Fixes #9126 - moved Katello policy to a separate repo

theforeman · May 4, 2016 · 96804f3 · 96804f3
1 parent e54934d
commit 96804f3
Show file tree

Hide file tree

Showing 5 changed files with 17 additions and 49 deletions.
diff --git a/foreman-selinux-disable b/foreman-selinux-disable
@@ -9,7 +9,7 @@ do
   if /usr/sbin/semodule -s $selinuxvariant -l >/dev/null; then
     # Remove all user defined ports (including the default one)
     /usr/sbin/semanage port -E | \
-      grep -E '(elasticsearch|docker|foreman_osapi_compute)_port_t' | \
+      grep -E '(docker|foreman_osapi_compute)_port_t' | \
       sed s/-a/-d/g | \
       /usr/sbin/semanage -S $selinuxvariant -i -
     # Unload policy

diff --git a/foreman-selinux-enable b/foreman-selinux-enable
@@ -1,8 +1,10 @@
 #!/bin/bash
 set +e
 
-TMP=$(mktemp -t foreman-selinux-enable.XXXXXXXXXX)
-trap "rm -rf '$TMP'" EXIT INT TERM
+TMP_EXEC_BEFORE=$(mktemp -t foreman-selinux-enable.XXXXX)
+TMP_EXEC_AFTER=$(mktemp -t foreman-selinux-enable.XXXXX)
+TMP_PORTS=$(mktemp -t foreman-selinux-enable.XXXXX)
+trap "rm -rf '$TMP_EXEC_BEFORE' '$TMP_EXEC_AFTER' '$TMP_PORTS'" EXIT INT TERM
 
 is_redhat_6() {
   test x$(rpm -q --whatprovides redhat-release --qf '%{version}') = x6
@@ -17,23 +19,24 @@ is_redhat_6() {
 for selinuxvariant in targeted
 do
   if /usr/sbin/semodule -s $selinuxvariant -l >/dev/null; then
-    # Load policy
-    /usr/sbin/semanage module -S $selinuxvariant \
-      -a /usr/share/selinux/${selinuxvariant}/foreman.pp.bz2
+    /usr/sbin/semanage port -E > $TMP_PORTS
 
-    echo "boolean -m --on httpd_setrlimit" > $TMP
+    # Remove previously defined elasticsearch_port_t
+    # (this can be removed in future release)
+    grep elasticsearch_port_t $TMP_PORTS | sed s/-a/-d/g >> $TMP_EXEC_BEFORE
 
-    /usr/sbin/semanage port -E | grep -q elasticsearch_port_t || \
-      echo "port -a -t elasticsearch_port_t -p tcp 9200-9300" >> $TMP
+    echo "boolean -m --on httpd_setrlimit" >> $TMP_EXEC_AFTER
 
-    /usr/sbin/semanage port -E | grep -q docker_port_t || \
-      echo "port -a -t docker_port_t -p tcp 2375-2376" >> $TMP
+    grep -q docker_port_t $TMP_PORTS || echo "port -a -t docker_port_t -p tcp 2375-2376" >> $TMP_EXEC_AFTER
 
     if is_redhat_6; then
-      /usr/sbin/semanage port -E | grep -q foreman_osapi_compute_port_t || \
-        echo "port -a -t foreman_osapi_compute_port_t -p tcp 8774" >> $TMP
+      grep -q foreman_osapi_compute_port_t $TMP_PORTS || \
+        echo "port -a -t foreman_osapi_compute_port_t -p tcp 8774" >> $TMP_EXEC_AFTER
     fi
 
-    /usr/sbin/semanage -S $selinuxvariant -i $TMP
+    # Execute port management commands and load policy
+    test -s $TMP_EXEC_BEFORE && /usr/sbin/semanage -S $selinuxvariant -i $TMP_EXEC_BEFORE
+    /usr/sbin/semanage module -S $selinuxvariant -a /usr/share/selinux/${selinuxvariant}/foreman.pp.bz2
+    test -s $TMP_EXEC_AFTER && /usr/sbin/semanage -S $selinuxvariant -i $TMP_EXEC_AFTER
   fi
 done
diff --git a/foreman-selinux-relabel b/foreman-selinux-relabel
@@ -2,7 +2,6 @@
 
 # relabel foreman
 /sbin/restorecon -ri $* /usr/share/foreman \
-  /usr/share/katello \
   /var/lib/foreman \
   /var/run/foreman \
   /run/foreman \

diff --git a/foreman.fc b/foreman.fc
@@ -56,7 +56,3 @@
 
 /usr/share/gems/gems/foreman-tasks-.*/bin/foreman-tasks -- gen_context(system_u:object_r:foreman_tasks_exec_t,s0)
 /opt/theforeman/tfm/root/usr/share/gems/gems/foreman-tasks-.*/bin/foreman-tasks -- gen_context(system_u:object_r:foreman_tasks_exec_t,s0)
-
-# Katello plugin
-
-/usr/share/katello/script/katello-jobs -- gen_context(system_u:object_r:foreman_tasks_exec_t,s0)
diff --git a/foreman.te b/foreman.te
@@ -404,36 +404,6 @@ optional_policy(`
     ')
 ')
 
-######################################
-#
-# Elasticsearch
-#
-
-# We carry elasticsearch policy until it is delivered to RHEL6:
-# https://bugzilla.redhat.com/show_bug.cgi?id=1102119
-type elasticsearch_port_t;
-corenet_port(elasticsearch_port_t)
-
-######################################
-#
-# Foreman Katello plugin
-#
-
-# System status (ping) controller checks for service status using sysvinit scripts
-# This is temporary solution until https://bugzilla.redhat.com/show_bug.cgi?id=1105085
-# is fixed.
-init_exec_script_files(passenger_t)
-
-ifndef(`distro_rhel7', `
-    consoletype_exec(passenger_t)
-')
-
-# Katello does connect to Elasticsearch services
-allow passenger_t elasticsearch_port_t:tcp_socket name_connect;
-
-# Katello uses certs in /etc/pki/katello for websockets
-miscfiles_read_certs(websockify_t)
-
 ######################################
 #
 # Foreman Bootdisk plugin