Re: Freeze Break Request - selinux policy for mirrorlist containers to allow logrotate to work.

+1 thank you for your patience.

On 2 July 2017 at 17:49, Patrick Uiterwijk <puiterwijk@xxxxxxxxxx> wrote:
> +1 from me
>
> On Sun, Jul 2, 2017 at 8:54 PM, Kevin Fenzi <kevin@xxxxxxxxx> wrote:
>> Greetings.
>>
>> Currently our mirrorlist containers on proxies aren't getting their logs rotated due to selinux policy. This patch hopefully fixes that and allows them to be rotated.
>>
>> I have tested this on proxy01.stg and it seems to work there now.
>>
>> +1s?
>> --
>> From 7b0ebec7dbc1085977a727298648516c7198555e Mon Sep 17 00:00:00 2001
>> From: Kevin Fenzi <kevin@xxxxxxxxx>
>> Date: Sun, 2 Jul 2017 18:45:49 +0000
>> Subject: [PATCH] initial selinux policy to allow logrotate to rotate
>>  mirrorlist container log files
>>
>> Signed-off-by: Kevin Fenzi <kevin@xxxxxxxxx>
>> ---
>>  .../files/selinux/mirrorlist-logrotate.mod         | Bin 0 -> 1204 bytes
>>  .../files/selinux/mirrorlist-logrotate.pp          | Bin 0 -> 1220 bytes
>>  .../files/selinux/mirrorlist-logrotate.te          |  12 ++++++++++++
>>  .../mirrormanager/mirrorlist_proxy/tasks/main.yml  |  21 +++++++++++++++++++++
>>  4 files changed, 33 insertions(+)
>>  create mode 100644 roles/mirrormanager/mirrorlist_proxy/files/selinux/mirrorlist-logrotate.mod
>>  create mode 100644 roles/mirrormanager/mirrorlist_proxy/files/selinux/mirrorlist-logrotate.pp
>>  create mode 100644 roles/mirrormanager/mirrorlist_proxy/files/selinux/mirrorlist-logrotate.te
>>
>> diff --git a/roles/mirrormanager/mirrorlist_proxy/files/selinux/mirrorlist-logrotate.mod b/roles/mirrormanager/mirrorlist_proxy/files/selinux/mirrorlist-logrotate.mod
>> new file mode 100644
>> index 0000000000000000000000000000000000000000..49ca37b8d4e43431ea086fcd61a1d83687dd1a47
>>
>> diff --git a/roles/mirrormanager/mirrorlist_proxy/files/selinux/mirrorlist-logrotate.pp b/roles/mirrormanager/mirrorlist_proxy/files/selinux/mirrorlist-logrotate.pp
>> new file mode 100644
>> index 0000000000000000000000000000000000000000..f4be1215e3c3fb0c4c15381f8d1c4c5495c70e9b
>>
>> diff --git a/roles/mirrormanager/mirrorlist_proxy/files/selinux/mirrorlist-logrotate.te b/roles/mirrormanager/mirrorlist_proxy/files/selinux/mirrorlist-logrotate.te
>> new file mode 100644
>> index 0000000..1028deb
>> --- /dev/null
>> +++ b/roles/mirrormanager/mirrorlist_proxy/files/selinux/mirrorlist-logrotate.te
>> @@ -0,0 +1,12 @@
>> +module mirrorlist-logrotate 1.0;
>> +
>> +require {
>> +       type logrotate_t;
>> +       type svirt_sandbox_file_t;
>> +       class file { setattr create write };
>> +       class dir { write add_name remove_name };
>> +}
>> +
>> +#============= logrotate_t ==============
>> +allow logrotate_t svirt_sandbox_file_t:dir { add_name remove_name write };
>> +allow logrotate_t svirt_sandbox_file_t:file { setattr create write };
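Review bot: the file-class rule `allow logrotate_t svirt_sandbox_file_t:file { setattr create write };` grants no `rename`, `unlink`, `getattr`, `read` or `open`, so a complete rotation cycle (moving the current log aside, compressing it, removing the oldest copy) is likely to raise further AVC denials beyond the single run this audit2allow-style module was generated from; a forced `logrotate -f` on proxy01.stg in permissive mode, followed by another audit2allow pass, would show whether the rule set is complete before it lands in a freeze. Separately, `svirt_sandbox_file_t` is the generic label for content shared into any container, so both `allow` lines extend logrotate_t's write access to every container volume on the proxies rather than only the mirrorlist log directory; a dedicated file context for that directory would scope the grant to what the task actually needs.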
>> diff --git a/roles/mirrormanager/mirrorlist_proxy/tasks/main.yml b/roles/mirrormanager/mirrorlist_proxy/tasks/main.yml
>> index ebec129..37c45a0 100644
>> --- a/roles/mirrormanager/mirrorlist_proxy/tasks/main.yml
>> +++ b/roles/mirrormanager/mirrorlist_proxy/tasks/main.yml
>> @@ -97,3 +97,24 @@
>>          cron_file=restart-mirrorlist-containers
>>    tags:
>>    - mirrorlist_proxy
>> +
>> +# Custom selinux policy to allow logrotate to rotate our mirrorlist logs
>> +- name: ensure a directory exists for our custom selinux module
>> +  file: dest=/usr/local/share/mirrorlist-logrotate state=directory
>> +  tags:
>> +  - selinux
>> +  - mirrorlist_proxy
>> +
>> +- name: copy over our custom selinux module
>> +  copy: src=selinux/mirrorlist-logrotate.pp dest=/usr/local/share/mirrorlist-logrotate/mirrorlist-logrotate.pp
>> +  register: selinux_module
>> +  tags:
>> +  - selinux
>> +  - mirrorlist_proxy
>> +
>> +- name: install our custom selinux module
>> +  command: semodule -i /usr/local/share/mirrorlist-logrotate/mirrorlist-logrotate.pp
>> +  when: selinux_module|changed
>> +  tags:
>> +  - selinux
>> +  - mirrorlist_proxy
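Review bot: the install task is gated solely on `when: selinux_module|changed`, so a host where the module was later removed with `semodule -r`, or a host that already has the .pp in place from an earlier partial run, never gets `semodule -i` executed again; checking `semodule -l` for `mirrorlist-logrotate` as the condition would make the step converge. Related to that, the play copies a prebuilt `mirrorlist-logrotate.pp` (with the .mod also committed in this patch) instead of building from the reviewed .te, which leaves reviewers no way to confirm the installed binary matches the source above; compiling on the host with `checkmodule -M -m` and `semodule_package` from the .te would keep the two in step.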
>> --
>> 1.8.3.1
>>
>>
>> _______________________________________________
>> infrastructure mailing list -- infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
>> To unsubscribe send an email to infrastructure-leave@xxxxxxxxxxxxxxxxxxxxxxx
>>



-- 
Stephen J Smoogen.
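The module in Kevin's patch has the shape of audit2allow output from a single rotation run. As an added example, not code from the thread or from the Fedora infrastructure repository, the script below does the same merge over constructed AVC records and then reports which permissions a fuller test run exercised that the posted rules do not grant; the sample records, including the `rename` denial in them, are assumptions and were not captured from the proxies.

```python
"""Added example (not from the thread or the Fedora infra repo): a minimal
audit2allow-style check for a logrotate_t module like mirrorlist-logrotate.te."""
import re
from collections import defaultdict

# Constructed sample audit records (not captured from the proxies), shaped like
# a permissive-mode `logrotate -f` run against a container-mounted log directory.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1499021000.101:2001): avc:  denied  { write add_name } for  pid=4242 comm="logrotate" name="mirrorlist" scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:object_r:svirt_sandbox_file_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1499021000.102:2002): avc:  denied  { rename } for  pid=4242 comm="logrotate" name="access.log" scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:object_r:svirt_sandbox_file_t:s0 tclass=file permissive=1
type=AVC msg=audit(1499021000.102:2003): avc:  denied  { create write } for  pid=4242 comm="logrotate" name="access.log" scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:object_r:svirt_sandbox_file_t:s0 tclass=file permissive=1
type=USER_CMD msg=audit(1499021000.103:2004): pid=4242 uid=0 msg='cwd="/" cmd="logrotate -f /etc/logrotate.conf"'
"""
# The allow rules from the posted .te, used as the baseline to compare against.
POSTED_TE = """\
allow logrotate_t svirt_sandbox_file_t:dir { add_name remove_name write };
allow logrotate_t svirt_sandbox_file_t:file { setattr create write };
"""
AVC_RE = re.compile(r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\}.*?'
                    r'scontext=\w+:\w+:(?P<stype>\w+):\S+\s+'
                    r'tcontext=\w+:\w+:(?P<ttype>\w+):\S+\s+tclass=(?P<tclass>\w+)')
ALLOW_RE = re.compile(r'^allow (?P<stype>\w+) (?P<ttype>\w+):(?P<tclass>\w+) '
                      r'\{ (?P<perms>[^}]+)\};', re.M)

def rules_from(text, regex):
    """Map (source type, target type, object class) -> set of permissions."""
    rules = defaultdict(set)
    for m in regex.finditer(text):  # non-AVC records such as USER_CMD never match
        rules[(m['stype'], m['ttype'], m['tclass'])].update(m['perms'].split())
    return dict(rules)

def missing_rules(denied, granted):
    """Permissions a test run still hit that the module does not grant."""
    gaps = {k: v - granted.get(k, set()) for k, v in denied.items()}
    return {k: v for k, v in gaps.items() if v}

def render_te(name, rules):
    """Emit a module in the same shape as the posted mirrorlist-logrotate.te."""
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls] |= perms
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (s, t, cls), perms in sorted(rules.items()):
        out.append(f"allow {s} {t}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"
```

Running `missing_rules(rules_from(SAMPLE_AUDIT, AVC_RE), rules_from(POSTED_TE, ALLOW_RE))` on the constructed records shows the `rename` gap a forced rotation would surface; on a real host the input is the AVC lines from `ausearch -m avc -c logrotate`.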