MDEV-18374: Add SELinux policy to cracklib_password_check packages

GeoffMontee · LinuxJedi · commit 23dae6173c92 · 2023-07-26T11:13:09.000+01:00
diff --git a/cmake/cpack_rpm.cmake b/cmake/cpack_rpm.cmake
@@ -229,6 +229,8 @@ SET(CPACK_RPM_shared_POST_INSTALL_SCRIPT_FILE ${CMAKE_SOURCE_DIR}/support-files/
 SET(CPACK_RPM_shared_POST_UNINSTALL_SCRIPT_FILE ${CMAKE_SOURCE_DIR}/support-files/rpm/shared-post.sh)
 SET(CPACK_RPM_compat_POST_INSTALL_SCRIPT_FILE ${CMAKE_SOURCE_DIR}/support-files/rpm/shared-post.sh)
 SET(CPACK_RPM_compat_POST_UNINSTALL_SCRIPT_FILE ${CMAKE_SOURCE_DIR}/support-files/rpm/shared-post.sh)
+SET(CPACK_RPM_cracklib-password-check_POST_INSTALL_SCRIPT_FILE 
+  ${CMAKE_SOURCE_DIR}/plugin/cracklib_password_check/support-files/rpm/mariadb-plugin-cracklib-password-check-postin.sh)
 
 MACRO(ALTERNATIVE_NAME real alt)
   IF(${ARGC} GREATER 2)
diff --git a/plugin/cracklib_password_check/CMakeLists.txt b/plugin/cracklib_password_check/CMakeLists.txt
@@ -14,4 +14,29 @@ IF (HAVE_ALLOCA_H AND HAVE_CRACK_H AND HAVE_LIBCRACK AND HAVE_MEMCPY)
   MYSQL_ADD_PLUGIN(cracklib_password_check cracklib_password_check.c
                    LINK_LIBRARIES crack MODULE_ONLY
                    COMPONENT cracklib-password-check)
+
+  IF (RPM)
+    SET(inst_location ${INSTALL_SUPPORTFILESDIR})
+    INSTALL(DIRECTORY policy DESTINATION ${inst_location} COMPONENT cracklib-password-check)
+    FIND_PROGRAM(CHECKMODULE checkmodule)
+    FIND_PROGRAM(SEMODULE_PACKAGE semodule_package)
+    MARK_AS_ADVANCED(CHECKMODULE SEMODULE_PACKAGE)
+    
+    # Build pp files in policy/selinux
+    IF(CHECKMODULE AND SEMODULE_PACKAGE)
+      FOREACH(pol mariadb-plugin-cracklib-password-check)
+        SET(src ${CMAKE_CURRENT_SOURCE_DIR}/policy/selinux/${pol}.te)
+        SET(tmp ${CMAKE_CURRENT_BINARY_DIR}${CMAKE_FILES_DIRECTORY}/${pol}-pp.dir/${pol}.mod)
+        SET(out ${CMAKE_CURRENT_BINARY_DIR}/${pol}.pp)
+        ADD_CUSTOM_COMMAND(OUTPUT ${out}
+          COMMAND ${CHECKMODULE} -M -m ${src} -o ${tmp}
+          COMMAND ${SEMODULE_PACKAGE} -m ${tmp} -o ${out}
+        DEPENDS ${src})
+        ADD_CUSTOM_TARGET(${pol}-pp ALL DEPENDS ${out})
+        INSTALL(FILES ${out} DESTINATION ${inst_location}/policy/selinux COMPONENT cracklib-password-check)
+      ENDFOREACH()
+    ENDIF()
+
+  ENDIF()
+
 ENDIF()
diff --git a/plugin/cracklib_password_check/policy/selinux/mariadb-plugin-cracklib-password-check.te b/plugin/cracklib_password_check/policy/selinux/mariadb-plugin-cracklib-password-check.te
@@ -0,0 +1,13 @@
+ 
+module mariadb-plugin-cracklib-password-check 1.0;
+ 
+require {
+        type mysqld_t;
+        type crack_db_t;
+        class file { execute setattr read create getattr execute_no_trans write ioctl open append unlink };
+        class dir { write search getattr add_name read remove_name open };
+}
+ 
+allow mysqld_t crack_db_t:dir { search read open };
+allow mysqld_t crack_db_t:file { getattr read open };
+
diff --git a/plugin/cracklib_password_check/support-files/rpm/mariadb-plugin-cracklib-password-check-postin.sh b/plugin/cracklib_password_check/support-files/rpm/mariadb-plugin-cracklib-password-check-postin.sh
@@ -0,0 +1,8 @@
+SETARGETDIR=/etc/selinux/targeted/src/policy
+SEDOMPROG=$SETARGETDIR/domains/program
+SECONPROG=$SETARGETDIR/file_contexts/program
+
+if [ -x /usr/sbin/semodule ] ; then
+  /usr/sbin/semodule -i /usr/share/mysql/policy/selinux/mariadb-plugin-cracklib-password-check.pp
+fi
+
