,                 f23-infra                   tflink
phabricator               f23-infra                   tflink
phabricator-extension-ipsilonauth  f23-infra                   tflink
libphutil                 f23-infra                   tflink
arcanist                  f23-infra                   tflink
f24-infra
Package                   Tag           Extra Arches  Owner
------------------------  ------------  ------------  ----------
mediawiki-openid          f24-infra                   kevin
phabricator-extension-oauth  f24-infra                   tflink
python-twill              f24-infra                   codeblock
stickynotes2modernpaste   f24-infra                   codeblock
python-flask-testing      f24-infra                   codeblock
modern-paste              f24-infra                   codeblock
mediawiki-skin-fedora     f24-infra                   puiterwijk
mediawiki-FedoraBadges    f24-infra                   kevin
basset                    f24-infra                   puiterwijk
phabricator               f24-infra                   tflink
mediawiki-Lockdown        f24-infra                   kevin
libphutil                 f24-infra                   tflink
arcanist                  f24-infra                   tflink
mediawiki-RSS             f24-infra                   kevin
mirrormanager2            f24-infra                   puiterwijk
f25-infra
Package                   Tag           Extra Arches  Owner
------------------------  ------------  ------------  ----------
python-flask-testing      f25-infra                   codeblock
modern-paste              f25-infra                   codeblock
python-coveralls          f25-infra                   codeblock
mdapi                     f25-infra                   pingou
basset                    f25-infra                   puiterwijk
mediawiki-FedoraBadges    f25-infra                   kevin
mediawiki-Lockdown        f25-infra                   kevin
mediawiki-RSS             f25-infra                   kevin
mediawiki-openid          f25-infra                   kevin
plus-plus-service         f25-infra                   pingou
python-pdc                f25-infra                   ralph
python-django-cors-headers  f25-infra                   ralph
python-django-rest-framework-composed-permissions  f25-infra                   ralph
patternfly1               f25-infra                   ralph
piwik                     f25-infra                   codeblock
fas                       f25-infra                   kevin
libphutil,                f25-infra                   tflink
arcanist,                 f25-infra                   tflink
phabricator               f25-infra                   tflink
phabricator-extension-ipsilonauth  f25-infra                   tflink
libphutil                 f25-infra                   tflink
arcanist                  f25-infra                   tflink
python-twill              f25-infra                   codeblock
stickynotes2modernpaste   f25-infra                   codeblock
mediawiki-skin-fedora     f25-infra                   kevin
f26-infra
Package                   Tag           Extra Arches  Owner
------------------------  ------------  ------------  ----------
piwik                     f26-infra                   codeblock
f27-infra
Package                   Tag           Extra Arches  Owner
------------------------  ------------  ------------  ----------
piwik                     f27-infra                   codeblock