BREAKING: Refactor selinux::module #189
Conversation
|
tests will be failing and there are lots of hardcoded paths for now. Still wondering what the best way to select the build dir would be. A custom fact as discussed in #146 ? |
|
I implemented simple module building using just checkmodule with a helper script. Also added the custom fact. works for me, but there's still some work to do. I noticed that the module installs the wrong packages by default. On some distros, it only installs policycoreutils, and on others it only installs selinux-policy-devel If we really want to support modules without selinux-policy-devel etc, that needs to be refactored too. |
oranenj
force-pushed
the
module_refactor
branch
from
a01db1f to
147b778
Compare
|
I cleaned this up a bit and fixed the tests. Acceptance goes through with CentOS6, CentOS7 and Fedora 25 |
|
RHEL7 default package was selinux-policy-devel too. Changed it to policycoreutils-python which is where semanage resides |
This commit also introduces an alternative 'simple' builder to refpolicy, and consequently the 'selinux-policy-devel' package is not always needed
oranenj
force-pushed
the
module_refactor
branch
from
2fc7908 to
8da2298
Compare
|
rebased once more to clean things up. I'm pretty happy with this as it is. Any comments? |
| } | ||
|
|
||
| # put helper in place: | ||
| file {"${module_build_root}/modules/selinux_build_module.sh": |
There was a problem hiding this comment.
I think this file needs bin_tseltype or puppet agent will maybe throw SELinux AVC's when it executes?
There was a problem hiding this comment.
maybe we should review seltypes of the directory.
There was a problem hiding this comment.
I didn't get any SELinux errors running the module, and I run my desktop in enforcing mode, so it should be fine. The acceptance tests also seemed fine.
There was a problem hiding this comment.
even if the puppet agent process runs as puppetagent_t type it does not produce an AVC when it executes the selinux_build_module.sh script which has type usr_t. so this is fine. I just wonder why it does not.
by default the puppet agent process even does run in unconfinged_service_t (or initrc_t) because the paths in the refpolicy were not adapted to the /opt/puppetlabs change.
manifests/init.pp
Outdated
| # refpolicy module builder | ||
| # Default value: OS dependent (see params.pp) | ||
| # @param default_builder which builder to use by default with selinux::module | ||
| # Default value: refpolicy |
There was a problem hiding this comment.
default is simple isn't it?
There was a problem hiding this comment.
This is a leftover when I had refpolicy as the default earlier, but I think simple is better because it has fewer dependencies.
oranenj
force-pushed
the
module_refactor
branch
from
91f5749 to
8c9ef4e
Compare
vinzent
added
backwards-incompatible
enhancement
| } | ||
|
|
||
| # put helper in place: | ||
| file {"${module_build_root}/modules/selinux_build_module.sh": |
There was a problem hiding this comment.
even if the puppet agent process runs as puppetagent_t type it does not produce an AVC when it executes the selinux_build_module.sh script which has type usr_t. so this is fine. I just wonder why it does not.
by default the puppet agent process even does run in unconfinged_service_t (or initrc_t) because the paths in the refpolicy were not adapted to the /opt/puppetlabs change.
manifests/init.pp
Outdated
| $package_name = $::selinux::params::package_name, | ||
| $refpolicy_package_name = $::selinux::params::refpolicy_package_name, | ||
| $module_build_root = $::selinux::params::module_build_root, | ||
| $default_builder = 'simple', |
There was a problem hiding this comment.
it's a good choice that the default is the one with the least required packages.
manifests/module.pp
Outdated
| $syncversion = undef, | ||
| ) { | ||
|
|
||
| if $builder == 'refpolicy' { | ||
| require ::selinux::refpolicy_package |
There was a problem hiding this comment.
can we maybe make this selinux::package::policy_devel? the term refpolicy related to the package isn't quite right because refpolicy is what Tresys provides. The RHEL/Fedora fork has large differences to the refpolicy.
But maybe at all not important and just a personal opinion of mine. :)
| creates => "${module_file}.pp", | ||
| notify => Exec["install-module-${title}"], | ||
| } | ||
| # we need to install the module manually because selmodule is kind of dumb. It ends up |
There was a problem hiding this comment.
what kind of dumb? can you elaborate more? Should we file a bug on the puppetlabs jira?
There was a problem hiding this comment.
It's because of the syncversion bug, I think. It can only check that the module is loaded, and if you recompile a module that's loaded, it won't actually detect the change. Installing it manually is a workaround for that.
There was a problem hiding this comment.
Also, the lack of an AVC might be because the files are in the libdir which contains executables anyway (ie. facts and such). The policy seems to allow puppetagent_t to do quite a lot, so might be that it just has permission to execute whatever is in the libdir
| # with puppet4 I would use a HERE DOC to make this pretty, | ||
| # but with puppet3 it's not possible. | ||
| # just something simple I found via Google: | ||
| file {'/tmp/selinux_simple_policy.te': |
There was a problem hiding this comment.
thanks for rewriting with HERE DOC. 👍
manifests/module.pp
Outdated
| validate_absolute_path($::selinux::config::module_build_dir) | ||
|
|
||
| $module_dir = "${::selinux::config::module_build_dir}/${title}" | ||
| $module_file = "${module_dir}/${title}" |
There was a problem hiding this comment.
If one manages multiple refpolicy style policies, lets call them A and B, with *.if files and A depends on an interface provided by B's *.if I don't know if they require to be in the same directory so that the makefile finds the interfaces.
this path creates a directory for every module. Is this a requirement? There should IMHO never be a same named policy source file.
With newer (>= CentOS 7.3.) the refpolicy style will fail if filename and resulting policy name are not the same.
| # just something simple I found via Google: | ||
| file {'/tmp/selinux_simple_policy.te': | ||
| ensure => 'file', | ||
| content => @("EOF") |
There was a problem hiding this comment.
adding 2-space indentation to the here doc would make it more readable.
I thought I'd actually implement part of what's being discussed in #178
This doesn't yet support building the things without selinux-devel,
but it does work, and handles failures gracefully.
It doesn't look like module building needs its own provider, but behaviour on RHEL5/6 should be tested.