Create RPM SELinux sub-module

microshift.spec

@@ -9,6 +9,10 @@
 # modifying the Go binaries breaks the DWARF debugging
 %global __os_install_post %{_rpmconfigdir}/brp-compress
 
+# SELinux specifics
+%global selinuxtype targeted
+
+
 Name: microshift
 Version: %{version}
 Release: %{release}%{dist}
@@ -34,6 +38,8 @@ BuildRequires: make
 
 Requires: cri-o
 Requires: cri-tools
+Requires: microshift-selinux
+
 %{?systemd_requires}
 
 %description
@@ -60,6 +66,17 @@ systems, scale testing, and provisioning of lightweight Kubernetes control plane
 Note: Microshift is still early days and moving fast. Features are missing.
 Things break. But you can still help shape it, too.
 
+%package selinux
+Summary: SELinux policies for Microshift
+BuildRequires: selinux-policy
+BuildRequires: selinux-policy-devel
+BuildArch: noarch
+%{?selinux_requires}
+
+%description selinux
+SElinux policy modules for Microshift.
+
+
 %prep
 
 # Unpack the sources, unless it's a localbuild
@@ -90,6 +107,11 @@ GOARCH=amd64
 make _build_local GOOS=${GOOS} GOARCH=${GOARCH}
 cp ./_output/bin/${GOOS}_${GOARCH}/microshift ./_output/microshift
 
+# SELinux modules build
+
+cd selinux
+make
+
 %install
 
 install -d %{buildroot}%{_bindir}
@@ -106,10 +128,27 @@ mkdir -p -m755 %{buildroot}/var/run/secrets/kubernetes.io/serviceaccount
 mkdir -p -m755 %{buildroot}/var/hpvolumes
 restorecon -v %{buildroot}/var/hpvolumes
 
+install -d %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}
+install -m644 selinux/microshift.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}
+
 %post
 
 %systemd_post microshift.service
 
+%post selinux
+
+%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/microshift.pp.bz2
+
+%postun selinux
+
+if [ $1 -eq 0 ]; then
+    %selinux_modules_uninstall -s %{selinuxtype} microshift
+fi
+
+%posttrans selinux
+
+%selinux_relabel_post -s %{selinuxtype}
+
 %preun
 
 %systemd_preun microshift.service
@@ -121,6 +160,11 @@ restorecon -v %{buildroot}/var/hpvolumes
 %{_bindir}/microshift
 %{_unitdir}/microshift.service
 
+%files selinux
+
+%{_datadir}/selinux/packages/%{selinuxtype}/microshift.pp.bz2
+%ghost %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/microshift
+
 %changelog
 * Mon Sep 20 2021 Miguel Angel Ajo <majopela@redhat.com> . 4.7.0-2021_08_31_224727
 - Initial packaging

selinux/Makefile

@@ -0,0 +1,26 @@
+TARGET?=microshift
+MODULES?=${TARGET:=.pp.bz2}
+SHAREDIR?=/usr/share
+
+all: ${TARGET:=.pp.bz2}
+
+%.pp.bz2: %.pp
+	@echo Compressing $^ -\> $@
+	bzip2 -9 $^
+
+%.pp: %.te
+	make -f ${SHAREDIR}/selinux/devel/Makefile $@
+
+clean:
+	rm -f *~  *.tc *.pp *.pp.bz2
+	rm -rf tmp *.tar.gz
+
+man: install-policy
+	sepolicy manpage --path . --domain ${TARGET}_t
+
+install-policy: all
+	semodule -i ${TARGET}.pp.bz2
+
+install: man
+	install -D -m 644 ${TARGET}.pp.bz2 ${DESTDIR}${SHAREDIR}/selinux/packages/${TARGET}.pp.bz2
+	install -D -m 644 ${TARGET}_selinux.8 ${DESTDIR}${SHAREDIR}/man/man8/

selinux/microshift.fc

@@ -2,4 +2,5 @@
 /var/run/secrets/kubernetes.io/serviceaccount(/.*)?				gen_context(system_u:object_r:container_runtime_tmpfs_t,s0)
 /var/lib/microshift/certs/ca-bundle(/.*)?                                       gen_context(system_u:object_r:container_file_t,s0)
 /usr/local/bin/microshift                                                  --	gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/bin/microshift                                                        --	gen_context(system_u:object_r:container_runtime_exec_t,s0)
 /var/hpvolumes(/.*)?            						gen_context(system_u:object_r:container_file_t,s0)