Closed strider closed 4 years ago
Archiving pastebin content here:

```
module delorean 1.0;

require {
	type httpd_sys_rw_content_t;
	type svirt_lxc_net_t;
	type docker_t;
	class dir { setattr read create write getattr rmdir remove_name add_name };
	class file { append execute setattr read create ioctl execute_no_trans write getattr link unlink open };
	class lnk_file { read unlink link setattr };
}

#============= docker_t ==============
allow docker_t httpd_sys_rw_content_t:dir getattr;

#============= svirt_lxc_net_t ==============
allow svirt_lxc_net_t httpd_sys_rw_content_t:dir { write read create add_name remove_name rmdir setattr };
allow svirt_lxc_net_t httpd_sys_rw_content_t:file { append write ioctl link read create open unlink setattr };
allow svirt_lxc_net_t httpd_sys_rw_content_t:lnk_file { read unlink link setattr };
```
Thanks. Was this on CentOS or Fedora? On F21 this is working for me with no custom modules:

```
sudo semanage fcontext -a -t svirt_sandbox_file_t "/tmp/delorean/data(/.*)?"
sudo semanage fcontext -a -t svirt_sandbox_file_t "/tmp/delorean/scripts(/.*)?"
mkdir /tmp/delorean/data
sudo restorecon -R /tmp/delorean
```

I'm not sure why I need to create the data directory before running restorecon; I would have thought it would get the correct context once semanage had been run.
@dmsimard Does the above SELinux module resolve all denials for you on F22?
It works with the module and the instructions provided by @strider, but I had to adjust that last bit:

```
# semanage fcontext -a -t httpd_sys_rw_content_t "/root/delorean/data(/.*)?"
# restorecon -Rv /root/delorean/data
```

Actually used:

```
# semanage fcontext -a -t httpd_sys_rw_content_t "/root/delorean/data(/.*)?"
# semanage fcontext -a -t httpd_sys_rw_content_t "/root/delorean/scripts(/.*)?"
# restorecon -Rv /root/delorean
```

For the record, the AVC error with the permission denied was the following:

```
type=AVC msg=audit(1441897500.157:754): avc: denied { read } for pid=13754 comm="build_rpm_wrapp" name="build_rpm_wrapper.sh" dev="dm-1" ino=565190 scontext=system_u:system_r:svirt_lxc_net_t:s0:c53,c65 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
```

No permission denied errors so far (and the package is building).

Edit: That doesn't look like it works after all. Trying to figure out what the issue is now.
```
$ delorean --config-file projects.ini --local --dev --package-name openstack-cinder --log-commands
INFO:delorean:Getting git://git.openstack.org/openstack/cinder to ./data/openstack-cinder
INFO:delorean:Processing openstack-cinder cb790c0979665f376c0c01c0443301f8e7362d66
ERROR:delorean:Error while building packages for openstack-cinder
Traceback (most recent call last):
  File "/home/dmsimard/dev/delorean/delorean/shell.py", line 229, in main
    options.use_public)
  File "/home/dmsimard/dev/delorean/delorean/shell.py", line 498, in build
    raise Exception("No rpms built for %s" % project_name)
Exception: No rpms built for openstack-cinder
INFO:delorean:Skipping notify email to ['eharney@redhat.com', 'apevec@redhat.com', 'hguemar@redhat.com']
INFO:delorean:Processing openstack-cinder bcc7ce05cb73b96915df43e89af3c8f42f9eb677
ERROR:delorean:Error while building packages for openstack-cinder
Traceback (most recent call last):
  File "/home/dmsimard/dev/delorean/delorean/shell.py", line 229, in main
    options.use_public)
  File "/home/dmsimard/dev/delorean/delorean/shell.py", line 498, in build
    raise Exception("No rpms built for %s" % project_name)
Exception: No rpms built for openstack-cinder
INFO:delorean:Processing openstack-cinder 23e6cf9967463d3b59ca2e63344b0bbbf3e5491a
ERROR:delorean:Error while building packages for openstack-cinder
Traceback (most recent call last):
  File "/home/dmsimard/dev/delorean/delorean/shell.py", line 229, in main
    options.use_public)
  File "/home/dmsimard/dev/delorean/delorean/shell.py", line 498, in build
    raise Exception("No rpms built for %s" % project_name)
Exception: No rpms built for openstack-cinder
[...]
```

I tried docker_home_t on ./data/ but that doesn't help:

```
avc: denied { write } for pid=875 comm="build_rpm_wrapp" ... scontext=system_u:system_r:svirt_lxc_net_t:s0:c104,c397 tcontext=unconfined_u:object_r:docker_home_t:s0 tclass=dir permissive=0
```
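The two denials quoted in this thread, read the way audit2allow reads them, as an added example written for this thread (not DLRN/delorean code): it parses AVC records, merges them into allow rules and a `.te` skeleton of the same shape as the module at the top of the issue, and flags denials where a container domain (`svirt_lxc_net_t`) is hitting a host label such as `user_home_t` or `docker_home_t`, where the fix that actually worked above was to relabel the bind-mounted directory `svirt_sandbox_file_t` rather than to widen policy. The container-domain set and the relabel heuristic are assumptions of this example; the sample records are the ones quoted above.

```python
"""Triage SELinux AVC denials raised by a container domain.

Added example for this thread; not part of DLRN/delorean. It parses
audit.log AVC records, merges them into audit2allow-style rules, and flags
the ones where the right fix is to relabel the bind mount, not widen policy.
"""
import re
from collections import defaultdict

# The permission set comes first in an AVC record; the contexts follow
# as key=value pairs further along the same line.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?scontext=(?P<scontext>\S+)"
    r"\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)"
)

# Assumption for this example: the domain container processes run in here,
# and the file type bind-mounted host content must carry to be reachable.
CONTAINER_DOMAINS = {"svirt_lxc_net_t"}
SANDBOX_FILE_TYPE = "svirt_sandbox_file_t"

# The two denials quoted in the thread above (copied, not constructed).
SAMPLE_DENIALS = [
    'type=AVC msg=audit(1441897500.157:754): avc: denied { read } for pid=13754 '
    'comm="build_rpm_wrapp" name="build_rpm_wrapper.sh" dev="dm-1" ino=565190 '
    'scontext=system_u:system_r:svirt_lxc_net_t:s0:c53,c65 '
    'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0',
    'avc: denied { write } for pid=875 comm="build_rpm_wrapp" ... '
    'scontext=system_u:system_r:svirt_lxc_net_t:s0:c104,c397 '
    'tcontext=unconfined_u:object_r:docker_home_t:s0 tclass=dir permissive=0',
]


def selinux_type(context):
    """Return the type field of a user:role:type[:level[:categories]] context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError("not an SELinux context: %r" % context)
    return parts[2]


def parse_avc(line):
    """Return (source_type, target_type, tclass, perms), or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    perms = frozenset(m.group("perms").split())
    return (selinux_type(m.group("scontext")),
            selinux_type(m.group("tcontext")),
            m.group("tclass"), perms)


def merge_denials(lines):
    """Collapse denials into {(source_type, target_type, tclass): set(perms)}."""
    rules = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed is not None:
            stype, ttype, tclass, perms = parsed
            rules[(stype, ttype, tclass)].update(perms)
    return dict(rules)


def allow_rules(rules):
    """Render merged denials as the allow statements audit2allow would emit."""
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
            for (s, t, c), p in sorted(rules.items())]


def to_te_module(name, rules):
    """Render a complete .te module: require block plus allow rules."""
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass].update(perms)
    out = ["module %s 1.0;" % name, "", "require {"]
    out += ["\ttype %s;" % t for t in types]
    out += ["\tclass %s { %s };" % (c, " ".join(sorted(p)))
            for c, p in sorted(classes.items())]
    out += ["}", ""] + allow_rules(rules)
    return "\n".join(out) + "\n"


def triage(rules):
    """Classify each merged rule as 'relabel' or 'policy'.

    A container domain denied on anything other than svirt_sandbox_file_t
    means the bind mount still carries the host's label. Relabeling confines
    the grant to that directory tree; an allow rule on user_home_t would let
    every container reach every file of that type on the host.
    """
    return {key: ("relabel" if key[0] in CONTAINER_DOMAINS
                  and key[1] != SANDBOX_FILE_TYPE else "policy")
            for key in rules}


def relabel_commands(path):
    """semanage/restorecon pair that labels a bind-mounted tree for containers."""
    return ['semanage fcontext -a -t %s "%s(/.*)?"' % (SANDBOX_FILE_TYPE, path),
            "restorecon -Rv %s" % path]


if __name__ == "__main__":
    merged = merge_denials(SAMPLE_DENIALS)
    for key, verdict in triage(merged).items():
        print("%-8s %s" % (verdict, allow_rules({key: merged[key]})[0]))
    print(to_te_module("delorean_local", merged))
    print("\n".join(relabel_commands("/root/delorean/data")))  # path used above
```

Run as a script it marks both denials in this thread `relabel`: the container was reaching `./data` under a home directory that still carried `user_home_t` (and later `docker_home_t`), so the missing piece is the `semanage fcontext`/`restorecon` pair on that path. The generated `.te` is only printed so the two routes can be compared; a rule granting `svirt_lxc_net_t` access to `user_home_t` would apply to every container on the host, which is why relabeling is the narrower fix.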
I think the switch to mock allowed DLRN to run with SELinux active. The current instance is running in Permissive, although from a quick check on the audit logs it looks like the issue is more related to having the user home directories running on NFS.
This is already in Taiga: https://tree.taiga.io/project/morucci-software-factory/us/233 . In general terms, DLRN runs without any issue with SELinux set to Enforcing. Some details of the current production deployment need to be fixed, mostly related to the API and location of web-served files.
@trown has been working on and testing a delorean policy on http://trunk-mgt.rdoproject.org. It would be interesting to get it running on the delorean trunk instance.
Here is the SELinux policy module: http://fpaste.org/223819/14321316/

The fpaste is of a `delorean.te` file. This can be installed with:

Then adding a labeling rule for the data directory and relabeling the existing files: