Fixes #10443 - added nova/glance/neutron rules

This patch introduces new type for missing OpenStack port Compute (Nova). Also introduces helper function in the enable script which is now the most sane way of adding ports - if a port number is already defined, it uses `-m` option to redefine it.
theforeman · Mar 24, 2016 · 0848bac · 0848bac
1 parent eb34a92
commit 0848bac
Show file tree

Hide file tree

Showing 3 changed files with 30 additions and 1 deletion.
diff --git a/foreman-selinux-disable b/foreman-selinux-disable
@@ -9,7 +9,7 @@ do
   if /usr/sbin/semodule -s $selinuxvariant -l >/dev/null; then
     # Remove all user defined ports (including the default one)
     /usr/sbin/semanage port -E | \
-      grep -E '(elasticsearch|docker)_port_t' | \
+      grep -E '(elasticsearch|docker|foreman_osapi_compute)_port_t' | \
       sed s/-a/-d/g | \
       /usr/sbin/semanage -S $selinuxvariant -i -
     # Unload policy

diff --git a/foreman-selinux-enable b/foreman-selinux-enable
@@ -4,6 +4,21 @@ set +e
 TMP=$(mktemp -t foreman-selinux-enable.XXXXXXXXXX)
 trap "rm -rf '$TMP'" EXIT INT TERM
 
+# Assign port number or change existing port definition.
+assign_or_change_existing() {
+  if ! /usr/sbin/semanage port -E | grep -qEe "${1}.*-p (tcp|udp) ${2}"; then
+    if /usr/sbin/semanage port -E | grep -qEe "-p (tcp|udp) $2"; then
+      echo "port -m -t $1 -p tcp $2"
+    else
+      echo "port -a -t $1 -p tcp $2"
+    fi
+  fi
+}
+
+is_redhat_6() {
+  test x$(rpm -q --whatprovides redhat-release --qf '%{version}') = x6
+}
+
 # Load or upgrade foreman policy and set booleans.
 #
 # Dependant booleans must be managed in a separate transaction.
@@ -25,6 +40,11 @@ do
     /usr/sbin/semanage port -E | grep -q docker_port_t || \
       echo "port -a -t docker_port_t -p tcp 2375-2376" >> $TMP
 
+    if is_redhat_6; then
+      # missing port definitions
+      assign_or_change_existing 'foreman_osapi_compute_port_t' '8774' >> $TMP
+    fi
+
     /usr/sbin/semanage -S $selinuxvariant -i $TMP
   fi
 done
diff --git a/foreman.te b/foreman.te
@@ -142,6 +142,9 @@ files_pid_file(foreman_var_run_t)
 type foreman_proxy_port_t;
 corenet_port(foreman_proxy_port_t)
 
+type foreman_osapi_compute_port_t;
+corenet_port(foreman_osapi_compute_port_t)
+
 require{
     type bin_t;
     type httpd_t;
@@ -308,9 +311,15 @@ optional_policy(`
 
 tunable_policy(`passenger_can_connect_openstack',`
     ifdef(`distro_rhel6', `
+        # keystone (identity service)
         corenet_tcp_connect_commplex_port(passenger_t)
+        # all other ports not yet defined on rhel6
+        allow passenger_t foreman_osapi_compute_port_t:tcp_socket name_connect;
     ',`
+        # keystone (identity service)
         corenet_tcp_connect_commplex_main_port(passenger_t)
+        # nova (compute service)
+        corenet_tcp_connect_osapi_compute_port(passenger_t)
     ')
 ')