Add Fedora / CoreOS 37 #13

Merged
merged 3 commits into from
Nov 23, 2023
96 changes: 96 additions & 0 deletions .drone.yml
Expand Up @@ -372,3 +372,99 @@ steps:
- refs/tags/*
event:
- tag

---
kind: pipeline
name: RPM Build Fedora37

platform:
os: linux
arch: amd64

steps:
- name: Build RPM Fedora37
image: fedora:37
commands:
- policy/fedora37/scripts/build

- name: Sign RPM Fedora37 (dry-run)
image: fedora:37
commands:
- policy/fedora37/scripts/sign --dry-run
when:
event:
- pull_request

- name: Sign RPM Fedora37
image: fedora:37
environment:
PRIVATE_KEY:
from_secret: private_key
PRIVATE_KEY_PASS_PHRASE:
from_secret: private_key_pass_phrase
TESTING_PRIVATE_KEY:
from_secret: testing_private_key
TESTING_PRIVATE_KEY_PASS_PHRASE:
from_secret: testing_private_key_pass_phrase
commands:
- policy/fedora37/scripts/sign
when:
instance:
- drone-publish.rancher.io
ref:
- refs/head/master
- refs/tags/*
event:
- tag

- name: Create repo metadata for Fedora37
image: fedora:37
commands:
- policy/fedora37/scripts/repo-metadata

- name: Yum Repo Upload Fedora37
image: fedora:37
environment:
AWS_S3_BUCKET:
from_secret: aws_s3_bucket
AWS_ACCESS_KEY_ID:
from_secret: aws_access_key_id
AWS_SECRET_ACCESS_KEY:
from_secret: aws_secret_access_key
TESTING_AWS_S3_BUCKET:
from_secret: testing_aws_s3_bucket
TESTING_AWS_ACCESS_KEY_ID:
from_secret: testing_aws_access_key_id
TESTING_AWS_SECRET_ACCESS_KEY:
from_secret: testing_aws_secret_access_key
commands:
- policy/fedora37/scripts/upload-repo
when:
instance:
- drone-publish.rancher.io
ref:
- refs/head/master
- refs/tags/*
event:
- tag

- name: GitHub Release Fedora37
image: plugins/github-release
settings:
api_key:
from_secret: github_token
prerelease: true
checksum:
- sha256
checksum_file: CHECKSUMsum-fedora37-noarch.txt
checksum_flatten: true
files:
- "policy/fedora37/dist/**/*.rpm"
when:
instance:
- drone-publish.rancher.io
ref:
- refs/head/master
- refs/tags/*
event:
- tag
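Review bot: The `ref:` filters on the three publish-only steps (Sign RPM Fedora37, Yum Repo Upload Fedora37, GitHub Release Fedora37) list `refs/head/master`, which is not a Git ref namespace — branch refs live under `refs/heads/`, so that entry can never match and only the `refs/tags/*` entry does any work; because `event: [tag]` is also required the steps still behave, but the line should read `- refs/heads/master` or be dropped. This looks copied from the earlier pipelines above the hunk, so fixing it there as well would keep them consistent. The build, sign and upload steps run on the floating `fedora:37` tag; pinning the image by digest (`image: fedora:37@sha256:<digest>`) would make the environment that loads `private_key` and `aws_secret_access_key` reproducible and auditable.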
6 changes: 5 additions & 1 deletion Makefile
Expand Up @@ -2,6 +2,7 @@ CENTOS7_TARGETS := $(addprefix centos7-,$(shell ls policy/centos7/scripts))
CENTOS8_TARGETS := $(addprefix centos8-,$(shell ls policy/centos8/scripts))
CENTOS9_TARGETS := $(addprefix centos9-,$(shell ls policy/centos9/scripts))
MICROOS_TARGETS := $(addprefix microos-,$(shell ls policy/microos/scripts))
FEDORA37_TARGETS := $(addprefix fedora37-,$(shell ls policy/fedora37/scripts))

.dapper:
@echo Downloading dapper
Expand All @@ -22,4 +23,7 @@ $(CENTOS9_TARGETS): .dapper
$(MICROOS_TARGETS): .dapper
./.dapper -f Dockerfile.microos.dapper $(@:microos-%=%)

.PHONY: $(CENTOS7_TARGETS) $(CENTOS8_TARGETS) $(CENTOS9_TARGETS) $(MICROOS_TARGETS)
$(FEDORA37_TARGETS): .dapper
./.dapper -f Dockerfile.fedora37.dapper $(@:fedora37-%=%)

.PHONY: $(CENTOS7_TARGETS) $(CENTOS8_TARGETS) $(CENTOS9_TARGETS) $(MICROOS_TARGETS) $(FEDORA37_TARGETS)
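Review bot: `FEDORA37_TARGETS` is built with `$(shell ls policy/fedora37/scripts)`, which forks a process at parse time and takes whatever `ls` prints; the built-in `$(notdir $(wildcard policy/fedora37/scripts/*))` yields the same list without the shell. It is written this way to match the four existing `*_TARGETS` lines, so if it is changed, all five should change together. The recipe references `Dockerfile.fedora37.dapper`, which is not among the files shown here — presumably added elsewhere in this PR, but worth confirming it is part of the commit set.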
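--- a/policy/fedora37/rancher-selinux.spec
+++ b/policy/fedora37/rancher-selinux.spec
@@ -0,0 +1,56 @@
+# vim: sw=4:ts=4:et
+
+%define selinux_policyver 37.19-1
+%define container_policyver 2.204.0-1
+
+%define relabel_files() \
+mkdir -p /var/lib/rancher/rke /etc/kubernetes /opt/rke; \
+restorecon -R /var/lib/rancher /etc/kubernetes /opt/rke;
+
+Name: rancher-selinux
+Version: %{rancher_selinux_version}
+Release: %{rancher_selinux_release}.fc37
+Summary: SELinux policy module for Rancher
+
+Group: System Environment/Base
+License: ASL 2.0
+URL: http://rancher.com
+Source0: rancher.pp
+
+BuildRequires: container-selinux >= %{container_policyver}
+
+Requires: policycoreutils, libselinux-utils
+Requires(post): selinux-policy >= %{selinux_policyver}, policycoreutils, container-selinux >= %{container_policyver}
+Requires(postun): policycoreutils
+
+BuildArch: noarch
+
+%description
+This package installs and sets up the SELinux policy security module for Rancher.
+
+%install
+install -d %{buildroot}%{_datadir}/selinux/packages
+install -m 644 %{SOURCE0} %{buildroot}%{_datadir}/selinux/packages
+
+
+%post
+semodule -n -i %{_datadir}/selinux/packages/rancher.pp
+if /usr/sbin/selinuxenabled ; then
+/usr/sbin/load_policy
+%relabel_files
+fi;
+exit 0
+
+%postun
+if [ $1 -eq 0 ]; then
+semodule -n -r rancher
+if /usr/sbin/selinuxenabled ; then
+/usr/sbin/load_policy
+fi;
+fi;
+exit 0
+
+%files
+%attr(0600,root,root) %{_datadir}/selinux/packages/rancher.pp
+
+%changelog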
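Review bot: `Release: %{rancher_selinux_release}.fc37` hard-codes the dist tag; on the Fedora 37 build image `%{?dist}` should expand to `.fc37`, so `Release: %{rancher_selinux_release}%{?dist}` is the idiomatic form and keeps the spec reusable when the next Fedora is added. The `relabel_files` macro run from `%post` creates `/var/lib/rancher/rke`, `/etc/kubernetes` and `/opt/rke` with `mkdir -p`, but none of them is listed under `%files`, so they are not owned by the package and survive `rpm -e`; either declare the ones this package should own with `%dir` in `%files` or add a comment stating that they are intentionally left behind. `URL: http://rancher.com` should use `https://`. The `%changelog` section is empty; a first entry noting the `selinux_policyver` / `container_policyver` pins would help whoever bumps them next.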
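--- a/policy/fedora37/rancher.fc
+++ b/policy/fedora37/rancher.fc
@@ -0,0 +1,2 @@
+/var/lib/rancher/rke(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
+/opt/rke(/.*)? gen_context(system_u:object_r:rke_opt_t,s0)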
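--- a/policy/fedora37/rancher.te
+++ b/policy/fedora37/rancher.te
@@ -0,0 +1,105 @@
+policy_module(rancher, 1.0.0)
+
+gen_require(`
+type container_runtime_t, unconfined_service_t;
+type container_file_t;
+')
+
+########################
+# type rke_kubereader_t #
+########################
+gen_require(`
+type container_runtime_t, unconfined_service_t;
+type kubernetes_file_t;
+class dir { open read search };
+class file { getaddr open read };
+class lnk_file { getattr read };
+')
+container_domain_template(rke_kubereader, container)
+virt_sandbox_domain(rke_kubereader_t)
+corenet_unconfined(rke_kubereader_t)
+allow rke_kubereader_t kubernetes_file_t:dir { open read search };
+allow rke_kubereader_t kubernetes_file_t:file { getattr open read };
+allow rke_kubereader_t kubernetes_file_t:lnk_file { getattr read };
+
+########################
+# type rke_logreader_t #
+########################
+gen_require(`
+type container_runtime_t, unconfined_service_t;
+type container_log_t;
+type syslogd_var_run_t;
+type var_log_t;
+class dir { read search };
+class file { open read };
+class lnk_file { getattr read };
+')
+container_domain_template(rke_logreader, container)
+virt_sandbox_domain(rke_logreader_t)
+corenet_unconfined(rke_logreader_t)
+allow rke_logreader_t container_log_t:dir { open read search };
+allow rke_logreader_t container_log_t:lnk_file { getattr read };
+allow rke_logreader_t container_log_t:file { getattr open read };
+allow rke_logreader_t container_var_lib_t:dir search;
+allow rke_logreader_t container_var_lib_t:file { getattr open read };
+allow rke_logreader_t container_var_lib_t:lnk_file { getattr read };
+allow rke_logreader_t syslogd_var_run_t:dir read;
+allow rke_logreader_t syslogd_var_run_t:file { getattr map open read };
+allow rke_logreader_t var_log_t:dir read;
+allow rke_logreader_t var_log_t:file { getattr map open read };
+
+########################
+# type rke_container_t #
+########################
+gen_require(`
+type container_runtime_t, unconfined_service_t;
+type container_log_t;
+type kubernetes_file_t;
+type container_var_run_t;
+class dir { read search };
+class file { open read };
+')
+type rke_opt_t;
+files_type(rke_opt_t)
+container_domain_template(rke_container, container)
+virt_sandbox_domain(rke_container_t)
+corenet_unconfined(rke_container_t)
+manage_dirs_pattern(rke_container_t, container_var_lib_t, container_var_lib_t)
+manage_files_pattern(rke_container_t, container_var_lib_t, container_var_lib_t)
+manage_dirs_pattern(rke_container_t, container_log_t, container_log_t)
+manage_files_pattern(rke_container_t, container_log_t, container_log_t)
+manage_dirs_pattern(rke_container_t, kubernetes_file_t, kubernetes_file_t)
+manage_files_pattern(rke_container_t, kubernetes_file_t, kubernetes_file_t)
+manage_dirs_pattern(rke_container_t, rke_opt_t, rke_opt_t)
+manage_files_pattern(rke_container_t, rke_opt_t, rke_opt_t)
+manage_dirs_pattern(rke_container_t, container_var_lib_t, container_var_lib_t)
+manage_files_pattern(rke_container_t, container_var_lib_t, container_var_lib_t)
+manage_dirs_pattern(rke_container_t, container_var_run_t, container_var_run_t)
+manage_files_pattern(rke_container_t, container_var_run_t, container_var_run_t)
+allow rke_container_t self:tcp_socket { accept listen };
+allow rke_container_t container_var_lib_t:file map;
+allow rke_container_t rke_opt_t:file map;
+allow rke_container_t container_var_lib_t:dir { relabelfrom relabelto };
+allow rke_container_t container_var_lib_t:file { relabelfrom relabelto };
+allow rke_container_t rke_opt_t:dir { relabelfrom relabelto };
+allow rke_container_t rke_opt_t:file { relabelfrom relabelto };
+
+########################
+# type rke_network_t #
+########################
+gen_require(`
+type container_runtime_t, unconfined_service_t;
+type iptables_var_run_t;
+type var_run_t;
+type kernel_t;
+')
+container_domain_template(rke_network, container)
+virt_sandbox_domain(rke_network_t)
+corenet_unconfined(rke_network_t)
+manage_dirs_pattern(rke_network_t, iptables_var_run_t, iptables_var_run_t)
+manage_files_pattern(rke_network_t, iptables_var_run_t, iptables_var_run_t)
+manage_dirs_pattern(rke_network_t, var_run_t, var_run_t)
+manage_files_pattern(rke_network_t, var_run_t, var_run_t)
+allow rke_network_t kernel_t:system module_request;
+allow rke_network_t kernel_t:unix_dgram_socket sendto;
+allow rke_network_t self:netlink_route_socket nlmsg_write;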
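Review bot: The `gen_require` for `rke_kubereader_t` lists `class file { getaddr open read }`, but the allow rule a few lines below uses `getattr`; `getaddr` is not a permission of the `file` class, so the require should read `class file { getattr open read };` (whether checkmodule rejects it or merely ignores it depends on the toolchain version, so confirm against the CI log). The `rke_logreader_t` require block has the same drift, listing only `{ open read }` for `file` while its rules use `getattr` and `map`. `container_var_lib_t` is used throughout `rke_logreader_t` and `rke_container_t` yet appears in no visible `gen_require`, while `container_file_t` is required at the top and never used — if the module builds, one of the container-selinux templates presumably supplies the former, but an explicit `type container_var_lib_t;` in the requires is clearer. The `manage_dirs_pattern` / `manage_files_pattern` pair for `container_var_lib_t` appears twice in the `rke_container_t` block and one copy can go. `allow rke_network_t kernel_t:system module_request;` lets the network domain trigger kernel module loading; a one-line comment naming which component needs it (e.g. `# needed for <component> to autoload netfilter modules — confirm`) would help reviewers judge any future widening.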
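--- a/policy/fedora37/scripts/build
+++ b/policy/fedora37/scripts/build
@@ -0,0 +1,20 @@
+#!/bin/bash
+set -e -x
+
+cd $(dirname $0)/..
+. ./scripts/version
+
+dnf -y install container-selinux selinux-policy-devel rpm-build
+
+make -f /usr/share/selinux/devel/Makefile rancher.pp
+
+rpmbuild \
+--define "rancher_selinux_version ${RPM_VERSION}" \
+--define "rancher_selinux_release ${RPM_RELEASE}" \
+--define "_sourcedir $PWD" \
+--define "_specdir $PWD" \
+--define "_builddir $PWD" \
+--define "_srcrpmdir ${PWD}/dist/source" \
+--define "_buildrootdir $PWD/.build" \
+--define "_rpmdir ${PWD}/dist" \
+-ba rancher-selinux.spec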
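Review bot: `dnf -y install container-selinux selinux-policy-devel rpm-build` compiles `rancher.pp` against whatever policy version the `fedora:37` image resolves on the day of the build, while the spec only pins `selinux_policyver` / `container_policyver` as install-time `Requires`; pinning those two packages here to the same versions, or at least logging `rpm -q selinux-policy container-selinux` before the `make`, ties the built module to the policy it was compiled against. `cd $(dirname $0)/..` is unquoted; `cd "$(dirname "$0")/.."` is the safe form, and the same applies to `repo-metadata`. `${RPM_VERSION}` and `${RPM_RELEASE}` come from `./scripts/version`, which is not shown here.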
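--- a/policy/fedora37/scripts/entry
+++ b/policy/fedora37/scripts/entry
@@ -0,0 +1,12 @@
+#!/bin/sh
+set -ex
+
+if [ -e ./policy/fedora37/scripts/"$1" ]; then
+./policy/fedora37/scripts/"$@"
+else
+exec "$@"
+fi
+
+if [ "$DAPPER_UID" -ne "-1" ]; then
+chown -R $DAPPER_UID:$DAPPER_GID .
+fi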
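Review bot: The trailing `chown -R` only runs when the script dispatched via `./policy/fedora37/scripts/"$@"` exits zero — `set -e` aborts before it on failure, and the `exec "$@"` branch never returns to it — so a failed build leaves root-owned files in the bind-mounted tree. If the ownership fix is meant to be unconditional, register it before the dispatch as `trap 'if [ "$DAPPER_UID" -ne "-1" ]; then chown -R "$DAPPER_UID:$DAPPER_GID" .; fi' EXIT`; that still will not cover the `exec` path. `$DAPPER_UID:$DAPPER_GID` should be quoted in the `chown` call as well. This presumably mirrors the other distros' entry scripts, so any change is best applied to all of them.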
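--- a/policy/fedora37/scripts/repo-metadata
+++ b/policy/fedora37/scripts/repo-metadata
@@ -0,0 +1,14 @@
+#!/bin/bash
+set -e -x
+
+DIRS=("noarch" "source")
+
+cd $(dirname $0)/..
+. ./scripts/version
+
+dnf install -y createrepo_c
+
+for dir in "${DIRS[@]}"; do
+echo "Creating repository metadata for $dir"
+createrepo_c "dist/$dir/"
+done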
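Review bot: `. ./scripts/version` is sourced but none of its variables is used in the lines shown; either drop it or add a comment saying what it is needed for (for example, if `createrepo_c` is expected to read something from the environment). `cd $(dirname $0)/..` is unquoted, as in `build`; `cd "$(dirname "$0")/.."` avoids breaking on paths with spaces. `createrepo_c` is installed unpinned at run time via `dnf install -y`, the same version-drift point raised for `build`.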