From 39c8145415bc03d7ccb2fd94d93aaf70da12f5c2 Mon Sep 17 00:00:00 2001 From: Lon Hohberger Date: Mon, 30 Jun 2014 14:53:14 -0400 Subject: [PATCH 1/5] Add 'tarball' target Signed-off-by: Lon Hohberger --- Makefile | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 07fb019..db968c8 100644 --- a/Makefile +++ b/Makefile @@ -14,7 +14,22 @@ all: ${TARGETS:=.pp.bz2} clean: rm -f *~ *.if *.tc *.pp *.pp.bz2 - rm -rf tmp + rm -rf tmp *.tar.gz + +tarball: .git/config + # + # Downloading tarball. Note: this only works if the + # current HEAD matches a previously-pushed tag. + # + @RELEASE=$$(git tag --points-at=$$(git log -1 | awk '/^commit/ { print $$2 }')) ;\ + if [ -z "$$RELEASE" ]; then \ + echo "Failed. Try 'git tag' first." ;\ + else \ + rm -f openstack-selinux-$$RELEASE.tar.gz ;\ + wget -O openstack-selinux-$$RELEASE.tar.gz \ + https://github.com/redhat-openstack/openstack-selinux/archive/$$RELEASE.tar.gz ;\ + fi + #install: # ${INSTALL} -m 0644 ${TARGETS} \ From 86b8325423ddee492814b0175af6d7a361395ced Mon Sep 17 00:00:00 2001 From: Ryan Hallisey Date: Fri, 18 Jul 2014 09:57:56 -0400 Subject: [PATCH 2/5] Fixes conflict issues with swift. --- Makefile | 2 +- swift.fc => openstack-selinux-swift.fc | 0 swift.te => openstack-selinux-swift.te | 0 3 files changed, 1 insertion(+), 1 deletion(-) rename swift.fc => openstack-selinux-swift.fc (100%) rename swift.te => openstack-selinux-swift.te (100%) diff --git a/Makefile b/Makefile index db968c8..db36e66 100644 --- a/Makefile +++ b/Makefile @@ -1,4 +1,4 @@ -TARGETS?=openstack-selinux-nova openstack-selinux-neutron openstack-selinux-quantum swift openstack-rsync +TARGETS?=openstack-selinux-nova openstack-selinux-neutron openstack-selinux-quantum openstack-selinux-swift openstack-rsync MODULES?=${TARGETS:=.pp.bz2} SHAREDIR?=/usr/share #INSTALL=?=install 
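Review bot: The tarball target fetches the release archive from GitHub with no integrity check, and the `echo "Failed. Try 'git tag' first."` branch returns 0, so a missing tag still lets `make tarball` report success without producing a file; that branch should end with `exit 1`. Since the recipe already requires HEAD to equal the tag, the archive can be produced locally and reproducibly with no network dependency at all: `git archive --format=tar.gz --prefix=openstack-selinux-$$RELEASE/ -o openstack-selinux-$$RELEASE.tar.gz $$RELEASE`; if the GitHub download is kept, compare it against that local archive or a published checksum before it is used for packaging. `git tag --points-at` can print several tags for one commit, which would make RELEASE a multi-line value and the wget URL garbage, so the recipe should also bail out when more than one tag is returned. The `git log -1 | awk '/^commit/ ...'` pipeline is a roundabout `git rev-parse HEAD`.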
diff --git a/swift.fc b/openstack-selinux-swift.fc similarity index 100% rename from swift.fc rename to openstack-selinux-swift.fc diff --git a/swift.te b/openstack-selinux-swift.te similarity index 100% rename from swift.te rename to openstack-selinux-swift.te From 1d2c736228b264ef0e48d96b7e2bffc40ae3983c Mon Sep 17 00:00:00 2001 From: Lon Hohberger Date: Tue, 1 Jul 2014 13:21:23 -0400 Subject: [PATCH 3/5] Add check script for AVCs Signed-off-by: Lon Hohberger --- tests/check_all | 36 ++++++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) create mode 100755 tests/check_all diff --git a/tests/check_all b/tests/check_all new file mode 100755 index 0000000..14248dc --- /dev/null +++ b/tests/check_all @@ -0,0 +1,36 @@ +#!/bin/bash + +TMP=$(mktemp /tmp/openstack-selinux-test.XXXXXX) + +PWD=$(pwd) +cd "$(dirname $0)" + +TEST_FILES=$(/bin/ls -1 bz*) + +passed=0 +failed=0 + +for f in $TEST_FILES; do + while read; do + echo "$REPLY" > $TMP + if audit2why -i $TMP | grep -q 'Missing type'; then + echo Failed on $f with the following AVC: + audit2why -i $TMP + ((failed++)) + else + ((passed++)) + fi + done < $f +done + +cd "$PWD" + +echo Results: $passed passed, $failed failed +echo -n "Overall result: " +if [ $failed -ne 0 ]; then + echo FAIL + exit 1 +fi + +echo PASS +exit 0 From c8475fff0e2d36fdbf092f23a100602be4324e43 Mon Sep 17 00:00:00 2001 From: Ryan Hallisey Date: Tue, 1 Jul 2014 17:15:16 -0400 Subject: [PATCH 4/5] Added a counter to track progress --- tests/check_all | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/tests/check_all b/tests/check_all index 14248dc..d71ab5b 100755 --- a/tests/check_all +++ b/tests/check_all @@ -11,7 +11,12 @@ passed=0 failed=0 for f in $TEST_FILES; do + echo "CHECKING:" $f + totalAVC=$(grep -s -c "AVC" $f) + count=0 while read; do + ((count++)) + echo "("$count"/"$totalAVC")" echo "$REPLY" > $TMP if audit2why -i $TMP | grep -q 'Missing type'; then echo Failed on $f with the following AVC: 
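Review bot: The temporary file created by `TMP=$(mktemp /tmp/openstack-selinux-test.XXXXXX)` is never removed on either the `exit 1` or the `exit 0` path, so every run leaves AVC fragments behind in /tmp; add `trap 'rm -f "$TMP"' EXIT` directly after the mktemp line. `PWD=$(pwd)` does not preserve the starting directory either, because bash rewrites PWD on the following `cd "$(dirname $0)"`, which makes the closing `cd "$PWD"` a no-op; use a name bash does not own, e.g. `ORIG_DIR=$(pwd)`. `TEST_FILES=$(/bin/ls -1 bz*)` parses ls output and `$TMP`, `$f` and `$0` are expanded unquoted; iterating `for f in bz*; do` and quoting the expansions (`> "$TMP"`, `-i "$TMP"`, `< "$f"`) avoids word splitting should a path ever contain whitespace.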
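Review bot: The progress counter and its denominator count different things: `count` is incremented for every line the `while read` loop consumes, while `totalAVC=$(grep -s -c "AVC" $f)` counts only lines containing "AVC", so a test file with blank or comment lines can display a count beyond N/N. Either derive the total from the same stream with `totalAVC=$(wc -l < "$f")`, or skip non-AVC lines inside the loop with `[[ $REPLY == *AVC* ]] || continue` before incrementing. As a matter of style, `echo "("$count"/"$totalAVC")"` reads more easily as `echo "($count/$totalAVC)"`, and `$f` should be quoted in the grep. The while loop these lines belong to is closed outside the hunk.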
From fbe316c40f738763839e60c91ef5782e18f4ee84 Mon Sep 17 00:00:00 2001 From: Ryan Hallisey Date: Thu, 24 Jul 2014 08:14:15 -0400 Subject: [PATCH 5/5] Allow sshd_t to read from nova_var_lib_t Allow sshd_t to look at directories labeled nova_var_lib_t --- openstack-selinux-nova.te | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/openstack-selinux-nova.te b/openstack-selinux-nova.te index ad87215..f29c70c 100644 --- a/openstack-selinux-nova.te +++ b/openstack-selinux-nova.te @@ -23,6 +23,10 @@ require { type semanage_t; type nova_var_lib_t; type qemu_t; + type sshd_t; + type nova_var_lib_t; + type sshd_t; + class dir { search getattr }; class capability dac_override; class file { write ioctl read open getattr }; } @@ -33,6 +37,9 @@ require { allow qemu_t nova_var_lib_t:file rw_file_perms; allow qemu_t self:capability dac_override; +allow sshd_t nova_var_lib_t:file read_file_perms; +allow sshd_t nova_var_lib_t:dir { search getattr }; + # Compile with: # make -f /usr/share/selinux/devel/Makefile # Install:
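Review bot: The require block now declares `type sshd_t;` twice and repeats `type nova_var_lib_t;`, which is already listed three lines above in the context; a single `type sshd_t;` is all the new rules need, and the two duplicate lines should be dropped so the block stays readable (checkmodule may tolerate duplicate requires, but they invite confusion in later edits). The added `class dir { search getattr };` matches exactly what the new dir rule uses, so that line is fine as written.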
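Review bot: `allow sshd_t nova_var_lib_t:file read_file_perms;` gives the SSH daemon domain read access to every file labelled nova_var_lib_t, which is wider than the commit message's "look at directories" and wider than the accompanying `dir { search getattr }` rule; whatever lives under the nova state directory becomes readable by sshd_t, not just a directory listing. If the driver is sshd needing nova's `.ssh/authorized_keys` (a plausible case for a migration user, but the commit does not say), the least-privilege fix is an fcontext entry in the .fc file labelling that path `ssh_home_t`, which the base ssh policy already lets sshd_t read, rather than a new allow rule here; if a broader file read really is required, the commit message should name which files sshd must read and why. Either way, a comment above the two rules stating the path and use case, e.g. `# sshd_t: needed for <path> because <reason>` filled in with the actual case, would save the next reviewer from re-deriving it.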