Add freeipa-selinux subpackage

Add freeipa-selinux subpackage containing selinux policy for FreeIPA server. This policy module will override the distribution policy. Policy files where extracted from https://github.com/fedora-selinux/selinux-policy See Independent policy project guidelines for more details about shipping custom SELinux policy. https://fedoraproject.org/wiki/SELinux/IndependentPolicy Reviewed-By: Christian Heimes <[email protected]>
progier389 · Mar 5, 2020 · 5b573bb · 5b573bb
1 parent 9ee8657
commit 5b573bb
Show file tree

Hide file tree

Showing 4 changed files with 693 additions and 0 deletions.
diff --git a/freeipa.spec.in b/freeipa.spec.in
@@ -36,6 +36,13 @@
     %global linter_options --disable-pylint --without-jslint
 %endif
 
+# Include SELinux subpackage
+%if 0%{?fedora} >= 30 || 0%{?rhel} > 8
+    %global with_selinux 1
+    %global selinuxtype targeted
+    %global modulename ipa
+%endif
+
 %if 0%{?rhel}
 %global package_name ipa
 %global alt_name freeipa
@@ -284,6 +291,13 @@ BuildRequires:  krb5-server >= %{krb5_version}
 # ONLY_CLIENT
 %endif
 
+#
+# Build dependencies for SELinux policy
+#
+%if 0%{?with_selinux}
+BuildRequires:  selinux-policy-devel
+%endif
+
 %description
 IPA is an integrated solution to provide centrally managed Identity (users,
 hosts, services), Authentication (SSO, 2FA), and Authorization
@@ -349,6 +363,11 @@ Requires: oddjob
 # 0.7.0-2: https://pagure.io/gssproxy/pull-request/172
 Requires: gssproxy >= 0.7.0-2
 Requires: sssd-dbus >= %{sssd_version}
+%if 0%{?with_selinux}
+# This ensures that the *-selinux package and all it’s dependencies are not pulled
+# into containers and other systems that do not use SELinux
+Requires:       (%{name}-selinux if selinux-policy-%{selinuxtype})
+%endif # if with_selinux
 
 Provides: %{alt_name}-server = %{version}
 Conflicts: %{alt_name}-server
@@ -736,6 +755,19 @@ This package contains tests that verify IPA functionality under Python 3.
 # with_ipatests
 %endif
 
+%if 0%{?with_selinux}
+# SELinux subpackage
+%package selinux
+Summary:             FreeIPA SELinux policy
+BuildArch:           noarch
+Requires:            selinux-policy-%{selinuxtype}
+Requires(post):      selinux-policy-%{selinuxtype}
+%{?selinux_requires}
+
+%description selinux
+Custom SELinux policy module
+# with_selinux
+%endif
 
 %prep
 %setup -n freeipa-%{version} -q
@@ -838,6 +870,10 @@ mkdir -p %{buildroot}%{_sysconfdir}/cron.d
 # ONLY_CLIENT
 %endif
 
+%if 0%{?with_selinux}
+install -D -m 0644 selinux/%{modulename}.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2
+# with_selinux
+%endif
 
 %clean
 rm -rf %{buildroot}
@@ -992,6 +1028,26 @@ if [ $1 -gt 1 ] ; then
 fi
 
 
+%if 0%{?with_selinux}
+# SELinux contexts are saved so that only affected files can be
+# relabeled after the policy module installation
+%pre selinux
+%selinux_relabel_pre -s %{selinuxtype}
+
+%post selinux
+%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2
+
+%postun selinux
+if [ $1 -eq 0 ]; then
+    %selinux_modules_uninstall -s %{selinuxtype} %{modulename}
+fi
+
+%posttrans selinux
+%selinux_relabel_post -s %{selinuxtype}
+# with_selinux
+%endif
+
+
 %triggerin client -- openssh-server
 # Has the client been configured?
 restore=0
@@ -1372,6 +1428,12 @@ fi
 # with_ipatests
 %endif
 
+%if 0%{?with_selinux}
+%files selinux
+%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.*
+%ghost %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename}
+# with_selinux
+%endif
 
 %changelog
 * Tue Nov 26 2013 Petr Viktorin <[email protected]> - @VERSION@-@VENDOR_SUFFIX@

diff --git a/selinux/ipa.fc b/selinux/ipa.fc
@@ -0,0 +1,29 @@
+/etc/httpd/alias/ipasession.key     --     gen_context(system_u:object_r:ipa_cert_t,s0)
+
+/usr/lib/systemd/system/ipa-otpd.*		--	gen_context(system_u:object_r:ipa_otpd_unit_file_t,s0)
+
+/usr/lib/systemd/system/ipa-dnskeysyncd.*		--	gen_context(system_u:object_r:ipa_dnskey_unit_file_t,s0)
+
+/usr/lib/systemd/system/ipa-ods-exporter.*		--	gen_context(system_u:object_r:ipa_ods_exporter_unit_file_t,s0)
+
+/usr/libexec/ipa-otpd		--	gen_context(system_u:object_r:ipa_otpd_exec_t,s0)
+/usr/libexec/ipa/ipa-otpd		--	gen_context(system_u:object_r:ipa_otpd_exec_t,s0)
+
+
+/usr/libexec/ipa/ipa-ods-exporter	--	gen_context(system_u:object_r:ipa_ods_exporter_exec_t,s0)
+
+/usr/libexec/ipa/ipa-dnskeysyncd		--	gen_context(system_u:object_r:ipa_dnskey_exec_t,s0)
+/usr/libexec/ipa/ipa-dnskeysync-replica		--	gen_context(system_u:object_r:ipa_dnskey_exec_t,s0)
+
+/usr/libexec/ipa/com\.redhat\.idm\.trust-fetch-domains --   gen_context(system_u:object_r:ipa_helper_exec_t,s0)
+/usr/libexec/ipa/oddjob/com\.redhat\.idm\.trust-fetch-domains  --  gen_context(system_u:object_r:ipa_helper_exec_t,s0)
+/usr/libexec/ipa/oddjob/org\.freeipa\.server\.conncheck  --  gen_context(system_u:object_r:ipa_helper_exec_t,s0)
+
+/var/lib/ipa(/.*)?              gen_context(system_u:object_r:ipa_var_lib_t,s0)
+
+/var/log/ipa(/.*)?              gen_context(system_u:object_r:ipa_log_t,s0)
+
+/var/log/ipareplica-conncheck.log.*	--	gen_context(system_u:object_r:ipa_log_t,s0)
+
+/var/run/ipa(/.*)?              gen_context(system_u:object_r:ipa_var_run_t,s0)
+