baculum: Update spec file and SELinux policies

diff --git a/gui/baculum/examples/rpm/baculum.spec b/gui/baculum/examples/rpm/baculum.spec
index 9e9b0ecf4fac9a60071f1b8689b2c49333199618..3c9dfd126d24495f841c0add22162b3ba95ea626 100644 (file)
--- a/gui/baculum/examples/rpm/baculum.spec
+++ b/gui/baculum/examples/rpm/baculum.spec
@@ -1,12 +1,14 @@
 Summary:       WebGUI tool for Bacula Community program
 Name:          baculum
 Version:       7.0.6
-Release:       0.1.a%{?dist}
+Release:       0.1.b%{?dist}
 License:       AGPLv3
 Group:         Applications/Internet
 URL:           http://bacula.org/
-Source0:       http://www.bacula.org/downloads/baculum/baculum-7.0.6a.tar.gz
+Source:                %{name}-%{version}b.tar.gz
 BuildRequires: systemd-units
+BuildRequires: selinux-policy
+BuildRequires: checkpolicy
 Requires:      lighttpd
 Requires:      lighttpd-fastcgi
 Requires:      bacula-console
@@ -58,6 +60,7 @@ can be run in enforcing mode.
 
 %files selinux
 %defattr(-,lighttpd,lighttpd)
+%{_datadir}/selinux/packages/%{name}/%{name}.pp
 
 %install
 mkdir -p %{buildroot}%{_datadir}/%{name}/htdocs
@@ -65,6 +68,7 @@ mkdir -p %{buildroot}%{_sysconfdir}/%{name}
 mkdir -p %{buildroot}%{_unitdir}
 mkdir -p %{buildroot}%{_localstatedir}/cache/%{name}
 mkdir -p %{buildroot}%{_var}/log/%{name}
+mkdir -p %{buildroot}%{_datadir}/selinux/packages/%{name}
 
 cp -ra framework protected themes index.php AUTHORS INSTALL LICENSE README %{buildroot}%{_datadir}/%{name}/htdocs
 ln -s  %{_localstatedir}/cache/%{name} %{buildroot}%{_datadir}/%{name}/htdocs/assets
@@ -72,6 +76,7 @@ ln -s  %{_localstatedir}/cache/%{name} %{buildroot}%{_datadir}/%{name}/htdocs/pr
 install -m 640 examples/rpm/baculum.lighttpd.conf %{buildroot}%{_sysconfdir}/%{name}/
 install -m 600 examples/rpm/baculum.users %{buildroot}%{_sysconfdir}/%{name}/%{name}.users
 install -m 644 examples/rpm/baculum.service %{buildroot}%{_unitdir}/
+install -m 644 examples/selinux/%{name}.pp %{buildroot}%{_datadir}/selinux/packages/%{name}/%{name}.pp
 
 %post
 [ -e %{_datadir}/baculum/htdocs/protected/Data/baculum.users ] ||
@@ -85,14 +90,13 @@ install -m 644 examples/rpm/baculum.service %{buildroot}%{_unitdir}/
 
 %post selinux
 if [ $1 -le 1 ] ; then
-    semanage port -a -t http_port_t -p tcp 9095
-    semanage fcontext -a -t httpd_cache_t '%{_localstatedir}/cache/%{name}(/.*)?' 2>/dev/null || :
-    restorecon -R %{_localstatedir}/cache/%{name} || :
     semanage fcontext -a -t httpd_sys_rw_content_t '%{_datadir}/%{name}/htdocs/protected/Data(/.*)?' 2>/dev/null || :
     restorecon '%{_datadir}/%{name}/htdocs/protected/Data' || :
-    chcon -t httpd_user_content_rw_t '%{_datadir}/%{name}/htdocs/protected/Data/baculum.users' || :
-    chcon -t httpd_user_content_rw_t '%{_sysconfdir}/%{name}/baculum.users' || :
-    setsebool -P httpd_can_network_connect 1 || :
+    semanage fcontext -a -t httpd_sys_rw_content_t '%{_sysconfdir}/%{name}/baculum.users' 2>/dev/null || :
+    restorecon '%{_sysconfdir}/%{name}/baculum.users' || :
+    semanage fcontext -a -t httpd_cache_t '%{_localstatedir}/cache/%{name}(/.*)?' 2>/dev/null || :
+    restorecon -R %{_localstatedir}/cache/%{name} || :
+    semodule -i %{_datadir}/selinux/packages/%{name}/%{name}.pp 2>/dev/null || :
 fi
 
 %preun
@@ -111,12 +115,12 @@ fi
 
 %postun selinux
 if [ $1 -eq 0 ] ; then
-    semanage port -d -t http_port_t -p tcp 9095
     semanage fcontext -d -t httpd_sys_rw_content_t '%{_datadir}/%{name}/htdocs/protected/Data(/.*)?' 2>/dev/null || :
+    semanage fcontext -d -t httpd_sys_rw_content_t '%{_sysconfdir}/%{name}/baculum.users' 2>/dev/null || :
     semanage fcontext -d -t httpd_cache_t '%{_localstatedir}/cache/%{name}(/.*)?' 2>/dev/null || :
-    setsebool -P httpd_can_network_connect 0 || :
+    semodule -r %{name} 2>/dev/null || :
 fi
 
 %changelog
- * Tue Mar 24 2015 Marcin Haba <marcin.haba@bacula.pl> - 7.0.6-0.1.a
+ * Mon Jul 06 2015 Marcin Haba <marcin.haba@bacula.pl> - 7.0.6-0.1.b
  - Spec create
\ No newline at end of file

diff --git a/gui/baculum/examples/selinux/baculum.pp b/gui/baculum/examples/selinux/baculum.pp
new file mode 100644 (file)
index 0000000..b68145e
Binary files /dev/null and b/gui/baculum/examples/selinux/baculum.pp differ

diff --git a/gui/baculum/examples/selinux/baculum.te b/gui/baculum/examples/selinux/baculum.te
new file mode 100644 (file)
index 0000000..131b560
--- /dev/null
+++ b/gui/baculum/examples/selinux/baculum.te
@@ -0,0 +1,29 @@
+module baculum 1.0;
+
+require {
+       type postgresql_port_t;
+       type mysqld_port_t;
+       type httpd_t;
+       type bacula_etc_t;
+       type unreserved_port_t;
+       type sudo_exec_t;
+       type httpd_cache_t;
+       class tcp_socket { name_bind name_connect };
+       class dir { search read write create getattr };
+       class file { read write create getattr open execute };
+       class netlink_audit_socket { write nlmsg_relay create read };
+}
+
+#============= httpd_t ==============
+
+allow httpd_t mysqld_port_t:tcp_socket name_connect;
+allow httpd_t postgresql_port_t:tcp_socket name_connect;
+allow httpd_t unreserved_port_t:tcp_socket name_bind;
+allow httpd_t unreserved_port_t:tcp_socket name_connect;
+allow httpd_t bacula_etc_t:dir search;
+allow httpd_t bacula_etc_t:file getattr;
+allow httpd_t bacula_etc_t:file { read open };
+allow httpd_t sudo_exec_t:file { read execute open };
+allow httpd_t httpd_cache_t:dir { read create };
+allow httpd_t httpd_cache_t:file { read write create };
+allow httpd_t self:netlink_audit_socket { write nlmsg_relay create read };