Correct SELinux file contexts

OpenStack components installed via source are placed under
/opt/stack/venvs. The files under /opt/stack/venvs/<component>/bin
do not have the correct SELinux file contexts. This change
applies the same context they would have received had they
been installed by an RPM package under /usr/bin.

Closes-Bug: 1340499
Change-Id: Ibffa1b986b52a1dc28de8d3b8056eed92aae9ee7
Richard Su 2014-07-17 13:17:15 -07:00
parent 9ba50d1b86
commit b56a278aa4
29 changed files with 103 additions and 0 deletions


@ -1,3 +1,4 @@
os-apply-config
os-svc-install
selinux
source-repositories


@ -16,3 +16,5 @@ if [ -f /opt/stack/ceilometer/etc/ceilometer/sources.json ]; then
fi
ln -s $CEILOMETER_VENV_DIR/bin/ceilometer-dbsync /usr/local/bin/ceilometer-dbsync
add-selinux-path-substitution /usr/bin $CEILOMETER_VENV_DIR/bin
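Review bot: The call added at the end of this hunk (and the matching line added to every other install.d hunk in this commit) relies on `add-selinux-path-substitution` labeling the venv's bin directory during the image build, but `restorecon` appears to apply labels only when SELinux is enabled in the environment it runs in; if the chroot build runs on a host with SELinux disabled, the equivalence is recorded in the image's policy store yet the files stay unlabeled until some later relabel, which is worth confirming and stating in the selinux element README. The `$CEILOMETER_VENV_DIR` expansion is unquoted, matching the surrounding lines; `"$CEILOMETER_VENV_DIR/bin"` would be the safer form if this file is cleaned up.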


@ -2,5 +2,6 @@ iptables
os-apply-config
os-refresh-config
os-svc-install
selinux
source-repositories
use-ephemeral


@ -14,3 +14,5 @@ ln -sf $CINDER_VENV_DIR/bin/cinder-rootwrap /usr/local/bin/cinder-rootwrap
echo "cinder ALL=(root) NOPASSWD: /usr/local/bin/cinder-rootwrap" > /etc/sudoers.d/cinder
chmod 0440 /etc/sudoers.d/cinder
visudo -c
add-selinux-path-substitution /usr/bin $CINDER_VENV_DIR/bin


@ -2,4 +2,5 @@ iptables
os-apply-config
os-refresh-config
os-svc-install
selinux
source-repositories


@ -14,3 +14,5 @@ cp /opt/stack/glance/etc/glance-registry-paste.ini /etc/glance/glance-registry-p
os-svc-daemon -i "$GLANCE_VENV_DIR" glance-api glance glance-api
os-svc-daemon -i "$GLANCE_VENV_DIR" glance-reg glance glance-registry
add-selinux-path-substitution /usr/bin $GLANCE_VENV_DIR/bin


@ -1,4 +1,5 @@
os-apply-config
os-refresh-config
os-svc-install
selinux
source-repositories


@ -9,3 +9,5 @@ os-svc-install $HEAT_EXTRA_INSTALL_OPTS -i "$HEAT_VENV_DIR" -u heat -r /opt/stac
cp /opt/stack/heat/etc/heat/policy.json /etc/heat/policy.json
install -d -m 0770 -o root -g heat /var/log/heat
add-selinux-path-substitution /usr/bin $HEAT_VENV_DIR/bin


@ -2,4 +2,5 @@ openstack-clients
os-apply-config
os-refresh-config
os-svc-install
selinux
source-repositories


@ -18,3 +18,4 @@ ln -s $IRONIC_VENV_DIR/bin/ironic-dbsync /usr/local/bin/ironic-dbsync
ln -sf $IRONIC_VENV_DIR/bin/ironic-rootwrap /usr/local/bin/ironic-rootwrap
add-selinux-path-substitution /usr/bin $IRONIC_VENV_DIR/bin


@ -2,4 +2,5 @@ iptables
os-apply-config
os-refresh-config
os-svc-install
selinux
source-repositories


@ -24,3 +24,5 @@ if [[ "ubuntu rhel rhel7 centos" =~ "$DISTRO_NAME" ]]; then
fi
install-packages percona-toolkit
fi
add-selinux-path-substitution /usr/bin $KEYSTONE_VENV_DIR/bin


@ -2,4 +2,5 @@ iptables
os-apply-config
os-refresh-config
os-svc-install
selinux
source-repositories


@ -24,3 +24,5 @@ visudo -c
if [ "$DIB_INIT_SYSTEM" == "systemd" ]; then
systemctl enable openvswitch.service
fi
add-selinux-path-substitution /usr/bin $NEUTRON_VENV_DIR/bin


@ -1,4 +1,5 @@
os-apply-config
os-refresh-config
os-svc-install
selinux
source-repositories


@ -15,3 +15,5 @@ ln -sf $NOVA_VENV_DIR/bin/nova-rootwrap /usr/local/bin/nova-rootwrap
echo "nova ALL=(root) NOPASSWD: /usr/local/bin/nova-rootwrap" > /etc/sudoers.d/nova
chmod 0440 /etc/sudoers.d/nova
visudo -c
add-selinux-path-substitution /usr/bin $NOVA_VENV_DIR/bin


@ -1,3 +1,4 @@
pip-and-virtualenv
pip-manifest
selinux
source-repositories


@ -3,3 +3,5 @@
set -eux
install-openstack-client $CEILOMETERCLIENT_EXTRA_INSTALL_OPTS -c ceilometer -i $CEILOMETERCLIENT_VENV_DIR
add-selinux-path-substitution /usr/bin $CEILOMETERCLIENT_VENV_DIR/bin


@ -4,3 +4,4 @@ set -eux
install-openstack-client $CINDERCLIENT_EXTRA_INSTALL_OPTS -c cinder -i $CINDERCLIENT_VENV_DIR
add-selinux-path-substitution /usr/bin $CINDERCLIENT_VENV_DIR/bin


@ -3,3 +3,5 @@
set -eux
install-openstack-client $GLANCECLIENT_EXTRA_INSTALL_OPTS -c glance -i $GLANCECLIENT_VENV_DIR
add-selinux-path-substitution /usr/bin $GLANCECLIENT_VENV_DIR/bin


@ -3,3 +3,5 @@
set -eux
install-openstack-client $HEATCLIENT_EXTRA_INSTALL_OPTS -c heat -i $HEATCLIENT_VENV_DIR
add-selinux-path-substitution /usr/bin $HEATCLIENT_VENV_DIR/bin


@ -3,3 +3,5 @@
set -eux
install-openstack-client $IRONICCLIENT_EXTRA_INSTALL_OPTS -c ironic -i $IRONICCLIENT_VENV_DIR
add-selinux-path-substitution /usr/bin $IRONICCLIENT_VENV_DIR/bin


@ -3,3 +3,5 @@
set -eux
install-openstack-client $KEYSTONECLIENT_EXTRA_INSTALL_OPTS -c keystone -i $KEYSTONECLIENT_VENV_DIR
add-selinux-path-substitution /usr/bin $KEYSTONECLIENT_VENV_DIR/bin


@ -3,3 +3,5 @@
set -eux
install-openstack-client $NOVACLIENT_EXTRA_INSTALL_OPTS -c nova -i $NOVACLIENT_VENV_DIR
add-selinux-path-substitution /usr/bin $NOVACLIENT_VENV_DIR/bin


@ -7,3 +7,5 @@ install-openstack-client $SWIFTCLIENT_EXTRA_INSTALL_OPTS -c swift -i $SWIFTCLIEN
# the swift client doesn't have keystoneclient as a dependency, tripleo is
# using keystone auth so we need to explicitly install it. Bug 1085740.
$SWIFTCLIENT_VENV_DIR/bin/pip install python-keystoneclient
add-selinux-path-substitution /usr/bin $SWIFTCLIENT_VENV_DIR/bin


@ -0,0 +1,8 @@
An element containing SELinux scripts
bin/add-selinux-path-substitution
Adds a path substitution from a source to a target path. Can be used to
indicate the SELinux rules that normally apply to the packaged version
of nova at /usr/bin/nova (source path) should also be applied to the
source version at /opt/stack/venvs/nova/bin/nova (target path).


@ -0,0 +1,53 @@
#! /bin/bash
#
# Copyright 2014 Red Hat
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
set -eux
set -o pipefail
function show_options() {
echo "Usage: $0 SOURCE_PATH TARGET_PATH"
echo
echo "Context labeling for the TARGET_PATH is made equivalent"
echo "to the SOURCE_PATH"
echo
echo "Can be used to relabel file contexts for files installed"
echo "in non-standard locations. For example when nova is installed"
echo "under /opt/stack/venvs/nova/bin (target) instead of /usr/bin/"
echo "(source). Adding a path subsitution would correct the file"
echo "contexts for files in /opt/stack/venvs/nova/bin. They would"
echo "be labeled with the same contexts as if they had been installed"
echo "at /usr/bin by a rpm package."
}
SOURCE_PATH=${1:-""}
TARGET_PATH=${2:-""}
if [ -z "$SOURCE_PATH" -o -z "$TARGET_PATH" ]; then
show_options
fi
if [ ! -x /usr/sbin/semanage ]; then
echo "SELinux not available"
exit 0
fi
# Add the path if it doesn't already exist
if [ "`semanage fcontext -l | grep $TARGET_PATH`" == "" ]; then
semanage fcontext -a -e $SOURCE_PATH $TARGET_PATH
fi
restorecon -Rv $TARGET_PATH
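Review bot: When SOURCE_PATH or TARGET_PATH is empty, `show_options` prints the usage but the script carries on with empty arguments into the semanage and restorecon calls; that branch should end with `exit 1`. Exiting 0 with "SELinux not available" whenever /usr/sbin/semanage is missing also conflates "tool not installed" with "SELinux off": on an enforcing system without the package providing semanage the venv binaries silently keep their wrong labels, and none of the 29 files in this commit installs that package, so the element should either depend on it or fail when `selinuxenabled` reports SELinux is on. The existence check uses backticks and an unquoted `$TARGET_PATH` as the grep pattern, so the path is interpreted as a regex and matches any fcontext entry containing it as a substring; a quoted fixed-string match such as `grep -F -- "$TARGET_PATH"` is safer, and `$SOURCE_PATH`/`$TARGET_PATH` should be quoted on the semanage and restorecon lines too. The rewritten tail of the script is below.
```shell
# … unchanged: license header, set -eux / set -o pipefail, show_options …
SOURCE_PATH=${1:-""}
TARGET_PATH=${2:-""}
if [[ -z "$SOURCE_PATH" || -z "$TARGET_PATH" ]]; then
    show_options
    exit 1
fi
if ! command -v semanage >/dev/null; then
    # A missing semanage does not mean SELinux is off: do not leave
    # TARGET_PATH mislabeled on an enforcing system.
    if command -v selinuxenabled >/dev/null && selinuxenabled; then
        echo "SELinux is enabled but semanage is not installed" >&2
        exit 1
    fi
    echo "SELinux not available"
    exit 0
fi
# Add the equivalence if it doesn't already exist; quoted fixed-string
# match so the path is not interpreted as a regex.
if ! semanage fcontext -l | grep -F -- "$TARGET_PATH" >/dev/null; then
    semanage fcontext -a -e "$SOURCE_PATH" "$TARGET_PATH"
fi
restorecon -Rv "$TARGET_PATH"
```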


@ -1 +1,2 @@
os-svc-install
selinux


@ -8,3 +8,5 @@ os-svc-install $SWIFT_EXTRA_INSTALL_OPTS -i "$SWIFT_VENV_DIR" -u swift -r /opt/s
ln -s $SWIFT_VENV_DIR/bin/swift-ring-builder /usr/local/bin/swift-ring-builder
ln -s $SWIFT_VENV_DIR/bin/swift-get-nodes /usr/local/bin/swift-get-nodes
add-selinux-path-substitution /usr/bin $SWIFT_VENV_DIR/bin