Correct SELinux file contexts

OpenStack components installed via source are placed under /opt/stack/venvs. The files under /opt/stack/venvs/<component>/bin do not have the correct SElinux file contexts. This change applies the same context as they would have received if they had been installed by a rpm package under /usr/bin. Closes-Bug: 1340499 Change-Id: Ibffa1b986b52a1dc28de8d3b8056eed92aae9ee7
2014-07-17 13:17:15 -07:00 · 2014-07-17 13:17:15 -07:00 · b56a278aa4
commit b56a278aa4
parent 9ba50d1b86
29 changed files with 103 additions and 0 deletions
--- a/elements/ceilometer/element-deps
+++ b/elements/ceilometer/element-deps
@ -1,3 +1,4 @@
 os-apply-config
 os-svc-install
 selinux
 source-repositories
--- a/elements/ceilometer/install.d/68-ceilometer
+++ b/elements/ceilometer/install.d/68-ceilometer
@ -16,3 +16,5 @@ if [ -f /opt/stack/ceilometer/etc/ceilometer/sources.json ]; then
 fi
 ln -s $CEILOMETER_VENV_DIR/bin/ceilometer-dbsync /usr/local/bin/ceilometer-dbsync
 add-selinux-path-substitution /usr/bin $CEILOMETER_VENV_DIR/bin
--- a/elements/cinder/element-deps
+++ b/elements/cinder/element-deps
@ -2,5 +2,6 @@ iptables
 os-apply-config
 os-refresh-config
 os-svc-install
 selinux
 source-repositories
 use-ephemeral
--- a/elements/cinder/install.d/cinder-source-install/72-cinder
+++ b/elements/cinder/install.d/cinder-source-install/72-cinder
@ -14,3 +14,5 @@ ln -sf $CINDER_VENV_DIR/bin/cinder-rootwrap /usr/local/bin/cinder-rootwrap
 echo "cinder ALL=(root) NOPASSWD: /usr/local/bin/cinder-rootwrap" > /etc/sudoers.d/cinder
 chmod 0440 /etc/sudoers.d/cinder
 visudo -c
 add-selinux-path-substitution /usr/bin $CINDER_VENV_DIR/bin
--- a/elements/glance/element-deps
+++ b/elements/glance/element-deps
@ -2,4 +2,5 @@ iptables
 os-apply-config
 os-refresh-config
 os-svc-install
 selinux
 source-repositories
--- a/elements/glance/install.d/glance-source-install/75-glance
+++ b/elements/glance/install.d/glance-source-install/75-glance
@ -14,3 +14,5 @@ cp /opt/stack/glance/etc/glance-registry-paste.ini /etc/glance/glance-registry-p
 os-svc-daemon -i "$GLANCE_VENV_DIR" glance-api glance glance-api
 os-svc-daemon -i "$GLANCE_VENV_DIR" glance-reg glance glance-registry
 add-selinux-path-substitution /usr/bin $GLANCE_VENV_DIR/bin
--- a/elements/heat/element-deps
+++ b/elements/heat/element-deps
@ -1,4 +1,5 @@
 os-apply-config
 os-refresh-config
 os-svc-install
 selinux
 source-repositories
--- a/elements/heat/install.d/heat-source-install/05-heat
+++ b/elements/heat/install.d/heat-source-install/05-heat
@ -9,3 +9,5 @@ os-svc-install $HEAT_EXTRA_INSTALL_OPTS -i "$HEAT_VENV_DIR" -u heat -r /opt/stac
 cp /opt/stack/heat/etc/heat/policy.json /etc/heat/policy.json
 install -d -m 0770 -o root -g heat /var/log/heat
 add-selinux-path-substitution /usr/bin $HEAT_VENV_DIR/bin
--- a/elements/ironic/element-deps
+++ b/elements/ironic/element-deps
@ -2,4 +2,5 @@ openstack-clients
 os-apply-config
 os-refresh-config
 os-svc-install
 selinux
 source-repositories
--- a/elements/ironic/install.d/68-ironic
+++ b/elements/ironic/install.d/68-ironic
@ -18,3 +18,4 @@ ln -s $IRONIC_VENV_DIR/bin/ironic-dbsync /usr/local/bin/ironic-dbsync
 ln -sf $IRONIC_VENV_DIR/bin/ironic-rootwrap /usr/local/bin/ironic-rootwrap
 add-selinux-path-substitution /usr/bin $IRONIC_VENV_DIR/bin
--- a/elements/keystone/element-deps
+++ b/elements/keystone/element-deps
@ -2,4 +2,5 @@ iptables
 os-apply-config
 os-refresh-config
 os-svc-install
 selinux
 source-repositories
--- a/elements/keystone/install.d/keystone-source-install/70-keystone
+++ b/elements/keystone/install.d/keystone-source-install/70-keystone
@ -24,3 +24,5 @@ if [[ "ubuntu rhel rhel7 centos" =~ "$DISTRO_NAME" ]]; then
    fi
    install-packages percona-toolkit
 fi
 add-selinux-path-substitution /usr/bin $KEYSTONE_VENV_DIR/bin
--- a/elements/neutron/element-deps
+++ b/elements/neutron/element-deps
@ -2,4 +2,5 @@ iptables
 os-apply-config
 os-refresh-config
 os-svc-install
 selinux
 source-repositories
--- a/elements/neutron/install.d/neutron-source-install/76-neutron
+++ b/elements/neutron/install.d/neutron-source-install/76-neutron
@ -24,3 +24,5 @@ visudo -c
 if [ "$DIB_INIT_SYSTEM" == "systemd" ]; then
    systemctl enable openvswitch.service
 fi
 add-selinux-path-substitution /usr/bin $NEUTRON_VENV_DIR/bin
--- a/elements/nova/element-deps
+++ b/elements/nova/element-deps
@ -1,4 +1,5 @@
 os-apply-config
 os-refresh-config
 os-svc-install
 selinux
 source-repositories
--- a/elements/nova/install.d/nova-source-install/74-nova
+++ b/elements/nova/install.d/nova-source-install/74-nova
@ -15,3 +15,5 @@ ln -sf $NOVA_VENV_DIR/bin/nova-rootwrap /usr/local/bin/nova-rootwrap
 echo "nova ALL=(root) NOPASSWD: /usr/local/bin/nova-rootwrap" > /etc/sudoers.d/nova
 chmod 0440 /etc/sudoers.d/nova
 visudo -c
 add-selinux-path-substitution /usr/bin $NOVA_VENV_DIR/bin
--- a/elements/openstack-clients/element-deps
+++ b/elements/openstack-clients/element-deps
@ -1,3 +1,4 @@
 pip-and-virtualenv
 pip-manifest
 selinux
 source-repositories
--- a/elements/openstack-clients/install.d/python-ceilometerclient-source-install/51-ceilometerclient
+++ b/elements/openstack-clients/install.d/python-ceilometerclient-source-install/51-ceilometerclient
@ -3,3 +3,5 @@
 set -eux
 install-openstack-client $CEILOMETERCLIENT_EXTRA_INSTALL_OPTS -c ceilometer -i $CEILOMETERCLIENT_VENV_DIR
 add-selinux-path-substitution /usr/bin $CEILOMETERCLIENT_VENV_DIR/bin
--- a/elements/openstack-clients/install.d/python-cinderclient-source-install/51-cinderclient
+++ b/elements/openstack-clients/install.d/python-cinderclient-source-install/51-cinderclient
@ -4,3 +4,4 @@ set -eux
 install-openstack-client $CINDERCLIENT_EXTRA_INSTALL_OPTS -c cinder -i $CINDERCLIENT_VENV_DIR
 add-selinux-path-substitution /usr/bin $CINDERCLIENT_VENV_DIR/bin
--- a/elements/openstack-clients/install.d/python-glanceclient-source-install/51-glanceclient
+++ b/elements/openstack-clients/install.d/python-glanceclient-source-install/51-glanceclient
@ -3,3 +3,5 @@
 set -eux
 install-openstack-client $GLANCECLIENT_EXTRA_INSTALL_OPTS -c glance -i $GLANCECLIENT_VENV_DIR
 add-selinux-path-substitution /usr/bin $GLANCECLIENT_VENV_DIR/bin
--- a/elements/openstack-clients/install.d/python-heatclient-source-install/51-heatclient
+++ b/elements/openstack-clients/install.d/python-heatclient-source-install/51-heatclient
@ -3,3 +3,5 @@
 set -eux
 install-openstack-client $HEATCLIENT_EXTRA_INSTALL_OPTS -c heat -i $HEATCLIENT_VENV_DIR
 add-selinux-path-substitution /usr/bin $HEATCLIENT_VENV_DIR/bin
--- a/elements/openstack-clients/install.d/python-ironicclient-source-install/51-ironicclient
+++ b/elements/openstack-clients/install.d/python-ironicclient-source-install/51-ironicclient
@ -3,3 +3,5 @@
 set -eux
 install-openstack-client $IRONICCLIENT_EXTRA_INSTALL_OPTS -c ironic -i $IRONICCLIENT_VENV_DIR
 add-selinux-path-substitution /usr/bin $IRONICCLIENT_VENV_DIR/bin
--- a/elements/openstack-clients/install.d/python-keystoneclient-source-install/51-keystoneclient
+++ b/elements/openstack-clients/install.d/python-keystoneclient-source-install/51-keystoneclient
@ -3,3 +3,5 @@
 set -eux
 install-openstack-client $KEYSTONECLIENT_EXTRA_INSTALL_OPTS -c keystone -i $KEYSTONECLIENT_VENV_DIR
 add-selinux-path-substitution /usr/bin $KEYSTONECLIENT_VENV_DIR/bin
--- a/elements/openstack-clients/install.d/python-novaclient-source-install/51-novaclient
+++ b/elements/openstack-clients/install.d/python-novaclient-source-install/51-novaclient
@ -3,3 +3,5 @@
 set -eux
 install-openstack-client $NOVACLIENT_EXTRA_INSTALL_OPTS -c nova -i $NOVACLIENT_VENV_DIR
 add-selinux-path-substitution /usr/bin $NOVACLIENT_VENV_DIR/bin
--- a/elements/openstack-clients/install.d/python-swiftclient-source-install/51-swiftclient
+++ b/elements/openstack-clients/install.d/python-swiftclient-source-install/51-swiftclient
@ -7,3 +7,5 @@ install-openstack-client $SWIFTCLIENT_EXTRA_INSTALL_OPTS -c swift -i $SWIFTCLIEN
 # the swift client doesn't have keystoneclient as a dependency, tripleo is
 # using keystone auth so we need to explicitly install it. Bug 1085740.
 $SWIFTCLIENT_VENV_DIR/bin/pip install python-keystoneclient
 add-selinux-path-substitution /usr/bin $SWIFTCLIENT_VENV_DIR/bin
--- a/elements/selinux/README.md
+++ b/elements/selinux/README.md
@ -0,0 +1,8 @@
 An element containing SELinux scripts
 bin/add-selinux-path-substitution
 Adds a path substitution from a source to a target path. Can be used to
 indicate the SELinux rules that normally apply to the packaged version
 of nova at /usr/bin/nova (source path) should also be applied to the
 source version at /opt/stack/venvs/nova/bin/nova (target path).
--- a/elements/selinux/bin/add-selinux-path-substitution
+++ b/elements/selinux/bin/add-selinux-path-substitution
@ -0,0 +1,53 @@
 #! /bin/bash
 #
 # Copyright 2014 Red Hat
 # All Rights Reserved.
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may
 # not use this file except in compliance with the License. You may obtain
 # a copy of the License at
 #
 #     http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
 # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
 # License for the specific language governing permissions and limitations
 # under the License.
 set -eux
 set -o pipefail
 function show_options() {
    echo "Usage: $0 SOURCE_PATH TARGET_PATH"
    echo
    echo "Context labeling for the TARGET_PATH is made equivalent"
    echo "to the SOURCE_PATH"
    echo
    echo "Can be used to relabel file contexts for files installed"
    echo "in non-standard locations. For example when nova is installed"
    echo "under /opt/stack/venvs/nova/bin (target) instead of /usr/bin/"
    echo "(source). Adding a path subsitution would correct the file"
    echo "contexts for files in /opt/stack/venvs/nova/bin. They would"
    echo "be labeled with the same contexts as if they had been installed"
    echo "at /usr/bin by a rpm package."
 }
 SOURCE_PATH=${1:-""}
 TARGET_PATH=${2:-""}
 if [ -z "$SOURCE_PATH" -o -z "$TARGET_PATH" ]; then
    show_options
 fi
 if [ ! -x /usr/sbin/semanage ]; then
    echo "SELinux not available"
    exit 0
 fi
 # Add the path if it doesn't already exist
 if [ "`semanage fcontext -l | grep $TARGET_PATH`" == "" ]; then
    semanage fcontext -a -e $SOURCE_PATH $TARGET_PATH
 fi
 restorecon -Rv $TARGET_PATH
--- a/elements/swift/element-deps
+++ b/elements/swift/element-deps
@ -1 +1,2 @@
 os-svc-install
 selinux
--- a/elements/swift/install.d/swift-source-install/75-swift
+++ b/elements/swift/install.d/swift-source-install/75-swift
@ -8,3 +8,5 @@ os-svc-install $SWIFT_EXTRA_INSTALL_OPTS -i "$SWIFT_VENV_DIR" -u swift -r /opt/s
 ln -s $SWIFT_VENV_DIR/bin/swift-ring-builder /usr/local/bin/swift-ring-builder
 ln -s $SWIFT_VENV_DIR/bin/swift-get-nodes /usr/local/bin/swift-get-nodes
 add-selinux-path-substitution /usr/bin $SWIFT_VENV_DIR/bin
`@ -18,3 +18,4 @@ ln -s $IRONIC_VENV_DIR/bin/ironic-dbsync /usr/local/bin/ironic-dbsync`

	`ln -sf $IRONIC_VENV_DIR/bin/ironic-rootwrap /usr/local/bin/ironic-rootwrap`	`ln -sf $IRONIC_VENV_DIR/bin/ironic-rootwrap /usr/local/bin/ironic-rootwrap`

		`add-selinux-path-substitution /usr/bin $IRONIC_VENV_DIR/bin`
`@ -4,3 +4,4 @@ set -eux`

	`install-openstack-client $CINDERCLIENT_EXTRA_INSTALL_OPTS -c cinder -i $CINDERCLIENT_VENV_DIR`	`install-openstack-client $CINDERCLIENT_EXTRA_INSTALL_OPTS -c cinder -i $CINDERCLIENT_VENV_DIR`

		`add-selinux-path-substitution /usr/bin $CINDERCLIENT_VENV_DIR/bin`