[openstack-selinux/el6] Initial import of openstack-selinux

Lon Hohberger lon at fedoraproject.org
Wed Jul 10 18:51:12 UTC 2013


commit d5f6e001c5d772ba6466d73bb0196c7a62a45c59
Author: Lon Hohberger <lhh at redhat.com>
Date:   Wed Jul 10 14:50:27 2013 -0400

    Initial import of openstack-selinux
    
    Resolves: rhbz#975590

 .gitignore                                         |    1 +
 bz885529-allow_rsync_to_deal_with_lock_files.patch |   69 +++++++++
 ...d_to_shelling_out_of_dnsmasq_from_quantum.patch |   22 +++
 ...sq_t_to_write_to_quantum_s_dhcp_directory.patch |   34 ++++
 ..._type_and_path_for_swift_when_using_rsync.patch |   89 +++++++++++
 openstack-selinux.spec                             |  158 ++++++++++++++++++++
 sources                                            |    1 +
 7 files changed, 374 insertions(+), 0 deletions(-)
---
diff --git a/.gitignore b/.gitignore
index e69de29..5ad6bd5 100644
--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1 @@
+/openstack-selinux-0.1.2.tar.gz
diff --git a/bz885529-allow_rsync_to_deal_with_lock_files.patch b/bz885529-allow_rsync_to_deal_with_lock_files.patch
new file mode 100644
index 0000000..262e375
--- /dev/null
+++ b/bz885529-allow_rsync_to_deal_with_lock_files.patch
@@ -0,0 +1,69 @@
+From 6fa94c476c307427dff99ecac1199e2730e33a07 Mon Sep 17 00:00:00 2001
+From: Dan Walsh <dwalsh at redhat.com>
+Date: Fri, 22 Feb 2013 11:40:02 -0500
+Subject: [PATCH] Allow rsync to deal with lock files
+
+Signed-off-by: Lon Hohberger <lhh at redhat.com>
+Tested-by: Martina Kollarova <mkollaro at redhat.com>
+---
+ Makefile           |    2 +-
+ openstack-rsync.te |   37 +++++++++++++++++++++++++++++++++++++
+ 2 files changed, 38 insertions(+), 1 deletions(-)
+ create mode 100644 openstack-rsync.te
+
+diff --git a/Makefile b/Makefile
+index c3b68b1..0360d9f 100644
+--- a/Makefile
++++ b/Makefile
+@@ -1,4 +1,4 @@
+-TARGETS?=openstack-selinux-nova openstack-selinux-quantum swift
++TARGETS?=openstack-selinux-nova openstack-selinux-quantum swift openstack-rsync
+ MODULES?=${TARGETS:=.pp.bz2}
+ SHAREDIR?=/usr/share
+ #INSTALL=?=install
+diff --git a/openstack-rsync.te b/openstack-rsync.te
+new file mode 100644
+index 0000000..be11804
+--- /dev/null
++++ b/openstack-rsync.te
+@@ -0,0 +1,37 @@
++#
++# SELinux policy module for OpenStack Swift running rsync
++# Copyright 2013 Red Hat, Inc.
++#
++# This program is free software; you can redistribute it and/or modify
++# it under the terms of the GNU General Public License as published by
++# the Free Software Foundation version 2.
++#
++# This program is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU General Public License for more details.
++#
++# You should have received a copy of the GNU General Public License along
++# with this program; if not, write to the Free Software Foundation, Inc.,
++# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
++#
++
++#
++# Allow rsync operating under swift to deal with rsync lock files
++# Author: Dan Walsh <dwalsh at redhat.com>
++#
++policy_module(openstack-rsync, 0.4)
++
++require {
++	type rsync_t;
++}
++ 
++
++files_manage_generic_locks(rsync_t)
++
++# Compile with:
++#  make -f /usr/share/selinux/devel/Makefile 
++# Install:
++#  semodule -i openstack-selinux-nova.pp
++# Remove:
++#  semodule -r openstack-selinux-nova
+-- 
+1.7.7.6
+
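Review bot: the compile/install/remove comment at the bottom of openstack-rsync.te names openstack-selinux-nova.pp and openstack-selinux-nova, which looks copied from another module; for this module the commands should read `semodule -i openstack-rsync.pp` and `semodule -r openstack-rsync`. Also note that `files_manage_generic_locks(rsync_t)` grants rsync_t create/write/unlink on every generic lock file, not only the ones swift's rsync produces; if the lock path is stable, a dedicated type would scope the grant, and the commit message should record the AVC denial this resolves so the breadth of the rule can be judged later. The line following the `require` block carries trailing whitespace.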
diff --git a/bz889782-fix_avc_related_to_shelling_out_of_dnsmasq_from_quantum.patch b/bz889782-fix_avc_related_to_shelling_out_of_dnsmasq_from_quantum.patch
new file mode 100644
index 0000000..17f14e3
--- /dev/null
+++ b/bz889782-fix_avc_related_to_shelling_out_of_dnsmasq_from_quantum.patch
@@ -0,0 +1,22 @@
+From 445458c62cabb0dde961f8e915314ffe207d2028 Mon Sep 17 00:00:00 2001
+From: Dan Walsh <dwalsh at redhat.com>
+Date: Tue, 19 Feb 2013 16:48:04 -0500
+Subject: [PATCH] Fix AVC related to shelling out of dnsmasq from Quantum
+
+Signed-off-by: Lon Hohberger <lhh at redhat.com>
+---
+ openstack-selinux-quantum.te |    1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+diff --git a/openstack-selinux-quantum.te b/openstack-selinux-quantum.te
+index 8d971ff..14e6d59 100644
+--- a/openstack-selinux-quantum.te
++++ b/openstack-selinux-quantum.te
+@@ -27,3 +27,4 @@ require {
+ }
+ 
+ corecmd_exec_bin(dnsmasq_t)
++corecmd_exec_shell(dnsmasq_t)
+-- 
+1.7.7.6
+
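Review bot: `corecmd_exec_shell(dnsmasq_t)` lets the dnsmasq domain execute a shell in its own domain, which widens what a compromised dnsmasq process can do well beyond the `corecmd_exec_bin` already granted on the line above; the commit message records neither the denied operation nor why a shell, rather than a specific helper binary, is required. Please paste the AVC into the commit message and confirm that the Quantum-driven dnsmasq invocation genuinely needs a shell so that a narrower rule is not possible.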
diff --git a/bz915906-allow_dnsmasq_t_to_write_to_quantum_s_dhcp_directory.patch b/bz915906-allow_dnsmasq_t_to_write_to_quantum_s_dhcp_directory.patch
new file mode 100644
index 0000000..2620a7f
--- /dev/null
+++ b/bz915906-allow_dnsmasq_t_to_write_to_quantum_s_dhcp_directory.patch
@@ -0,0 +1,34 @@
+From 3b55a291f86df680ae8800016519c778f707ddd8 Mon Sep 17 00:00:00 2001
+From: Lon Hohberger <lhh at redhat.com>
+Date: Tue, 5 Mar 2013 10:49:18 -0500
+Subject: [PATCH] Allow dnsmasq_t to write to quantum's DHCP directory
+
+Signed-off-by: Lon Hohberger <lhh at redhat.com>
+Signed-off-by: Miroslav Grepl <mgrepl at redhat.com>
+---
+ openstack-selinux-quantum.te |    5 ++++-
+ 1 files changed, 4 insertions(+), 1 deletions(-)
+
+diff --git a/openstack-selinux-quantum.te b/openstack-selinux-quantum.te
+index 14e6d59..3a30499 100644
+--- a/openstack-selinux-quantum.te
++++ b/openstack-selinux-quantum.te
+@@ -20,11 +20,14 @@
+ # Author: Miroslav Grepl 
+ #
+ 
+-policy_module(openstack-selinux-quantum,0.2)
++policy_module(openstack-selinux-quantum,0.2.1)
+ 
+ require {
+ 	type dnsmasq_t;
++	type quantum_var_lib_t;
+ }
+ 
+ corecmd_exec_bin(dnsmasq_t)
+ corecmd_exec_shell(dnsmasq_t)
++
++rw_files_pattern(dnsmasq_t, quantum_var_lib_t, quantum_var_lib_t)
+-- 
+1.7.7.6
+
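Review bot: `rw_files_pattern(dnsmasq_t, quantum_var_lib_t, quantum_var_lib_t)` grants read/write on every file labelled quantum_var_lib_t, while the subject line says only quantum's DHCP directory is needed; if /var/lib/quantum holds other agent state, a dedicated type for the dhcp subdirectory would keep dnsmasq from touching it. The pattern also omits create/unlink, so if dnsmasq has to create its lease file rather than update an existing one, a further denial will follow; verify this against the AVC before merging. Bumping the module version to 0.2.1 alongside the rule change is correct.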
diff --git a/bz918721-add_a_type_and_path_for_swift_when_using_rsync.patch b/bz918721-add_a_type_and_path_for_swift_when_using_rsync.patch
new file mode 100644
index 0000000..62e8b98
--- /dev/null
+++ b/bz918721-add_a_type_and_path_for_swift_when_using_rsync.patch
@@ -0,0 +1,89 @@
+From 7ba61201c4d327ba3938902adf3a690a068a83f3 Mon Sep 17 00:00:00 2001
+From: Lon Hohberger <lhh at redhat.com>
+Date: Wed, 6 Mar 2013 16:07:27 -0500
+Subject: [PATCH] Add a type and path for swift when using rsync
+
+Allow swift-account-* to run as swift_exec_t
+Allow swift-container-* to run as swift_exec_t
+
+Signed-off-by: Lon Hohberger <lhh at redhat.com>
+---
+ swift.fc |   17 +++++++++++++++++
+ swift.te |   15 +++++++++++++++
+ 2 files changed, 32 insertions(+), 0 deletions(-)
+
+diff --git a/swift.fc b/swift.fc
+index 52d945a..a2edd55 100644
+--- a/swift.fc
++++ b/swift.fc
+@@ -20,6 +20,15 @@
+ # Author: Miroslav Grepl 
+ #
+ 
++/usr/bin/swift-account-auditor		--	gen_context(system_u:object_r:swift_exec_t,s0)
++/usr/bin/swift-account-reaper		--	gen_context(system_u:object_r:swift_exec_t,s0)
++/usr/bin/swift-account-replicator	--	gen_context(system_u:object_r:swift_exec_t,s0)
++/usr/bin/swift-account-server		--	gen_context(system_u:object_r:swift_exec_t,s0)
++/usr/bin/swift-container-auditor	--	gen_context(system_u:object_r:swift_exec_t,s0)
++/usr/bin/swift-container-replicator	--	gen_context(system_u:object_r:swift_exec_t,s0)
++/usr/bin/swift-container-server		--	gen_context(system_u:object_r:swift_exec_t,s0)
++/usr/bin/swift-container-sync		--	gen_context(system_u:object_r:swift_exec_t,s0)
++/usr/bin/swift-container-updater	--	gen_context(system_u:object_r:swift_exec_t,s0)
+ /usr/bin/swift-object-auditor		--	gen_context(system_u:object_r:swift_exec_t,s0)
+ /usr/bin/swift-object-info		--	gen_context(system_u:object_r:swift_exec_t,s0)
+ /usr/bin/swift-object-replicator		--	gen_context(system_u:object_r:swift_exec_t,s0)
+@@ -27,3 +36,11 @@
+ /usr/bin/swift-object-updater		--	gen_context(system_u:object_r:swift_exec_t,s0)
+ 
+ /var/run/swift(/.*)?		gen_context(system_u:object_r:swift_var_run_t,s0)
++
++# This seems to be a de-facto standard when using swift.
++/srv/node(/.*)?		gen_context(system_u:object_r:swift_data_t,s0)
++
++# This is specific to RHOS's packstack utility
++ifdef(`distro_redhat', `
++/srv/loopback-device(/.*)?		gen_context(system_u:object_r:swift_data_t,s0)
++')
+diff --git a/swift.te b/swift.te
+index d52c0a8..acc7321 100644
+--- a/swift.te
++++ b/swift.te
+@@ -25,6 +25,10 @@
+ 
+ policy_module(swift, 1.0.0)
+ 
++gen_require(`
++	type rsync_t;
++')
++
+ ########################################
+ #
+ # Declarations
+@@ -37,6 +41,9 @@ init_daemon_domain(swift_t, swift_exec_t)
+ type swift_var_run_t;
+ files_pid_file(swift_var_run_t)
+ 
++type swift_data_t;
++files_type(swift_data_t)
++
+ ########################################
+ #
+ # swift local policy
+@@ -48,6 +55,14 @@ allow swift_t self:unix_dgram_socket create_socket_perms;
+ 
+ manage_dirs_pattern(swift_t, swift_var_run_t, swift_var_run_t)
+ manage_files_pattern(swift_t, swift_var_run_t, swift_var_run_t)
++
++# swift makes use of rsync, so we need to give rsync permissions
++# to edit swift_data_t files as well as swift_t those permissions
++manage_dirs_pattern(swift_t, swift_data_t, swift_data_t)
++manage_files_pattern(swift_t, swift_data_t, swift_data_t)
++manage_dirs_pattern(rsync_t, swift_data_t, swift_data_t)
++manage_files_pattern(rsync_t, swift_data_t, swift_data_t)
++
+ manage_lnk_files_pattern(swift_t, swift_var_run_t, swift_var_run_t)
+ files_pid_filetrans(swift_t, swift_var_run_t, { dir })
+ 
+-- 
+1.7.7.6
+
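Review bot: the comment above the new manage_*_pattern rules in swift.te is garbled ("to edit swift_data_t files as well as swift_t those permissions"); suggest "swift replicates data with rsync, so both swift_t and rsync_t need to manage swift_data_t". More substantively, rsync_t is the system-wide rsync daemon domain, so every rsync process on the host, not just swift's replicator, gains full manage rights over swift_data_t; that trade-off, made for lack of a swift-specific rsync domain, should be stated in the commit message. The `gen_require` for rsync_t in swift.te and the `require { type rsync_t; }` in openstack-rsync.te mean two modules now carry rsync rules; pick one as the owner so future rsync changes land in one place. In swift.fc, the /srv/node and /srv/loopback-device entries are new labels on existing data, so a relabel of those paths is needed on install (the spec in this import does run restorecon on /srv).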
diff --git a/openstack-selinux.spec b/openstack-selinux.spec
new file mode 100644
index 0000000..d392f63
--- /dev/null
+++ b/openstack-selinux.spec
@@ -0,0 +1,158 @@
+# RPM spec file for OpenStack on RHEL 6
+# Some bits borrowed from the katello-selinux package
+
+%global selinuxtype	targeted
+%global moduletype	services
+%global modulenames	openstack-selinux-nova openstack-selinux-quantum swift openstack-rsync
+
+# Usage: _format var format
+#   Expand 'modulenames' into various formats as needed
+#   Format must contain '$x' somewhere to do anything useful
+%global _format() export %1=""; for x in %{modulenames}; do %1+=%2; %1+=" "; done;
+
+# We do this in post install and post uninstall phases
+%global relabel_files() \
+	/sbin/restorecon -Rv %{_bindir}/swift* %{_localstatedir}/run/swift /srv &> /dev/null || :
+
+# Version of SELinux we were using
+%global selinux_policyver 3.7.19-195.el6_4.2
+
+# Package information
+Name:			openstack-selinux
+Version:		0.1.2
+Release:		11%{?dist}
+License:		GPLv2
+Group:			System Environment/Base
+Summary:		SELinux Policies for OpenStack
+BuildArch:		noarch
+URL:			https://github.com/lhh/%{name}
+Requires:		policycoreutils, libselinux-utils
+Requires(post):		selinux-policy-base >= %{selinux_policyver}, selinux-policy-targeted >= %{selinux_policyver}, policycoreutils
+Requires(postun):	policycoreutils
+BuildRequires:		selinux-policy selinux-policy-devel
+
+#
+# wget -c https://github.com/lhh/%{name}/archive/%{version}.tar.gz \
+#    -O %{name}-%{version}.tar.gz
+#
+Source:			%{name}-%{version}.tar.gz
+
+Patch1:	bz889782-fix_avc_related_to_shelling_out_of_dnsmasq_from_quantum.patch
+Patch2: bz885529-allow_rsync_to_deal_with_lock_files.patch
+Patch3: bz915906-allow_dnsmasq_t_to_write_to_quantum_s_dhcp_directory.patch
+Patch4: bz918721-add_a_type_and_path_for_swift_when_using_rsync.patch
+
+%description
+SELinux policy modules for use with OpenStack
+
+%prep
+%setup -q
+
+%patch1 -p1 -b .bz889782
+%patch2 -p1 -b .bz885529.1
+%patch3 -p1 -b .bz915906.1
+%patch4 -p1 -b .bz918721.1
+
+%build
+make SHARE="%{_datadir}" TARGETS="%{modulenames}"
+
+%install
+
+# Install SELinux interfaces
+%_format INTERFACES $x.if
+install -d %{buildroot}%{_datadir}/selinux/devel/include/%{moduletype}
+install -p -m 644 $INTERFACES \
+	%{buildroot}%{_datadir}/selinux/devel/include/%{moduletype}
+
+# Install policy modules
+%_format MODULES $x.pp.bz2
+install -d %{buildroot}%{_datadir}/selinux/packages
+install -m 0644 $MODULES \
+	%{buildroot}%{_datadir}/selinux/packages
+
+%post
+#
+# Install all modules in a single transaction
+#
+%_format MODULES %{_datadir}/selinux/packages/$x.pp.bz2
+%{_sbindir}/semodule -n -s %{selinuxtype} -i $MODULES
+
+if %{_sbindir}/selinuxenabled ; then
+	%{_sbindir}/load_policy
+	%relabel_files
+fi
+
+
+%postun
+if [ $1 -eq 0 ]; then
+	%{_sbindir}/semodule -n -r %{modulenames} || :
+	if %{_sbindir}/selinuxenabled ; then
+		%{_sbindir}/load_policy
+		%relabel_files
+	fi
+fi
+
+
+%files
+%defattr(-,root,root,0755)
+%doc COPYING
+%attr(0644,root,root) %{_datadir}/selinux/packages/*.pp.bz2
+%attr(0644,root,root) %{_datadir}/selinux/devel/include/%{moduletype}/*.if
+
+%changelog
+* Wed Mar 20 2013 Lon Hohberger <lhh at redhat.com> - 0.1.2-11
+- Add BuildRequires for selinux-policy-devel
+- Fix directory permissions
+
+* Wed Mar 20 2013 Lon Hohberger <lhh at redhat.com> - 0.1.2-10
+- Depend on later release of selinux-policy since it contains
+  fixes for OpenStack Swift's use of GlusterFS 
+  Resolves: rhbz#923426
+
+* Tue Mar 19 2013 Lon Hohberger <lhh at redhat.com> - 0.1.2-9
+- Depend on later release of selinux-policy since it contains
+  fixes for OpenStack Quantum
+  Resolves: rhbz#923426
+
+* Mon Mar 18 2013 Lon Hohberger <lhh at redhat.com> - 0.1.2-8
+- Call restorecon on /srv to ensure that previously-created
+  Swift objects have the correct SELinux context
+  Resolves: rhbz#918721
+
+* Wed Mar 06 2013 Lon Hohberger <lhh at redhat.com> - 0.1.2-7
+- Add a type and path for swift when using rsync
+  Resolves: rhbz#918721
+
+* Tue Mar 05 2013 Lon Hohberger <lhh at redhat.com> - 0.1.2-6
+- Allow dnsmasq_t to write to quantum's DHCP directory
+  Resolves: rhbz#915906
+
+* Fri Feb 22 2013 Lon Hohberger <lhh at redhat.com> - 0.1.2-5
+- Allow rsync to deal with lock files
+  Resolves: rhbz#885529
+
+* Thu Feb 20 2013 Lon Hohberger <lhh at redhat.com> - 0.1.2-4
+- Fix up changelog for wrong bug
+- Ancillary patch for dnsmasq AVC denial
+- Resolves: rhbz#889782
+
+* Tue Feb 12 2013 Lon Hohberger <lhh at redhat.com> - 0.1.2-3
+- Spec file cleanups
+
+* Tue Feb 12 2013 Lon Hohberger <lhh at redhat.com> - 0.1.2-2
+- Spec file cleanups 
+
+* Tue Feb 12 2013 Lon Hohberger <lhh at redhat.com> - 0.1.2-1
+- Add policy for swift to resolve rsync issues
+- Resolves: rhbz#885529
+
+* Tue Feb 12 2013 Lon Hohberger <lhh at redhat.com> - 0.1.1-1
+- Add policy for quantum to resolve DHCP lease issues
+- Resolves: rhbz#889782
+
+* Mon Feb 11 2013 Lon Hohberger <lhh at redhat.com> - 0.1.0-2
+- Fix URL and Source identifiers
+
+* Mon Feb 11 2013 Lon Hohberger <lhh at redhat.com> - 0.1.0-1
+- First Build, addreses openstack nova issues
+- Resolves: rhbz#913197
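Review bot: `%relabel_files` runs `restorecon -Rv /srv` on every install and erase, which recursively relabels all of /srv, including data that has nothing to do with swift, with the output discarded; since swift.fc only claims /srv/node and /srv/loopback-device, consider restricting the call to those two paths, both to avoid side effects on unrelated data and because a recursive restorecon over a large object store on each package transaction is expensive. The `%_format` helper depends on bash's `+=` string append inside a `/bin/sh` scriptlet, which holds on RHEL 6 but is worth a comment. Minor: "addreses" in the 0.1.0-1 changelog entry should be "addresses".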
diff --git a/sources b/sources
index e69de29..0657a12 100644
--- a/sources
+++ b/sources
@@ -0,0 +1 @@
+a3703c9d7e571f3b06e40ef8719cf145  openstack-selinux-0.1.2.tar.gz