Fixes #10443 - added nova/glance/neutron rules

This patch introduces new foreman_allowed_port_t type for all foreman-defined ports. Also it introduces helper function in the enable script which is now the most sane way of adding ports - if a port number is already defined, it uses `-m` option to redefine it.
theforeman · Jun 3, 2015 · ea34214 · ea34214
1 parent 121d1aa
commit ea34214
Show file tree

Hide file tree

Showing 3 changed files with 58 additions and 5 deletions.
diff --git a/foreman-selinux-disable b/foreman-selinux-disable
@@ -9,7 +9,7 @@ do
   if /usr/sbin/semodule -s $selinuxvariant -l >/dev/null; then
     # Remove all user defined ports (including the default one)
     /usr/sbin/semanage port -E | \
-      grep -E '(elasticsearch|docker)_port_t' | \
+      grep -E '(elasticsearch|docker|foreman_allowed)_port_t' | \
       sed s/-a/-d/g | \
       /usr/sbin/semanage -S $selinuxvariant -i -
     # Unload policy

diff --git a/foreman-selinux-enable b/foreman-selinux-enable
@@ -4,6 +4,17 @@ set +e
 TMP=$(mktemp -t foreman-selinux-enable.XXXXXXXXXX)
 trap "rm -rf '$TMP'" EXIT INT TERM
 
+# Assign port number or change existing port definition.
+assign_or_change_existing() {
+  if ! /usr/sbin/semanage port -E | grep -qEe "${1}.*-p (tcp|udp) ${2}"; then
+    if /usr/sbin/semanage port -E | grep -qEe "-p (tcp|udp) $2"; then
+      echo "port -m -t $1 -p tcp $2"
+    else
+      echo "port -a -t $1 -p tcp $2"
+    fi
+  fi
+}
+
 # Load or upgrade foreman policy and set booleans.
 #
 # Dependant booleans must be managed in a separate transaction.
@@ -25,6 +36,18 @@ do
     /usr/sbin/semanage port -E | grep -q docker_port_t || \
       echo "port -a -t docker_port_t -p tcp 2375-2376" >> $TMP
 
+    /usr/sbin/semanage port -l | grep -qEe "commplex_port_t.*tcp.*5000" || \
+      assign_or_change_existing 'foreman_allowed_port_t' '5000' >> $TMP
+
+    /usr/sbin/semanage port -l | grep -qEe "osapi_compute_port_t.*tcp.*8774" || \
+      assign_or_change_existing 'foreman_allowed_port_t' '8774' >> $TMP
+
+    /usr/sbin/semanage port -l | grep -qEe "glance_port_t.*tcp.*9292" || \
+      assign_or_change_existing 'foreman_allowed_port_t' '9292' >> $TMP
+
+    /usr/sbin/semanage port -l | grep -qEe "neutron_port_t.*tcp.*9696" || \
+      assign_or_change_existing 'foreman_allowed_port_t' '9696' >> $TMP
+
     /usr/sbin/semanage -S $selinuxvariant -i $TMP
   fi
 done
diff --git a/foreman.te b/foreman.te
@@ -129,6 +129,9 @@ files_pid_file(foreman_var_run_t)
 type foreman_proxy_port_t;
 corenet_port(foreman_proxy_port_t)
 
+type foreman_allowed_port_t;
+corenet_port(foreman_allowed_port_t)
+
 require{
     type bin_t;
     type httpd_t;
@@ -165,6 +168,9 @@ allow passenger_t websm_port_t:tcp_socket name_connect;
 # Allow Foreman to connect to Foreman Proxy on a defined port
 allow passenger_t foreman_proxy_port_t:tcp_socket name_connect;
 
+# Allow Foreman to connect to ports explicitly allowed
+allow passenger_t foreman_allowed_port_t:tcp_socket name_connect;
+
 # Allow Foreman to connect to PostgreSQL
 corenet_tcp_connect_postgresql_port(passenger_t)
 optional_policy(`
@@ -291,11 +297,35 @@ optional_policy(`
 # OpenStack Compute Resource
 #
 
-tunable_policy(`passenger_can_connect_openstack',`
-    ifdef(`distro_rhel6', `
+# port is assigned via foreman_allowed_port_t if this fails
+optional_policy(`
+    tunable_policy(`passenger_can_connect_openstack',`
+        # keystone (identity service)
         corenet_tcp_connect_commplex_port(passenger_t)
-    ',`
-        corenet_tcp_connect_commplex_main_port(passenger_t)
+    ')
+')
+
+# port is assigned via foreman_allowed_port_t if this fails
+optional_policy(`
+    tunable_policy(`passenger_can_connect_openstack',`
+        # nova (compute service)
+        corenet_tcp_connect_osapi_compute_port(passenger_t)
+    ')
+')
+
+# port is assigned via foreman_allowed_port_t if this fails
+optional_policy(`
+    tunable_policy(`passenger_can_connect_openstack',`
+        # glance (image service)
+        corenet_tcp_connect_glance_port(passenger_t)
+    ')
+')
+
+# port is assigned via foreman_allowed_port_t if this fails
+optional_policy(`
+    tunable_policy(`passenger_can_connect_openstack',`
+        # neutron (networking service)
+        corenet_tcp_connect_neutron_port(passenger_t)
     ')
 ')