[openstack-tripleo-image-elements] Simplify keepalived custom policy
slagle
slagle at fedoraproject.org
Thu Oct 23 11:08:43 UTC 2014
commit 5d9d60cd640020b69edb6779440a5e38b0c915fb
Author: James Slagle <jslagle at redhat.com>
Date: Thu Oct 23 07:08:38 2014 -0400
Simplify keepalived custom policy
...-Fix-mnt-state-var-log-keepalived-context.patch | 2 +-
0003-SELinux-Update-keepalived-custom-policy.patch | 94 ----------
...-neutron-rootwrap.d-symlink-is-not-nested.patch | 2 +-
...05-Add-package-install-support-for-tuskar.patch | 2 +-
...Add-package-install-support-for-tuskar-ui.patch | 2 +-
...tch => 0007-Make-rdo-release-install-safe.patch | 2 +-
...-Change-how-SELinux-policies-are-compiled.patch | 53 ++++++
0009-Simplify-keepalived-custom-policy.patch | 193 ++++++++++++++++++++
openstack-tripleo-image-elements.spec | 19 ++-
9 files changed, 263 insertions(+), 106 deletions(-)
---
diff --git a/0004-SELinux-Fix-mnt-state-var-log-keepalived-context.patch b/0003-SELinux-Fix-mnt-state-var-log-keepalived-context.patch
similarity index 95%
rename from 0004-SELinux-Fix-mnt-state-var-log-keepalived-context.patch
rename to 0003-SELinux-Fix-mnt-state-var-log-keepalived-context.patch
index b4a3720..52ade9a 100644
--- a/0004-SELinux-Fix-mnt-state-var-log-keepalived-context.patch
+++ b/0003-SELinux-Fix-mnt-state-var-log-keepalived-context.patch
@@ -1,4 +1,4 @@
-From 5c9b8baa7df0583650607406d5abfd479d27fe54 Mon Sep 17 00:00:00 2001
+From 8ba094055a8d058b89a4d8ead8041c6cdcfff90a Mon Sep 17 00:00:00 2001
From: Richard Su <rwsu at redhat.com>
Date: Wed, 15 Oct 2014 14:33:42 -0700
Subject: [PATCH] SELinux: Fix /mnt/state/var/log/keepalived context
diff --git a/0005-Ensure-neutron-rootwrap.d-symlink-is-not-nested.patch b/0004-Ensure-neutron-rootwrap.d-symlink-is-not-nested.patch
similarity index 95%
rename from 0005-Ensure-neutron-rootwrap.d-symlink-is-not-nested.patch
rename to 0004-Ensure-neutron-rootwrap.d-symlink-is-not-nested.patch
index b2de5a2..1976dbb 100644
--- a/0005-Ensure-neutron-rootwrap.d-symlink-is-not-nested.patch
+++ b/0004-Ensure-neutron-rootwrap.d-symlink-is-not-nested.patch
@@ -1,4 +1,4 @@
-From 68fd0a46119a56a570d67e47e87df3cb266561ca Mon Sep 17 00:00:00 2001
+From f000cb5fe27db02680116d111b6c0de6743ab742 Mon Sep 17 00:00:00 2001
From: Giulio Fidente <gfidente at redhat.com>
Date: Thu, 16 Oct 2014 16:03:31 +0200
Subject: [PATCH] Ensure neutron rootwrap.d symlink is not nested
diff --git a/0006-Add-package-install-support-for-tuskar.patch b/0005-Add-package-install-support-for-tuskar.patch
similarity index 98%
rename from 0006-Add-package-install-support-for-tuskar.patch
rename to 0005-Add-package-install-support-for-tuskar.patch
index 8b66f07..39cb480 100644
--- a/0006-Add-package-install-support-for-tuskar.patch
+++ b/0005-Add-package-install-support-for-tuskar.patch
@@ -1,4 +1,4 @@
-From b5d4558ae204f2712b56016ad1c1c6a64140c394 Mon Sep 17 00:00:00 2001
+From 6b9ee6a73b9c15247ce5698a58748d0ea2a353ea Mon Sep 17 00:00:00 2001
From: James Slagle <jslagle at redhat.com>
Date: Fri, 17 Oct 2014 11:56:12 -0400
Subject: [PATCH] Add package install support for tuskar
diff --git a/0007-Add-package-install-support-for-tuskar-ui.patch b/0006-Add-package-install-support-for-tuskar-ui.patch
similarity index 98%
rename from 0007-Add-package-install-support-for-tuskar-ui.patch
rename to 0006-Add-package-install-support-for-tuskar-ui.patch
index 9ec317c..8c6778a 100644
--- a/0007-Add-package-install-support-for-tuskar-ui.patch
+++ b/0006-Add-package-install-support-for-tuskar-ui.patch
@@ -1,4 +1,4 @@
-From 0432b81b19c75bd73959108dee0e2157fe79e403 Mon Sep 17 00:00:00 2001
+From 5eef2950d6f267c2161d79f3d64fb81867bb4a1a Mon Sep 17 00:00:00 2001
From: James Slagle <jslagle at redhat.com>
Date: Fri, 17 Oct 2014 11:59:43 -0400
Subject: [PATCH] Add package install support for tuskar-ui
diff --git a/0008-Make-rdo-release-install-safe.patch b/0007-Make-rdo-release-install-safe.patch
similarity index 94%
rename from 0008-Make-rdo-release-install-safe.patch
rename to 0007-Make-rdo-release-install-safe.patch
index e10614b..d5b1da4 100644
--- a/0008-Make-rdo-release-install-safe.patch
+++ b/0007-Make-rdo-release-install-safe.patch
@@ -1,4 +1,4 @@
-From 2c32c016d9ec7fa0f70bc405b1d53a504f28fc27 Mon Sep 17 00:00:00 2001
+From cbe4a193468dec699ee411c0585466c3df84e5e5 Mon Sep 17 00:00:00 2001
From: Ben Nemec <bnemec at redhat.com>
Date: Mon, 20 Oct 2014 15:41:50 -0500
Subject: [PATCH] Make rdo-release install safe
diff --git a/0008-Change-how-SELinux-policies-are-compiled.patch b/0008-Change-how-SELinux-policies-are-compiled.patch
new file mode 100644
index 0000000..a7bbb56
--- /dev/null
+++ b/0008-Change-how-SELinux-policies-are-compiled.patch
@@ -0,0 +1,53 @@
+From 5bedbc04aa8065509220f1f624c04e54abe7141f Mon Sep 17 00:00:00 2001
+From: Richard Su <rwsu at redhat.com>
+Date: Wed, 22 Oct 2014 19:48:37 -0700
+Subject: [PATCH] Change how SELinux policies are compiled
+
+To take advantage of macros, the custom policies are now compiled
+using make. To use macros, selinux-policy-devel needs to be
+installed.
+
+Change-Id: I803291c01af709f39edcbf2f366808443233d7b3
+---
+ elements/selinux/install.d/100-install-custom-selinux-policies | 2 +-
+ .../configure.d/20-compile-and-install-selinux-policies | 10 +++++-----
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/elements/selinux/install.d/100-install-custom-selinux-policies b/elements/selinux/install.d/100-install-custom-selinux-policies
+index 57f3ea7..4258de2 100755
+--- a/elements/selinux/install.d/100-install-custom-selinux-policies
++++ b/elements/selinux/install.d/100-install-custom-selinux-policies
+@@ -7,7 +7,7 @@
+ set -eux
+ set -o pipefail
+
+-install-packages checkpolicy
++install-packages checkpolicy selinux-policy-devel
+ mkdir -p /opt/stack/selinux-policy
+
+ for file in $(ls $(dirname $0)/../custom-policies/*.te); do
+diff --git a/elements/selinux/os-refresh-config/configure.d/20-compile-and-install-selinux-policies b/elements/selinux/os-refresh-config/configure.d/20-compile-and-install-selinux-policies
+index f4279c7..69346ba 100755
+--- a/elements/selinux/os-refresh-config/configure.d/20-compile-and-install-selinux-policies
++++ b/elements/selinux/os-refresh-config/configure.d/20-compile-and-install-selinux-policies
+@@ -6,15 +6,15 @@ set -eux
+ set -o pipefail
+
+ if [ -x /usr/sbin/semanage ]; then
++ cd /tmp
+ for file in $(ls /opt/stack/selinux-policy/*.te); do
+ filename=$(basename $file)
+ filename_no_ext=${filename%.*}
+ # compile policy
+- checkmodule -M -m -o "/tmp/$filename_no_ext.mod" \
+- "/opt/stack/selinux-policy/$filename"
+- semodule_package -o "/tmp/$filename_no_ext.pp" \
+- -m "/tmp/$filename_no_ext.mod"
++ cp $file /tmp
++ make -f /usr/share/selinux/devel/Makefile $filename_no_ext.pp
+ # install policy
+- semodule -i "/tmp/$filename_no_ext.pp"
++ semodule -i /tmp/$filename_no_ext.pp
++ rm /tmp/$filename_no_ext.*
+ done
+ fi
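Review bot: The rewritten loop compiles and installs the module from fixed, predictable paths in the shared /tmp (`cp $file /tmp`, `make -f … $filename_no_ext.pp`, `semodule -i /tmp/$filename_no_ext.pp`), and since `semodule -i` only works as root this code runs privileged; a local user who pre-creates `/tmp/tripleo-selinux-keepalived.pp` with a future mtime (or a symlink at the `.te` path) can influence what gets installed, because make only rebuilds the `.pp` when the copied `.te` is newer, whereas the removed `checkmodule`/`semodule_package` calls always regenerated their outputs. The added `rm /tmp/$filename_no_ext.*` also deletes any unrelated files sharing that prefix. Build in a private `mktemp -d` directory removed by a trap, and replace the `$(ls …)` loop with a quoted glob. The script's shebang and `set` options lie outside the hunk.
```shell
if [ -x /usr/sbin/semanage ]; then
    # private work dir: never build or install policy from shared /tmp
    workdir=$(mktemp -d)
    trap 'rm -rf -- "$workdir"' EXIT
    cd "$workdir"
    for file in /opt/stack/selinux-policy/*.te; do
        [ -e "$file" ] || continue
        filename=$(basename "$file")
        filename_no_ext=${filename%.*}
        # compile policy
        cp -- "$file" "$workdir/"
        make -f /usr/share/selinux/devel/Makefile "$filename_no_ext.pp"
        # install policy
        semodule -i "$workdir/$filename_no_ext.pp"
    done
fi
```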
diff --git a/0009-Simplify-keepalived-custom-policy.patch b/0009-Simplify-keepalived-custom-policy.patch
new file mode 100644
index 0000000..3217a44
--- /dev/null
+++ b/0009-Simplify-keepalived-custom-policy.patch
@@ -0,0 +1,193 @@
+From be1aaf1d7436def267d7b28e58646009146fb6a8 Mon Sep 17 00:00:00 2001
+From: Richard Su <rwsu at redhat.com>
+Date: Wed, 22 Oct 2014 20:08:58 -0700
+Subject: [PATCH] Simplify keepalived custom policy
+
+Instead of allowing access to individual types to keepalived, we
+now grant keepalived access to read the processes for all types.
+
+This change was suggested in
+https://bugzilla.redhat.com/show_bug.cgi?id=1151647
+
+This also makes the custom policy work on both Fedora and RHEL.
+The previous custom policy would not install on RHEL 7.0 because
+some types were not defined in 7.0.
+
+Change-Id: Ic7adbd14ef27959f0a991127b5213384c9e46be3
+---
+ .../custom-policies/tripleo-selinux-keepalived.te | 158 ++-------------------
+ 1 file changed, 13 insertions(+), 145 deletions(-)
+
+diff --git a/elements/selinux/custom-policies/tripleo-selinux-keepalived.te b/elements/selinux/custom-policies/tripleo-selinux-keepalived.te
+index e6f7549..0d9da32 100644
+--- a/elements/selinux/custom-policies/tripleo-selinux-keepalived.te
++++ b/elements/selinux/custom-policies/tripleo-selinux-keepalived.te
+@@ -1,154 +1,22 @@
+
+ module tripleo-selinux-keepalived 1.0;
+
+-require {
+- type haproxy_t;
+- type nova_api_t;
+- type initrc_t;
+- type snmpd_t;
+- type rabbitmq_epmd_t;
+- type dhcpc_t;
+- type nova_cert_t;
+- type openvswitch_t;
+- type nova_conductor_t;
+- type auditd_t;
+- type systemd_logind_t;
+- type httpd_t;
+- type cinder_scheduler_t;
+- type dnsmasq_t;
+- type mysqld_safe_t;
+- type rabbitmq_beam_t;
+- type getty_t;
+- type lvm_t;
+- type systemd_hostnamed_t;
+- type unconfined_t;
+- type sshd_net_t;
+- type crond_t;
+- type keystone_t;
+- type rpcbind_t;
+- type init_t;
+- type system_cronjob_t;
+- type mysqld_t;
+- type syslogd_t;
+- type rsync_t;
+- type swift_t;
+- type system_dbusd_t;
+- type nova_scheduler_t;
+- type cinder_volume_t;
+- type cinder_api_t;
+- type neutron_t;
+- type kernel_t;
+- type glance_api_t;
+- type mandb_t;
+- type cluster_t;
+- type nova_console_t;
+- type udev_t;
+- type glance_registry_t;
+- type sshd_t;
+- type ntpd_t;
+- type keepalived_t;
+- type rpcd_t;
+- type memcached_t;
+- class process signull;
+- class capability kill;
+- class dir search;
+- class file { getattr read open };
+-}
++gen_require(`
++ type haproxy_t;
++ type keepalived_t;
++ class process signull;
++ class capability kill;
++ class dir { getattr search open read lock ioctl };
++ class file { open { getattr read ioctl lock } };
++ class lnk_file { getattr read };
++')
+
+ #============= keepalived_t ==============
+ # killall denials
+ # https://bugs.launchpad.net/tripleo/+bug/1379079
+ # https://bugzilla.redhat.com/show_bug.cgi?id=1145886
+-allow keepalived_t auditd_t:dir search;
+-allow keepalived_t auditd_t:file { read getattr open };
+-allow keepalived_t cinder_api_t:dir search;
+-allow keepalived_t cinder_api_t:file { read getattr open };
+-allow keepalived_t cinder_scheduler_t:dir search;
+-allow keepalived_t cinder_scheduler_t:file { read getattr open };
+-allow keepalived_t cinder_volume_t:dir search;
+-allow keepalived_t cinder_volume_t:file { read getattr open };
+-allow keepalived_t cluster_t:dir search;
+-allow keepalived_t cluster_t:file { read getattr open };
+-allow keepalived_t crond_t:dir search;
+-allow keepalived_t crond_t:file { read getattr open };
+-allow keepalived_t dhcpc_t:dir search;
+-allow keepalived_t dhcpc_t:file { read getattr open };
+-allow keepalived_t dnsmasq_t:dir search;
+-allow keepalived_t dnsmasq_t:file { read getattr open };
+-allow keepalived_t getty_t:dir search;
+-allow keepalived_t getty_t:file { read getattr open };
+-allow keepalived_t glance_api_t:dir search;
+-allow keepalived_t glance_api_t:file { read getattr open };
+-allow keepalived_t glance_registry_t:dir search;
+-allow keepalived_t glance_registry_t:file { read getattr open };
+-allow keepalived_t haproxy_t:dir search;
+-allow keepalived_t haproxy_t:file { read getattr open };
++# https://bugzilla.redhat.com/show_bug.cgi?id=1151647
++
++domain_read_all_domains_state(keepalived_t)
+ allow keepalived_t haproxy_t:process signull;
+-allow keepalived_t httpd_t:dir search;
+-allow keepalived_t httpd_t:file { read getattr open };
+-allow keepalived_t init_t:file { read getattr open };
+-allow keepalived_t initrc_t:dir search;
+-allow keepalived_t initrc_t:file { read getattr open };
+-allow keepalived_t kernel_t:dir search;
+-allow keepalived_t kernel_t:file { read getattr open };
+-allow keepalived_t keystone_t:dir search;
+-allow keepalived_t keystone_t:file { read getattr open };
+-allow keepalived_t lvm_t:dir search;
+-allow keepalived_t lvm_t:file { read getattr open };
+-allow keepalived_t mandb_t:dir search;
+-allow keepalived_t mandb_t:file { read getattr open };
+-allow keepalived_t memcached_t:dir search;
+-allow keepalived_t memcached_t:file { read getattr open };
+-allow keepalived_t mysqld_safe_t:dir search;
+-allow keepalived_t mysqld_safe_t:file { read getattr open };
+-allow keepalived_t mysqld_t:dir search;
+-allow keepalived_t mysqld_t:file { read getattr open };
+-allow keepalived_t neutron_t:dir search;
+-allow keepalived_t neutron_t:file { read getattr open };
+-allow keepalived_t nova_api_t:dir search;
+-allow keepalived_t nova_api_t:file { read getattr open };
+-allow keepalived_t nova_cert_t:dir search;
+-allow keepalived_t nova_cert_t:file { read getattr open };
+-allow keepalived_t nova_conductor_t:dir search;
+-allow keepalived_t nova_conductor_t:file { read getattr open };
+-allow keepalived_t nova_console_t:dir search;
+-allow keepalived_t nova_console_t:file { read getattr open };
+-allow keepalived_t nova_scheduler_t:dir search;
+-allow keepalived_t nova_scheduler_t:file { read getattr open };
+-allow keepalived_t ntpd_t:dir search;
+-allow keepalived_t ntpd_t:file { read getattr open };
+-allow keepalived_t openvswitch_t:dir search;
+-allow keepalived_t openvswitch_t:file { read getattr open };
+-allow keepalived_t rabbitmq_beam_t:dir search;
+-allow keepalived_t rabbitmq_beam_t:file { read getattr open };
+-allow keepalived_t rabbitmq_epmd_t:dir search;
+-allow keepalived_t rabbitmq_epmd_t:file { read getattr open };
+-allow keepalived_t rpcbind_t:dir search;
+-allow keepalived_t rpcbind_t:file { read getattr open };
+-allow keepalived_t rpcd_t:dir search;
+-allow keepalived_t rpcd_t:file { read getattr open };
+-allow keepalived_t rsync_t:dir search;
+-allow keepalived_t rsync_t:file { read getattr open };
+-allow keepalived_t self:capability kill;
+-allow keepalived_t snmpd_t:dir search;
+-allow keepalived_t snmpd_t:file { read getattr open };
+-allow keepalived_t sshd_net_t:dir search;
+-allow keepalived_t sshd_net_t:file { read getattr open };
+-allow keepalived_t sshd_t:dir search;
+-allow keepalived_t sshd_t:file { read getattr open };
+-allow keepalived_t swift_t:dir search;
+-allow keepalived_t swift_t:file { read getattr open };
+-allow keepalived_t syslogd_t:dir search;
+-allow keepalived_t syslogd_t:file { read getattr open };
+-allow keepalived_t system_cronjob_t:dir search;
+-allow keepalived_t system_cronjob_t:file { read getattr open };
+-allow keepalived_t system_dbusd_t:dir search;
+-allow keepalived_t system_dbusd_t:file { read getattr open };
+-allow keepalived_t systemd_hostnamed_t:dir search;
+-allow keepalived_t systemd_hostnamed_t:file { read getattr open };
+-allow keepalived_t systemd_logind_t:dir search;
+-allow keepalived_t systemd_logind_t:file { read getattr open };
+-allow keepalived_t udev_t:dir search;
+-allow keepalived_t udev_t:file { read getattr open };
+-allow keepalived_t unconfined_t:dir search;
+-allow keepalived_t unconfined_t:file { read getattr open };
++allow keepalived_t self:capability kill;
+\ No newline at end of file
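Review bot: The new `gen_require` block declares `class dir`, `class file` and `class lnk_file` permission sets that no remaining rule in the module references (the only rules left are the `domain_read_all_domains_state(keepalived_t)` interface, which carries its own requires, the `signull` rule and the `kill` capability), so those three lines are dead, and the nested `{ open { getattr read ioctl lock } }` set reads like a paste error; drop them, or flatten the file set to `class file { open getattr read ioctl lock };` if it is kept. The interface is also a considerably broader grant than the per-type list it replaces: it lets keepalived_t read the /proc state of every domain on the host, not only the ones the removed rules named, and that trade-off is only explained in the commit message and the bugzilla link. It deserves a comment in the policy itself, e.g. `# The killall denials above need read of every process's /proc state; a per-type list does not install on RHEL 7.0 (types missing), so grant it for all domains — broader than strictly needed.` The file also now ends without a trailing newline.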
diff --git a/openstack-tripleo-image-elements.spec b/openstack-tripleo-image-elements.spec
index 6cf060b..7fe7bcd 100644
--- a/openstack-tripleo-image-elements.spec
+++ b/openstack-tripleo-image-elements.spec
@@ -4,7 +4,7 @@
Name: openstack-tripleo-image-elements
Summary: OpenStack TripleO Image Elements for diskimage-builder
Version: 0.8.10
-Release: 2%{?dist}
+Release: 3%{?dist}
License: ASL 2.0
Group: System Environment/Base
URL: https://wiki.openstack.org/wiki/TripleO
@@ -12,12 +12,13 @@ Source0: http://tarballs.openstack.org/tripleo-image-elements/tripleo-image-elem
Patch0001: 0001-Cinder-conf-patch.patch
Patch0002: 0002-Change-default-swift-bind_ports.patch
-Patch0003: 0003-SELinux-Update-keepalived-custom-policy.patch
-Patch0004: 0004-SELinux-Fix-mnt-state-var-log-keepalived-context.patch
-Patch0005: 0005-Ensure-neutron-rootwrap.d-symlink-is-not-nested.patch
-Patch0006: 0006-Add-package-install-support-for-tuskar.patch
-Patch0007: 0007-Add-package-install-support-for-tuskar-ui.patch
-Patch0008: 0008-Make-rdo-release-install-safe.patch
+Patch0003: 0003-SELinux-Fix-mnt-state-var-log-keepalived-context.patch
+Patch0004: 0004-Ensure-neutron-rootwrap.d-symlink-is-not-nested.patch
+Patch0005: 0005-Add-package-install-support-for-tuskar.patch
+Patch0006: 0006-Add-package-install-support-for-tuskar-ui.patch
+Patch0007: 0007-Make-rdo-release-install-safe.patch
+Patch0008: 0008-Change-how-SELinux-policies-are-compiled.patch
+Patch0009: 0009-Simplify-keepalived-custom-policy.patch
BuildArch: noarch
BuildRequires: python
@@ -42,6 +43,7 @@ program.
%patch0006 -p1
%patch0007 -p1
%patch0008 -p1
+%patch0009 -p1
%build
%{__python} setup.py build
@@ -92,6 +94,9 @@ fi
%{_datadir}/tripleo-image-elements
%changelog
+* Thu Oct 23 2014 James Slagle <jslagle at redhat.com> 0.8.10-3
+- Simplify keepalived custom policy
+
* Tue Oct 21 2014 James Slagle <jslagle at redhat.com> 0.8.10-2
- Make rdo-release install safe