Fixes #19746: Move SELinux policy application into postinst script

Normation · Aug 10, 2021 · 655ec9c · 655ec9c
1 parent c541324
commit 655ec9c
Showing 1 changed file with 38 additions and 0 deletions.
diff --git a/relay/sources/rudder-server-relay-postinst b/relay/sources/rudder-server-relay-postinst
@@ -7,6 +7,7 @@ APACHE="$2"
 APACHE_USER="$3"
 APACHE_GROUP="$4"
 APACHE_VHOSTDIR="$5"
+SELINUX="$6"
 
 BACKUP_DIR="/var/backups/rudder/"
 LOG_FILE="/var/log/rudder/install/rudder-server-relay-$(date +%Y%m%d%H%M%S).log"
@@ -105,6 +106,43 @@ fi
 sed -i '/^Set up a WSGI serving process/d' /etc/${APACHE_VHOSTDIR}/rudder.conf
 sed -i '/^WSGI/d' /etc/${APACHE_VHOSTDIR}/rudder.conf
 
+# Apply SELinux config before starting the services
+if [ "${SELINUX}" = "true" ]; then
+  # Check "sestatus" presence, if not there there is not SELinux
+  # setup on this system
+  if type sestatus >/dev/null 2>&1 && sestatus | grep -q "enabled"; then
+    # Add/Update the rudder-relay SELinux policy
+    semodule -i /opt/rudder/share/selinux/rudder-relay.pp
+    # Ensure inventory directories context is set by resetting
+    # their context to the contexts defined in SELinux configuration,
+    # including the file contexts defined in the rudder-relay module
+    #
+    # Test current context for big folders
+    if ! ls -Z /var/rudder/inventories/ | head -n1 | grep -q public_content_rw_t; then
+      restorecon -R /var/rudder/inventories
+    fi
+    if ! ls -Z /var/rudder/reports/ | head -n1 | grep -q public_content_rw_t; then
+      restorecon -R /var/rudder/reports
+    fi
+    restorecon -R /var/log/rudder/apache2
+    restorecon -R /opt/rudder/etc/relayd
+    restorecon /opt/rudder/bin/rudder-relayd
+    restorecon -R /var/rudder/lib
+    restorecon -R /var/rudder/cfengine-community/ppkeys
+    if ! ls -Z /var/rudder/share | head -n1 | grep -q public_content_t; then
+      restorecon -R /var/rudder/share
+    fi
+    if ! ls -Z /var/rudder/shared-files/ | head -n1 | grep -q public_content_rw_t; then
+      restorecon -R /var/rudder/shared-files
+    fi
+    restorecon -R /var/rudder/configuration-repository/shared-files
+    # Add 3030 to ports apache can connect to
+    semanage port -l | grep ^http_port_t | grep -q 3030 || semanage port -a -t http_port_t -p tcp 3030
+    # Allow apache to write to files shared with relayd
+    setsebool -P allow_httpd_anon_write 1
+  fi
+fi
+
 echo -n "INFO: Starting services..."
 systemctl start rudder-relayd >> ${LOG_FILE}
 systemctl start "${APACHE}" >> ${LOG_FILE}