[Ovirt-devel] [PATCH node] ovirt-node-selinux: new sub-module, for conforming SELinux policy

Jim Meyering jim at meyering.net
Wed Oct 8 21:19:15 UTC 2008 

ovirt-node needs SELinux policy to allow qemu to access the iSCSI block
devices. This is done presently via a script during install, but it
should be done by a subpackage of ovirt-node called ovirt-node-selinux.
Follow the Fedora guidelines for this located at:
http://fedoraproject.org/wiki/PackagingDrafts/SELinux/PolicyModules

* Makefile.am (EXTRA_DIST): Add ovirt-node-selinux.te.
* ovirt-node-selinux.te: New file, with contents from...
* ovirt-listen-awake/ovirt-install-node: ...here.  Remove policy
definition and semodule-running code.
* ovirt-node.spec.in: Update per the above wiki URL.
---
 Makefile.am                           |    6 ++--
 ovirt-listen-awake/ovirt-install-node |   19 ----------
 ovirt-node-selinux.te                 |    8 ++++
 ovirt-node.spec.in                    |   59 ++++++++++++++++++++++++++++++++-
 4 files changed, 69 insertions(+), 23 deletions(-)
 create mode 100644 ovirt-node-selinux.te

diff --git a/Makefile.am b/Makefile.am
index 28aa71e..8ca63dc 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -21,10 +21,11 @@ SUBDIRS = ovirt-identify-node ovirt-listen-awake
 EXTRA_DIST =			\
   .gitignore			\
   ovirt-node.spec		\
-  ovirt-node.spec.in	\
+  ovirt-node.spec.in		\
+  ovirt-node-selinux.te		\
   scripts/collectd		\
   scripts/collectd.conf.in	\
-  scripts/ovirt				\
+  scripts/ovirt			\
   scripts/ovirt-awake		\
   scripts/ovirt-early		\
   scripts/ovirt-functions	\
@@ -48,4 +49,3 @@ publish: rpms
 	createrepo $(OVIRT_CACHE_DIR)/ovirt

 .PHONY: rpms publish
-
diff --git a/ovirt-listen-awake/ovirt-install-node b/ovirt-listen-awake/ovirt-install-node
index c741acf..1d998f4 100644
--- a/ovirt-listen-awake/ovirt-install-node
+++ b/ovirt-listen-awake/ovirt-install-node
@@ -100,22 +100,3 @@ elif [ "$1" = "stateful" ]; then
 else
     usage
 fi
-
-# Common to both stateless and stateful Nodes
-
-if selinuxenabled ; then
-    # make disks available to VMs
-    t=$(mktemp -d)
-    cat > $t/te <<\EOF
-module ovirt 1.0.0;
-require {
-    type fixed_disk_device_t;
-    type qemu_t;
-    class blk_file { ioctl getattr setattr read write };
-}
-allow qemu_t fixed_disk_device_t:blk_file { ioctl getattr setattr read write };
-EOF
-    checkmodule -M -m -o $t/mod $t/te
-    semodule_package -o $t/pp -m $t/mod
-    semodule -i $t/pp
-fi
diff --git a/ovirt-node-selinux.te b/ovirt-node-selinux.te
new file mode 100644
index 0000000..a53d3de
--- /dev/null
+++ b/ovirt-node-selinux.te
@@ -0,0 +1,8 @@
+module ovirt 1.0.0;
+require {
+    type fixed_disk_device_t;
+    type qemu_t;
+    class blk_file { ioctl getattr setattr read write };
+}
+# Give qemu_t access to any block device
+allow qemu_t fixed_disk_device_t:blk_file { ioctl getattr setattr read write };
diff --git a/ovirt-node.spec.in b/ovirt-node.spec.in
index 3dc4e1d..daa3d7f 100644
--- a/ovirt-node.spec.in
+++ b/ovirt-node.spec.in
@@ -6,6 +6,11 @@ Source0:        %{name}-%{version}.tar.gz
 License:        GPLv2+
 Group:          Applications/System

+%define selinux_variants mls strict targeted
+%define selinux_policyver %(sed -n 's,.*selinux-policy-\([^/]*\)/.*,\1,p' /usr/share/selinux/devel/policyhelp)
+%define modulename %{name}-selinux
+Source1:        %{modulename}.te
+
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-buildroot
 URL:            http://www.ovirt.org/
 Requires(post):  /sbin/chkconfig
@@ -26,14 +31,38 @@ ExclusiveArch:  %{ix86} x86_64
 Provides a series of daemons and support utilities to allow an
 oVirt Node to interact with the oVirt server.

-%prep
+%package selinux
+Summary:        SELinux policy module supporting ovirt-node
+Group:          System Environment/Base
+BuildRequires:  checkpolicy, selinux-policy-devel, hardlink
+%if "%{selinux_policyver}" != ""
+Requires:       selinux-policy >= %{selinux_policyver}
+%endif
+Requires:       %{name} = %{version}-%{release}
+Requires(post):   /usr/sbin/semodule, /sbin/restorecon
+Requires(postun): /usr/sbin/semodule, /sbin/restorecon
+
+%description selinux
+SELinux policy module supporting ovirt-node

+%prep
 %setup -q

+mkdir SELinux
+cp -p %{SOURCE1} SELinux
+
 %build
 %configure
 make

+cd SELinux
+for selinuxvariant in %{selinux_variants}; do
+  make NAME=${selinuxvariant} -f /usr/share/selinux/devel/Makefile
+  mv %{modulename}.pp %{modulename}.pp.${selinuxvariant}
+  make NAME=${selinuxvariant} -f /usr/share/selinux/devel/Makefile clean
+done
+cd -
+
 %install
 %{__rm} -rf %{buildroot}
 %{__install} -d -m0755 %{buildroot}%{_sbindir}
@@ -65,6 +94,16 @@ make

 echo "oVirt Node release %{version}-%{release}" > %{buildroot}%{_sysconfdir}/ovirt-release

+cd SELinux
+for selinuxvariant in %{selinux_variants}; do
+  install -d %{buildroot}%{_datadir}/selinux/${selinuxvariant}
+  install -p -m 644 %{modulename}.pp.${selinuxvariant} \
+  %{buildroot}%{_datadir}/selinux/${selinuxvariant}/%{modulename}.pp
+done
+cd -
+
+/usr/sbin/hardlink -cv %{buildroot}%{_datadir}/selinux
+
 %clean
 %{__rm} -rf %{buildroot}

@@ -85,6 +124,24 @@ if [ "$1" = 0 ] ; then
   /sbin/chkconfig --del ovirt-listen-awake
 fi

+%post selinux
+for selinuxvariant in %{selinux_variants}; do
+  /usr/sbin/semodule -s ${selinuxvariant} -i \
+    %{_datadir}/selinux/${selinuxvariant}/%{modulename}.pp &> /dev/null || :
+done
+
+%postun selinux
+if [ $1 -eq 0 ] ; then
+  for selinuxvariant in %{selinux_variants}; do
+    /usr/sbin/semodule -s ${selinuxvariant} -r %{modulename} &> /dev/null || :
+  done
+fi
+
+%files selinux
+%defattr(-,root,root,0755)
+%doc SELinux/*
+%{_datadir}/selinux/*/%{modulename}.pp
+
 %files
 %defattr(-,root,root,0755)
 %{_sbindir}/ovirt-awake
--
1.6.0.2.304.gc76d

More information about the ovirt-devel mailing list