Merge pull request #13 from bbaumgartl/main

Add Fedora / CoreOS 37
rancher · Nov 23, 2023 · 3447fb6 · 3447fb6
2 parents f4ae328 + 69455b7
commit 3447fb6
Show file tree

Hide file tree

Showing 11 changed files with 512 additions and 1 deletion.
diff --git a/.drone.yml b/.drone.yml
@@ -372,3 +372,99 @@ steps:
     - refs/tags/*
     event:
     - tag
+
+---
+kind: pipeline
+name: RPM Build Fedora37
+
+platform:
+  os: linux
+  arch: amd64
+
+steps:
+- name: Build RPM Fedora37
+  image: fedora:37
+  commands:
+  - policy/fedora37/scripts/build
+
+- name: Sign RPM Fedora37 (dry-run)
+  image: fedora:37
+  commands:
+  - policy/fedora37/scripts/sign --dry-run
+  when:
+    event:
+    - pull_request
+
+- name: Sign RPM Fedora37
+  image: fedora:37
+  environment:
+    PRIVATE_KEY:
+      from_secret: private_key
+    PRIVATE_KEY_PASS_PHRASE:
+      from_secret: private_key_pass_phrase
+    TESTING_PRIVATE_KEY:
+      from_secret: testing_private_key
+    TESTING_PRIVATE_KEY_PASS_PHRASE:
+      from_secret: testing_private_key_pass_phrase
+  commands:
+  - policy/fedora37/scripts/sign
+  when:
+    instance:
+    - drone-publish.rancher.io
+    ref:
+    - refs/head/master
+    - refs/tags/*
+    event:
+    - tag
+
+- name: Create repo metadata for Fedora37
+  image: fedora:37
+  commands:
+  - policy/fedora37/scripts/repo-metadata
+
+- name: Yum Repo Upload Fedora37
+  image: fedora:37
+  environment:
+    AWS_S3_BUCKET:
+      from_secret: aws_s3_bucket
+    AWS_ACCESS_KEY_ID:
+      from_secret: aws_access_key_id
+    AWS_SECRET_ACCESS_KEY:
+      from_secret: aws_secret_access_key
+    TESTING_AWS_S3_BUCKET:
+      from_secret: testing_aws_s3_bucket
+    TESTING_AWS_ACCESS_KEY_ID:
+      from_secret: testing_aws_access_key_id
+    TESTING_AWS_SECRET_ACCESS_KEY:
+      from_secret: testing_aws_secret_access_key
+  commands:
+  - policy/fedora37/scripts/upload-repo
+  when:
+    instance:
+    - drone-publish.rancher.io
+    ref:
+    - refs/head/master
+    - refs/tags/*
+    event:
+    - tag
+
+- name: GitHub Release Fedora37
+  image: plugins/github-release
+  settings:
+    api_key:
+      from_secret: github_token
+    prerelease: true
+    checksum:
+    - sha256
+    checksum_file: CHECKSUMsum-fedora37-noarch.txt
+    checksum_flatten: true
+    files:
+    - "policy/fedora37/dist/**/*.rpm"
+  when:
+    instance:
+    - drone-publish.rancher.io
+    ref:
+    - refs/head/master
+    - refs/tags/*
+    event:
+    - tag
diff --git a/Makefile b/Makefile
@@ -2,6 +2,7 @@ CENTOS7_TARGETS := $(addprefix centos7-,$(shell ls policy/centos7/scripts))
 CENTOS8_TARGETS := $(addprefix centos8-,$(shell ls policy/centos8/scripts))
 CENTOS9_TARGETS := $(addprefix centos9-,$(shell ls policy/centos9/scripts))
 MICROOS_TARGETS := $(addprefix microos-,$(shell ls policy/microos/scripts))
+FEDORA37_TARGETS := $(addprefix fedora37-,$(shell ls policy/fedora37/scripts))
 
 .dapper:
 	@echo Downloading dapper
@@ -22,4 +23,7 @@ $(CENTOS9_TARGETS): .dapper
 $(MICROOS_TARGETS): .dapper
 	./.dapper -f Dockerfile.microos.dapper $(@:microos-%=%)
 
-.PHONY: $(CENTOS7_TARGETS) $(CENTOS8_TARGETS) $(CENTOS9_TARGETS) $(MICROOS_TARGETS)
+$(FEDORA37_TARGETS): .dapper
+	./.dapper -f Dockerfile.fedora37.dapper $(@:fedora37-%=%)
+
+.PHONY: $(CENTOS7_TARGETS) $(CENTOS8_TARGETS) $(CENTOS9_TARGETS) $(MICROOS_TARGETS) $(FEDORA37_TARGETS)
diff --git a/policy/fedora37/rancher-selinux.spec b/policy/fedora37/rancher-selinux.spec
@@ -0,0 +1,56 @@
+# vim: sw=4:ts=4:et
+
+%define selinux_policyver 37.19-1
+%define container_policyver 2.204.0-1
+
+%define relabel_files() \
+mkdir -p /var/lib/rancher/rke /etc/kubernetes /opt/rke; \
+restorecon -R /var/lib/rancher /etc/kubernetes /opt/rke;
+
+Name:   rancher-selinux
+Version:	%{rancher_selinux_version}
+Release:	%{rancher_selinux_release}.fc37
+Summary:	SELinux policy module for Rancher
+
+Group:	System Environment/Base
+License:	ASL 2.0
+URL:		http://rancher.com
+Source0:	rancher.pp
+
+BuildRequires: container-selinux >= %{container_policyver}
+
+Requires: policycoreutils, libselinux-utils
+Requires(post): selinux-policy >= %{selinux_policyver}, policycoreutils, container-selinux >= %{container_policyver}
+Requires(postun): policycoreutils
+
+BuildArch: noarch
+
+%description
+This package installs and sets up the SELinux policy security module for Rancher.
+
+%install
+install -d %{buildroot}%{_datadir}/selinux/packages
+install -m 644 %{SOURCE0} %{buildroot}%{_datadir}/selinux/packages
+
+
+%post
+semodule -n -i %{_datadir}/selinux/packages/rancher.pp
+if /usr/sbin/selinuxenabled ; then
+    /usr/sbin/load_policy
+    %relabel_files
+fi;
+exit 0
+
+%postun
+if [ $1 -eq 0 ]; then
+    semodule -n -r rancher
+    if /usr/sbin/selinuxenabled ; then
+       /usr/sbin/load_policy
+    fi;
+fi;
+exit 0
+
+%files
+%attr(0600,root,root) %{_datadir}/selinux/packages/rancher.pp
+
+%changelog
diff --git a/policy/fedora37/rancher.fc b/policy/fedora37/rancher.fc
@@ -0,0 +1,2 @@
+/var/lib/rancher/rke(/.*)?                                              gen_context(system_u:object_r:container_var_lib_t,s0)
+/opt/rke(/.*)?                                                          gen_context(system_u:object_r:rke_opt_t,s0)
diff --git a/policy/fedora37/rancher.te b/policy/fedora37/rancher.te
@@ -0,0 +1,105 @@
+policy_module(rancher, 1.0.0)
+
+gen_require(`
+    type container_runtime_t, unconfined_service_t;
+    type container_file_t;
+')
+
+########################
+# type rke_kubereader_t #
+########################
+gen_require(`
+        type container_runtime_t, unconfined_service_t;
+        type kubernetes_file_t;
+        class dir { open read search };
+        class file { getaddr open read };
+        class lnk_file { getattr read };
+')
+container_domain_template(rke_kubereader, container)
+virt_sandbox_domain(rke_kubereader_t)
+corenet_unconfined(rke_kubereader_t)
+allow rke_kubereader_t kubernetes_file_t:dir { open read search };
+allow rke_kubereader_t kubernetes_file_t:file { getattr open read };
+allow rke_kubereader_t kubernetes_file_t:lnk_file { getattr read };
+
+########################
+# type rke_logreader_t #
+########################
+gen_require(`
+        type container_runtime_t, unconfined_service_t;
+        type container_log_t;
+        type syslogd_var_run_t;
+        type var_log_t;
+        class dir { read search };
+        class file { open read };
+        class lnk_file { getattr read };
+')
+container_domain_template(rke_logreader, container)
+virt_sandbox_domain(rke_logreader_t)
+corenet_unconfined(rke_logreader_t)
+allow rke_logreader_t container_log_t:dir { open read search };
+allow rke_logreader_t container_log_t:lnk_file { getattr read };
+allow rke_logreader_t container_log_t:file { getattr open read };
+allow rke_logreader_t container_var_lib_t:dir search;
+allow rke_logreader_t container_var_lib_t:file { getattr open read };
+allow rke_logreader_t container_var_lib_t:lnk_file { getattr read };
+allow rke_logreader_t syslogd_var_run_t:dir read;
+allow rke_logreader_t syslogd_var_run_t:file { getattr map open read };
+allow rke_logreader_t var_log_t:dir read;
+allow rke_logreader_t var_log_t:file { getattr map open read };
+
+########################
+# type rke_container_t #
+########################
+gen_require(`
+        type container_runtime_t, unconfined_service_t;
+        type container_log_t;
+        type kubernetes_file_t;
+        type container_var_run_t;
+        class dir { read search };
+        class file { open read };
+')
+type rke_opt_t;
+files_type(rke_opt_t)
+container_domain_template(rke_container, container)
+virt_sandbox_domain(rke_container_t)
+corenet_unconfined(rke_container_t)
+manage_dirs_pattern(rke_container_t, container_var_lib_t, container_var_lib_t)
+manage_files_pattern(rke_container_t, container_var_lib_t, container_var_lib_t)
+manage_dirs_pattern(rke_container_t, container_log_t, container_log_t)
+manage_files_pattern(rke_container_t, container_log_t, container_log_t)
+manage_dirs_pattern(rke_container_t, kubernetes_file_t, kubernetes_file_t)
+manage_files_pattern(rke_container_t, kubernetes_file_t, kubernetes_file_t)
+manage_dirs_pattern(rke_container_t, rke_opt_t, rke_opt_t)
+manage_files_pattern(rke_container_t, rke_opt_t, rke_opt_t)
+manage_dirs_pattern(rke_container_t, container_var_lib_t, container_var_lib_t)
+manage_files_pattern(rke_container_t, container_var_lib_t, container_var_lib_t)
+manage_dirs_pattern(rke_container_t, container_var_run_t, container_var_run_t)
+manage_files_pattern(rke_container_t, container_var_run_t, container_var_run_t)
+allow rke_container_t self:tcp_socket { accept listen };
+allow rke_container_t container_var_lib_t:file map;
+allow rke_container_t rke_opt_t:file map;
+allow rke_container_t container_var_lib_t:dir { relabelfrom relabelto };
+allow rke_container_t container_var_lib_t:file { relabelfrom relabelto };
+allow rke_container_t rke_opt_t:dir { relabelfrom relabelto };
+allow rke_container_t rke_opt_t:file { relabelfrom relabelto };
+
+########################
+# type rke_network_t   #
+########################
+gen_require(`
+        type container_runtime_t, unconfined_service_t;
+        type iptables_var_run_t;
+        type var_run_t;
+        type kernel_t;
+')
+container_domain_template(rke_network, container)
+virt_sandbox_domain(rke_network_t)
+corenet_unconfined(rke_network_t)
+manage_dirs_pattern(rke_network_t, iptables_var_run_t, iptables_var_run_t)
+manage_files_pattern(rke_network_t, iptables_var_run_t, iptables_var_run_t)
+manage_dirs_pattern(rke_network_t, var_run_t, var_run_t)
+manage_files_pattern(rke_network_t, var_run_t, var_run_t)
+allow rke_network_t kernel_t:system module_request;
+allow rke_network_t kernel_t:unix_dgram_socket sendto;
+allow rke_network_t self:netlink_route_socket nlmsg_write;
diff --git a/policy/fedora37/scripts/build b/policy/fedora37/scripts/build
@@ -0,0 +1,20 @@
+#!/bin/bash
+set -e -x
+
+cd $(dirname $0)/..
+. ./scripts/version
+
+dnf -y install container-selinux selinux-policy-devel rpm-build
+
+make -f /usr/share/selinux/devel/Makefile rancher.pp
+
+rpmbuild \
+    --define "rancher_selinux_version ${RPM_VERSION}" \
+    --define "rancher_selinux_release ${RPM_RELEASE}" \
+    --define "_sourcedir $PWD" \
+    --define "_specdir $PWD" \
+    --define "_builddir $PWD" \
+    --define "_srcrpmdir ${PWD}/dist/source" \
+    --define "_buildrootdir $PWD/.build" \
+    --define "_rpmdir ${PWD}/dist" \
+    -ba rancher-selinux.spec
diff --git a/policy/fedora37/scripts/entry b/policy/fedora37/scripts/entry
@@ -0,0 +1,12 @@
+#!/bin/sh
+set -ex
+
+if [ -e ./policy/fedora37/scripts/"$1" ]; then
+    ./policy/fedora37/scripts/"$@"
+else
+    exec "$@"
+fi
+
+if [ "$DAPPER_UID" -ne "-1" ]; then
+  chown -R $DAPPER_UID:$DAPPER_GID .
+fi
diff --git a/policy/fedora37/scripts/repo-metadata b/policy/fedora37/scripts/repo-metadata
@@ -0,0 +1,14 @@
+#!/bin/bash
+set -e -x
+
+DIRS=("noarch" "source")
+
+cd $(dirname $0)/..
+. ./scripts/version
+
+dnf install -y createrepo_c
+
+for dir in "${DIRS[@]}"; do
+	echo "Creating repository metadata for $dir"
+	createrepo_c "dist/$dir/"
+done
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		/var/lib/rancher/rke(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
		/opt/rke(/.*)? gen_context(system_u:object_r:rke_opt_t,s0)