[openstack-tripleo-image-elements] Simplify keepalived custom policy

slagle slagle at fedoraproject.org
Thu Oct 23 11:08:43 UTC 2014


commit 5d9d60cd640020b69edb6779440a5e38b0c915fb
Author: James Slagle <jslagle at redhat.com>
Date:   Thu Oct 23 07:08:38 2014 -0400

    Simplify keepalived custom policy

 ...-Fix-mnt-state-var-log-keepalived-context.patch |    2 +-
 0003-SELinux-Update-keepalived-custom-policy.patch |   94 ----------
 ...-neutron-rootwrap.d-symlink-is-not-nested.patch |    2 +-
 ...05-Add-package-install-support-for-tuskar.patch |    2 +-
 ...Add-package-install-support-for-tuskar-ui.patch |    2 +-
 ...tch => 0007-Make-rdo-release-install-safe.patch |    2 +-
 ...-Change-how-SELinux-policies-are-compiled.patch |   53 ++++++
 0009-Simplify-keepalived-custom-policy.patch       |  193 ++++++++++++++++++++
 openstack-tripleo-image-elements.spec              |   19 ++-
 9 files changed, 263 insertions(+), 106 deletions(-)
---
diff --git a/0004-SELinux-Fix-mnt-state-var-log-keepalived-context.patch b/0003-SELinux-Fix-mnt-state-var-log-keepalived-context.patch
similarity index 95%
rename from 0004-SELinux-Fix-mnt-state-var-log-keepalived-context.patch
rename to 0003-SELinux-Fix-mnt-state-var-log-keepalived-context.patch
index b4a3720..52ade9a 100644
--- a/0004-SELinux-Fix-mnt-state-var-log-keepalived-context.patch
+++ b/0003-SELinux-Fix-mnt-state-var-log-keepalived-context.patch
@@ -1,4 +1,4 @@
-From 5c9b8baa7df0583650607406d5abfd479d27fe54 Mon Sep 17 00:00:00 2001
+From 8ba094055a8d058b89a4d8ead8041c6cdcfff90a Mon Sep 17 00:00:00 2001
 From: Richard Su <rwsu at redhat.com>
 Date: Wed, 15 Oct 2014 14:33:42 -0700
 Subject: [PATCH] SELinux: Fix /mnt/state/var/log/keepalived context
diff --git a/0005-Ensure-neutron-rootwrap.d-symlink-is-not-nested.patch b/0004-Ensure-neutron-rootwrap.d-symlink-is-not-nested.patch
similarity index 95%
rename from 0005-Ensure-neutron-rootwrap.d-symlink-is-not-nested.patch
rename to 0004-Ensure-neutron-rootwrap.d-symlink-is-not-nested.patch
index b2de5a2..1976dbb 100644
--- a/0005-Ensure-neutron-rootwrap.d-symlink-is-not-nested.patch
+++ b/0004-Ensure-neutron-rootwrap.d-symlink-is-not-nested.patch
@@ -1,4 +1,4 @@
-From 68fd0a46119a56a570d67e47e87df3cb266561ca Mon Sep 17 00:00:00 2001
+From f000cb5fe27db02680116d111b6c0de6743ab742 Mon Sep 17 00:00:00 2001
 From: Giulio Fidente <gfidente at redhat.com>
 Date: Thu, 16 Oct 2014 16:03:31 +0200
 Subject: [PATCH] Ensure neutron rootwrap.d symlink is not nested
diff --git a/0006-Add-package-install-support-for-tuskar.patch b/0005-Add-package-install-support-for-tuskar.patch
similarity index 98%
rename from 0006-Add-package-install-support-for-tuskar.patch
rename to 0005-Add-package-install-support-for-tuskar.patch
index 8b66f07..39cb480 100644
--- a/0006-Add-package-install-support-for-tuskar.patch
+++ b/0005-Add-package-install-support-for-tuskar.patch
@@ -1,4 +1,4 @@
-From b5d4558ae204f2712b56016ad1c1c6a64140c394 Mon Sep 17 00:00:00 2001
+From 6b9ee6a73b9c15247ce5698a58748d0ea2a353ea Mon Sep 17 00:00:00 2001
 From: James Slagle <jslagle at redhat.com>
 Date: Fri, 17 Oct 2014 11:56:12 -0400
 Subject: [PATCH] Add package install support for tuskar
diff --git a/0007-Add-package-install-support-for-tuskar-ui.patch b/0006-Add-package-install-support-for-tuskar-ui.patch
similarity index 98%
rename from 0007-Add-package-install-support-for-tuskar-ui.patch
rename to 0006-Add-package-install-support-for-tuskar-ui.patch
index 9ec317c..8c6778a 100644
--- a/0007-Add-package-install-support-for-tuskar-ui.patch
+++ b/0006-Add-package-install-support-for-tuskar-ui.patch
@@ -1,4 +1,4 @@
-From 0432b81b19c75bd73959108dee0e2157fe79e403 Mon Sep 17 00:00:00 2001
+From 5eef2950d6f267c2161d79f3d64fb81867bb4a1a Mon Sep 17 00:00:00 2001
 From: James Slagle <jslagle at redhat.com>
 Date: Fri, 17 Oct 2014 11:59:43 -0400
 Subject: [PATCH] Add package install support for tuskar-ui
diff --git a/0008-Make-rdo-release-install-safe.patch b/0007-Make-rdo-release-install-safe.patch
similarity index 94%
rename from 0008-Make-rdo-release-install-safe.patch
rename to 0007-Make-rdo-release-install-safe.patch
index e10614b..d5b1da4 100644
--- a/0008-Make-rdo-release-install-safe.patch
+++ b/0007-Make-rdo-release-install-safe.patch
@@ -1,4 +1,4 @@
-From 2c32c016d9ec7fa0f70bc405b1d53a504f28fc27 Mon Sep 17 00:00:00 2001
+From cbe4a193468dec699ee411c0585466c3df84e5e5 Mon Sep 17 00:00:00 2001
 From: Ben Nemec <bnemec at redhat.com>
 Date: Mon, 20 Oct 2014 15:41:50 -0500
 Subject: [PATCH] Make rdo-release install safe
diff --git a/0008-Change-how-SELinux-policies-are-compiled.patch b/0008-Change-how-SELinux-policies-are-compiled.patch
new file mode 100644
index 0000000..a7bbb56
--- /dev/null
+++ b/0008-Change-how-SELinux-policies-are-compiled.patch
@@ -0,0 +1,53 @@
+From 5bedbc04aa8065509220f1f624c04e54abe7141f Mon Sep 17 00:00:00 2001
+From: Richard Su <rwsu at redhat.com>
+Date: Wed, 22 Oct 2014 19:48:37 -0700
+Subject: [PATCH] Change how SELinux policies are compiled
+
+To take advantage of macros, the custom policies are now compiled
+using make. To use macros, selinux-policy-devel needs to be
+installed.
+
+Change-Id: I803291c01af709f39edcbf2f366808443233d7b3
+---
+ elements/selinux/install.d/100-install-custom-selinux-policies |  2 +-
+ .../configure.d/20-compile-and-install-selinux-policies        | 10 +++++-----
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/elements/selinux/install.d/100-install-custom-selinux-policies b/elements/selinux/install.d/100-install-custom-selinux-policies
+index 57f3ea7..4258de2 100755
+--- a/elements/selinux/install.d/100-install-custom-selinux-policies
++++ b/elements/selinux/install.d/100-install-custom-selinux-policies
+@@ -7,7 +7,7 @@
+ set -eux
+ set -o pipefail
+ 
+-install-packages checkpolicy
++install-packages checkpolicy selinux-policy-devel
+ mkdir -p /opt/stack/selinux-policy
+ 
+ for file in $(ls $(dirname $0)/../custom-policies/*.te); do
+diff --git a/elements/selinux/os-refresh-config/configure.d/20-compile-and-install-selinux-policies b/elements/selinux/os-refresh-config/configure.d/20-compile-and-install-selinux-policies
+index f4279c7..69346ba 100755
+--- a/elements/selinux/os-refresh-config/configure.d/20-compile-and-install-selinux-policies
++++ b/elements/selinux/os-refresh-config/configure.d/20-compile-and-install-selinux-policies
+@@ -6,15 +6,15 @@ set -eux
+ set -o pipefail
+ 
+ if [ -x /usr/sbin/semanage ]; then
++    cd /tmp
+     for file in $(ls /opt/stack/selinux-policy/*.te); do
+         filename=$(basename $file)
+         filename_no_ext=${filename%.*}
+         # compile policy
+-        checkmodule -M -m -o "/tmp/$filename_no_ext.mod" \
+-           "/opt/stack/selinux-policy/$filename"
+-        semodule_package -o "/tmp/$filename_no_ext.pp" \
+-            -m "/tmp/$filename_no_ext.mod"
++        cp $file /tmp
++        make -f /usr/share/selinux/devel/Makefile $filename_no_ext.pp
+         # install policy
+-        semodule -i "/tmp/$filename_no_ext.pp"
++        semodule -i /tmp/$filename_no_ext.pp
++        rm /tmp/$filename_no_ext.*
+     done
+ fi
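Review bot: The rewritten loop in 20-compile-and-install-selinux-policies now uses the shared /tmp as `make`'s working directory under predictable names (`cd /tmp`, `cp $file /tmp`, `make ... $filename_no_ext.pp`, `semodule -i /tmp/$filename_no_ext.pp`), so a file or `tmp/` entry that another local user pre-creates under those names in /tmp can be picked up by a root-run build and module load; a per-run `mktemp -d` working directory removed by a `trap` closes that. The new lines also drop the quoting the replaced `semodule -i "/tmp/..."` line had, and `rm /tmp/$filename_no_ext.*` is unquoted, so a policy name with whitespace or glob characters would break the loop. If the devel Makefile keeps intermediates in a `tmp/` subdirectory as the refpolicy one does, the `rm` does not cover it and it accumulates in /tmp across os-refresh-config runs, which a throwaway directory also handles. The `for file in $(ls ...)` header is pre-existing context; the rewrite below replaces it with a glob, and the install.d hunk of this patch is a single package-list change that needs nothing.
```shell
if [ -x /usr/sbin/semanage ]; then
    workdir=$(mktemp -d)
    trap 'rm -rf -- "${workdir:?}"' EXIT
    cd "$workdir"
    for file in /opt/stack/selinux-policy/*.te; do
        filename=$(basename "$file")
        filename_no_ext=${filename%.*}
        # compile policy
        cp -- "$file" .
        make -f /usr/share/selinux/devel/Makefile "$filename_no_ext.pp"
        # install policy
        semodule -i "$filename_no_ext.pp"
        rm -f -- "$filename_no_ext".*
    done
fi
```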
diff --git a/0009-Simplify-keepalived-custom-policy.patch b/0009-Simplify-keepalived-custom-policy.patch
new file mode 100644
index 0000000..3217a44
--- /dev/null
+++ b/0009-Simplify-keepalived-custom-policy.patch
@@ -0,0 +1,193 @@
+From be1aaf1d7436def267d7b28e58646009146fb6a8 Mon Sep 17 00:00:00 2001
+From: Richard Su <rwsu at redhat.com>
+Date: Wed, 22 Oct 2014 20:08:58 -0700
+Subject: [PATCH] Simplify keepalived custom policy
+
+Instead of allowing access to individual types to keepalived, we
+now grant keepalived access to read the processes for all types.
+
+This change was suggested in
+https://bugzilla.redhat.com/show_bug.cgi?id=1151647
+
+This also makes the custom policy work on both Fedora and RHEL.
+The previous custom policy would not install on RHEL 7.0 because
+some types were not defined in 7.0.
+
+Change-Id: Ic7adbd14ef27959f0a991127b5213384c9e46be3
+---
+ .../custom-policies/tripleo-selinux-keepalived.te  | 158 ++-------------------
+ 1 file changed, 13 insertions(+), 145 deletions(-)
+
+diff --git a/elements/selinux/custom-policies/tripleo-selinux-keepalived.te b/elements/selinux/custom-policies/tripleo-selinux-keepalived.te
+index e6f7549..0d9da32 100644
+--- a/elements/selinux/custom-policies/tripleo-selinux-keepalived.te
++++ b/elements/selinux/custom-policies/tripleo-selinux-keepalived.te
+@@ -1,154 +1,22 @@
+ 
+ module tripleo-selinux-keepalived 1.0;
+ 
+-require {
+-	type haproxy_t;
+-	type nova_api_t;
+-	type initrc_t;
+-	type snmpd_t;
+-	type rabbitmq_epmd_t;
+-	type dhcpc_t;
+-	type nova_cert_t;
+-	type openvswitch_t;
+-	type nova_conductor_t;
+-	type auditd_t;
+-	type systemd_logind_t;
+-	type httpd_t;
+-	type cinder_scheduler_t;
+-	type dnsmasq_t;
+-	type mysqld_safe_t;
+-	type rabbitmq_beam_t;
+-	type getty_t;
+-	type lvm_t;
+-	type systemd_hostnamed_t;
+-	type unconfined_t;
+-	type sshd_net_t;
+-	type crond_t;
+-	type keystone_t;
+-	type rpcbind_t;
+-	type init_t;
+-	type system_cronjob_t;
+-	type mysqld_t;
+-	type syslogd_t;
+-	type rsync_t;
+-	type swift_t;
+-	type system_dbusd_t;
+-	type nova_scheduler_t;
+-	type cinder_volume_t;
+-	type cinder_api_t;
+-	type neutron_t;
+-	type kernel_t;
+-	type glance_api_t;
+-	type mandb_t;
+-	type cluster_t;
+-	type nova_console_t;
+-	type udev_t;
+-	type glance_registry_t;
+-	type sshd_t;
+-	type ntpd_t;
+-	type keepalived_t;
+-	type rpcd_t;
+-	type memcached_t;
+-	class process signull;
+-	class capability kill;
+-	class dir search;
+-	class file { getattr read open };
+-}
++gen_require(`
++        type haproxy_t;
++        type keepalived_t;
++        class process signull;
++        class capability kill;
++        class dir { getattr search open read lock ioctl };
++        class file { open { getattr read ioctl lock } };
++        class lnk_file { getattr read };
++')
+ 
+ #============= keepalived_t ==============
+ # killall denials
+ # https://bugs.launchpad.net/tripleo/+bug/1379079
+ # https://bugzilla.redhat.com/show_bug.cgi?id=1145886
+-allow keepalived_t auditd_t:dir search;
+-allow keepalived_t auditd_t:file { read getattr open };
+-allow keepalived_t cinder_api_t:dir search;
+-allow keepalived_t cinder_api_t:file { read getattr open };
+-allow keepalived_t cinder_scheduler_t:dir search;
+-allow keepalived_t cinder_scheduler_t:file { read getattr open };
+-allow keepalived_t cinder_volume_t:dir search;
+-allow keepalived_t cinder_volume_t:file { read getattr open };
+-allow keepalived_t cluster_t:dir search;
+-allow keepalived_t cluster_t:file { read getattr open };
+-allow keepalived_t crond_t:dir search;
+-allow keepalived_t crond_t:file { read getattr open };
+-allow keepalived_t dhcpc_t:dir search;
+-allow keepalived_t dhcpc_t:file { read getattr open };
+-allow keepalived_t dnsmasq_t:dir search;
+-allow keepalived_t dnsmasq_t:file { read getattr open };
+-allow keepalived_t getty_t:dir search;
+-allow keepalived_t getty_t:file { read getattr open };
+-allow keepalived_t glance_api_t:dir search;
+-allow keepalived_t glance_api_t:file { read getattr open };
+-allow keepalived_t glance_registry_t:dir search;
+-allow keepalived_t glance_registry_t:file { read getattr open };
+-allow keepalived_t haproxy_t:dir search;
+-allow keepalived_t haproxy_t:file { read getattr open };
++# https://bugzilla.redhat.com/show_bug.cgi?id=1151647
++
++domain_read_all_domains_state(keepalived_t)
+ allow keepalived_t haproxy_t:process signull;
+-allow keepalived_t httpd_t:dir search;
+-allow keepalived_t httpd_t:file { read getattr open };
+-allow keepalived_t init_t:file { read getattr open };
+-allow keepalived_t initrc_t:dir search;
+-allow keepalived_t initrc_t:file { read getattr open };
+-allow keepalived_t kernel_t:dir search;
+-allow keepalived_t kernel_t:file { read getattr open };
+-allow keepalived_t keystone_t:dir search;
+-allow keepalived_t keystone_t:file { read getattr open };
+-allow keepalived_t lvm_t:dir search;
+-allow keepalived_t lvm_t:file { read getattr open };
+-allow keepalived_t mandb_t:dir search;
+-allow keepalived_t mandb_t:file { read getattr open };
+-allow keepalived_t memcached_t:dir search;
+-allow keepalived_t memcached_t:file { read getattr open };
+-allow keepalived_t mysqld_safe_t:dir search;
+-allow keepalived_t mysqld_safe_t:file { read getattr open };
+-allow keepalived_t mysqld_t:dir search;
+-allow keepalived_t mysqld_t:file { read getattr open };
+-allow keepalived_t neutron_t:dir search;
+-allow keepalived_t neutron_t:file { read getattr open };
+-allow keepalived_t nova_api_t:dir search;
+-allow keepalived_t nova_api_t:file { read getattr open };
+-allow keepalived_t nova_cert_t:dir search;
+-allow keepalived_t nova_cert_t:file { read getattr open };
+-allow keepalived_t nova_conductor_t:dir search;
+-allow keepalived_t nova_conductor_t:file { read getattr open };
+-allow keepalived_t nova_console_t:dir search;
+-allow keepalived_t nova_console_t:file { read getattr open };
+-allow keepalived_t nova_scheduler_t:dir search;
+-allow keepalived_t nova_scheduler_t:file { read getattr open };
+-allow keepalived_t ntpd_t:dir search;
+-allow keepalived_t ntpd_t:file { read getattr open };
+-allow keepalived_t openvswitch_t:dir search;
+-allow keepalived_t openvswitch_t:file { read getattr open };
+-allow keepalived_t rabbitmq_beam_t:dir search;
+-allow keepalived_t rabbitmq_beam_t:file { read getattr open };
+-allow keepalived_t rabbitmq_epmd_t:dir search;
+-allow keepalived_t rabbitmq_epmd_t:file { read getattr open };
+-allow keepalived_t rpcbind_t:dir search;
+-allow keepalived_t rpcbind_t:file { read getattr open };
+-allow keepalived_t rpcd_t:dir search;
+-allow keepalived_t rpcd_t:file { read getattr open };
+-allow keepalived_t rsync_t:dir search;
+-allow keepalived_t rsync_t:file { read getattr open };
+-allow keepalived_t self:capability kill;
+-allow keepalived_t snmpd_t:dir search;
+-allow keepalived_t snmpd_t:file { read getattr open };
+-allow keepalived_t sshd_net_t:dir search;
+-allow keepalived_t sshd_net_t:file { read getattr open };
+-allow keepalived_t sshd_t:dir search;
+-allow keepalived_t sshd_t:file { read getattr open };
+-allow keepalived_t swift_t:dir search;
+-allow keepalived_t swift_t:file { read getattr open };
+-allow keepalived_t syslogd_t:dir search;
+-allow keepalived_t syslogd_t:file { read getattr open };
+-allow keepalived_t system_cronjob_t:dir search;
+-allow keepalived_t system_cronjob_t:file { read getattr open };
+-allow keepalived_t system_dbusd_t:dir search;
+-allow keepalived_t system_dbusd_t:file { read getattr open };
+-allow keepalived_t systemd_hostnamed_t:dir search;
+-allow keepalived_t systemd_hostnamed_t:file { read getattr open };
+-allow keepalived_t systemd_logind_t:dir search;
+-allow keepalived_t systemd_logind_t:file { read getattr open };
+-allow keepalived_t udev_t:dir search;
+-allow keepalived_t udev_t:file { read getattr open };
+-allow keepalived_t unconfined_t:dir search;
+-allow keepalived_t unconfined_t:file { read getattr open };
++allow keepalived_t self:capability kill;
+\ No newline at end of file
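Review bot: The new `gen_require` block still lists `class dir { getattr search open read lock ioctl }`, `class file { open { getattr read ioctl lock } }` and `class lnk_file { getattr read }`, but no explicit rule left in the module uses those classes — the only remaining `allow` lines are `allow keepalived_t haproxy_t:process signull;` and `allow keepalived_t self:capability kill;`, and the dir/file/lnk_file access now comes from `domain_read_all_domains_state(keepalived_t)`, whose expansion presumably carries its own requirements when built through the devel Makefile. Trimming the block to `type haproxy_t; type keepalived_t; class process signull; class capability kill;` keeps the declared requirements matching what the module states, and drops the nested `{ open { ... } }` form, which is easier to misread than a flat permission list. The interface reads process state of every domain rather than the enumerated set, a deliberate widening per the linked bugzilla; since the surviving comments only cite bug URLs, a one-line comment in the .te such as `# keepalived runs killall (see bugs above), which scans /proc for every domain` would make the breadth of the grant self-explanatory at the next policy review. The new file also ends without a trailing newline (`\ No newline at end of file`).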
diff --git a/openstack-tripleo-image-elements.spec b/openstack-tripleo-image-elements.spec
index 6cf060b..7fe7bcd 100644
--- a/openstack-tripleo-image-elements.spec
+++ b/openstack-tripleo-image-elements.spec
@@ -4,7 +4,7 @@
 Name:		openstack-tripleo-image-elements
 Summary:	OpenStack TripleO Image Elements for diskimage-builder
 Version:	0.8.10
-Release:	2%{?dist}
+Release:	3%{?dist}
 License:	ASL 2.0
 Group:		System Environment/Base
 URL:		https://wiki.openstack.org/wiki/TripleO
@@ -12,12 +12,13 @@ Source0:	http://tarballs.openstack.org/tripleo-image-elements/tripleo-image-elem
 
 Patch0001: 0001-Cinder-conf-patch.patch
 Patch0002: 0002-Change-default-swift-bind_ports.patch
-Patch0003: 0003-SELinux-Update-keepalived-custom-policy.patch
-Patch0004: 0004-SELinux-Fix-mnt-state-var-log-keepalived-context.patch
-Patch0005: 0005-Ensure-neutron-rootwrap.d-symlink-is-not-nested.patch
-Patch0006: 0006-Add-package-install-support-for-tuskar.patch
-Patch0007: 0007-Add-package-install-support-for-tuskar-ui.patch
-Patch0008: 0008-Make-rdo-release-install-safe.patch
+Patch0003: 0003-SELinux-Fix-mnt-state-var-log-keepalived-context.patch
+Patch0004: 0004-Ensure-neutron-rootwrap.d-symlink-is-not-nested.patch
+Patch0005: 0005-Add-package-install-support-for-tuskar.patch
+Patch0006: 0006-Add-package-install-support-for-tuskar-ui.patch
+Patch0007: 0007-Make-rdo-release-install-safe.patch
+Patch0008: 0008-Change-how-SELinux-policies-are-compiled.patch
+Patch0009: 0009-Simplify-keepalived-custom-policy.patch
 
 BuildArch:	noarch
 BuildRequires:	python
@@ -42,6 +43,7 @@ program.
 %patch0006 -p1
 %patch0007 -p1
 %patch0008 -p1
+%patch0009 -p1
 
 %build
 %{__python} setup.py build
@@ -92,6 +94,9 @@ fi
 %{_datadir}/tripleo-image-elements
 
 %changelog
+* Thu Oct 23 2014 James Slagle <jslagle at redhat.com> 0.8.10-3
+- Simplify keepalived custom policy
+
 * Tue Oct 21 2014 James Slagle <jslagle at redhat.com> 0.8.10-2
 - Make rdo-release install safe
 

