diff --git a/microshift.spec b/microshift.spec
index f0bd79aeb1..6aafb109d0 100644
--- a/microshift.spec
+++ b/microshift.spec
@@ -9,6 +9,10 @@
 # modifying the Go binaries breaks the DWARF debugging
 %global __os_install_post %{_rpmconfigdir}/brp-compress
+# SELinux specifics
+%global selinuxtype targeted
+
+
 Name: microshift
 Version: %{version}
 Release: %{release}%{dist}
@@ -34,6 +38,8 @@ BuildRequires: make
 Requires: cri-o
 Requires: cri-tools
+Requires: microshift-selinux
+
 %{?systemd_requires}
 %description
@@ -60,6 +66,17 @@ systems, scale testing, and provisioning of lightweight Kubernetes control plane
 Note: Microshift is still early days and moving fast. Features are missing. Things break. But you can still help shape it, too.
+%package selinux
+Summary: SELinux policies for Microshift
+BuildRequires: selinux-policy
+BuildRequires: selinux-policy-devel
+BuildArch: noarch
+%{?selinux_requires}
+
+%description selinux
+SElinux policy modules for Microshift.
+
+
 %prep
 # Unpack the sources, unless it's a localbuild
@@ -90,6 +107,11 @@ GOARCH=amd64
 make _build_local GOOS=${GOOS} GOARCH=${GOARCH}
 cp ./_output/bin/${GOOS}_${GOARCH}/microshift ./_output/microshift
+# SELinux modules build
+
+cd selinux
+make
+
 %install
 install -d %{buildroot}%{_bindir}
@@ -106,10 +128,27 @@ mkdir -p -m755 %{buildroot}/var/run/secrets/kubernetes.io/serviceaccount
 mkdir -p -m755 %{buildroot}/var/hpvolumes
 restorecon -v %{buildroot}/var/hpvolumes
+install -d %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}
+install -m644 selinux/microshift.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}
+
 %post
 %systemd_post microshift.service
+%post selinux
+
+%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/microshift.pp.bz2
+
+%postun selinux
+
+if [ $1 -eq 0 ]; then
+    %selinux_modules_uninstall -s %{selinuxtype} microshift
+fi
+
+%posttrans selinux
+
+%selinux_relabel_post -s %{selinuxtype}
+
+%preun
 %systemd_preun microshift.service
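Review bot: `Requires: microshift-selinux` in the second hunk is unversioned, so the base package and the policy subpackage built from this same spec can drift apart across upgrades (a newer binary with an older policy module, or the reverse); the usual form for a subpackage of the same spec is `Requires: %{name}-selinux = %{version}-%{release}`. Since the file contexts shipped in the subpackage are what give `%{_bindir}/microshift` its execution label, keeping the two in lockstep matters more here than for a typical data subpackage.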
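Review bot: The two `BuildRequires:` lines inside the `%package selinux` block in the third hunk are spec-global in rpm (a subpackage cannot carry its own build dependencies), so their placement suggests a scoping that does not exist; they belong with the other `BuildRequires` in the preamble. `%{?selinux_requires}` and `BuildArch: noarch` match the selinux-policy packaging convention. Minor: the subpackage description reads `SElinux policy modules for Microshift.`; `SELinux` is the usual capitalisation and matches the `Summary:` line above it.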
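Review bot: The `%post selinux`, `%postun selinux` and `%posttrans selinux` scriptlets in the last hunk have no matching `%pre selinux` running `%selinux_relabel_pre -s %{selinuxtype}`. As far as I recall the selinux-policy macros, `%selinux_relabel_post` only relabels paths whose context differs from the `file_contexts.pre` snapshot that `%selinux_relabel_pre` saves, so without it the relabel in `%posttrans` is effectively a no-op and paths that already exist on the host (for example `/var/hpvolumes` or `/var/lib/microshift/certs` from the .fc) keep their previous labels after install or upgrade. Suggest adding before `%post selinux`: `%pre selinux` / `%selinux_relabel_pre -s %{selinuxtype}`. The collapsed hunk also shows `+%preun` right after the new scriptlets; if that line really is added rather than context, the spec now has two `%preun` sections and rpmbuild will reject it, so it is worth confirming against the actual patch.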
@@ -121,6 +160,11 @@ restorecon -v %{buildroot}/var/hpvolumes
 %{_bindir}/microshift
 %{_unitdir}/microshift.service
+%files selinux
+
+%{_datadir}/selinux/packages/%{selinuxtype}/microshift.pp.bz2
+%ghost %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/microshift
+
 %changelog
 * Mon Sep 20 2021 Miguel Angel Ajo . 4.7.0-2021_08_31_224727
 - Initial packaging
diff --git a/selinux/Makefile b/selinux/Makefile
new file mode 100644
index 0000000000..903d61ebac
--- /dev/null
+++ b/selinux/Makefile
@@ -0,0 +1,26 @@
+TARGET?=microshift
+MODULES?=${TARGET:=.pp.bz2}
+SHAREDIR?=/usr/share
+
+all: ${TARGET:=.pp.bz2}
+
+%.pp.bz2: %.pp
+	@echo Compressing $^ -\> $@
+	bzip2 -9 $^
+
+%.pp: %.te
+	make -f ${SHAREDIR}/selinux/devel/Makefile $@
+
+clean:
+	rm -f *~ *.tc *.pp *.pp.bz2
+	rm -rf tmp *.tar.gz
+
+man: install-policy
+	sepolicy manpage --path . --domain ${TARGET}_t
+
+install-policy: all
+	semodule -i ${TARGET}.pp.bz2
+
+install: man
+	install -D -m 644 ${TARGET}.pp.bz2 ${DESTDIR}${SHAREDIR}/selinux/packages/${TARGET}.pp.bz2
+	install -D -m 644 ${TARGET}_selinux.8 ${DESTDIR}${SHAREDIR}/man/man8/
diff --git a/selinux/microshift.fc b/selinux/microshift.fc
index 47a66a5c6c..c888fada79 100644
--- a/selinux/microshift.fc
+++ b/selinux/microshift.fc
@@ -2,4 +2,5 @@
 /var/run/secrets/kubernetes.io/serviceaccount(/.*)? gen_context(system_u:object_r:container_runtime_tmpfs_t,s0)
 /var/lib/microshift/certs/ca-bundle(/.*)? gen_context(system_u:object_r:container_file_t,s0)
 /usr/local/bin/microshift -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/bin/microshift -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
 /var/hpvolumes(/.*)? gen_context(system_u:object_r:container_file_t,s0)
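Review bot: `bzip2 -9 $^` in the `%.pp.bz2` rule deletes the `.pp` it reads, so a second `make` in the same tree finds the prerequisite missing, regenerates `%.pp`, and then fails because `bzip2` refuses to overwrite the existing `$@`; `bzip2 -9 -c $< > $@` produces exactly the target and keeps the input, and `.DELETE_ON_ERROR:` removes a truncated archive if compression fails. The `%.pp` rule lists only `%.te`, so the `microshift.fc` change in this same commit would not trigger a rebuild in an already-built checkout, and its recipe calls `make` rather than `$(MAKE)`, which drops jobserver and `-n` propagation. `install` reaches `install-policy` through `man`, so a staging `make install DESTDIR=…` also runs `semodule -i` against the build host's live policy, and it installs to `${SHAREDIR}/selinux/packages/${TARGET}.pp.bz2` while the spec's `%install` uses `%{_datadir}/selinux/packages/%{selinuxtype}/`. `MODULES` is defined but never used (`all` repeats its expansion), and none of `all clean man install-policy install` is declared `.PHONY`.
```make
.PHONY: all clean man install-policy install
.DELETE_ON_ERROR:

all: ${MODULES}

%.pp.bz2: %.pp
	@echo Compressing $< -\> $@
	bzip2 -9 -c $< > $@

%.pp: %.te %.fc
	$(MAKE) -f ${SHAREDIR}/selinux/devel/Makefile $@

# … unchanged: clean, man, install-policy, install …
```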
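Review bot: The added `/usr/bin/microshift` entry assigns `container_runtime_exec_t`, so the packaged binary is presumably executed in the container-runtime domain rather than a domain of its own; a one-line comment above the entry stating that this is intentional, e.g. `# microshift shares the container runtime domain; no dedicated domain yet`, would stop the next reader from assuming a `microshift_t` exists (the new Makefile's `man` target asks `sepolicy` for `${TARGET}_t`, which this file does not establish). The older `/usr/local/bin/microshift` line is kept alongside the new one; if it only serves source installs, saying so in the same comment would make clear it is not dead.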