From f177ffbbfb77db07a0f02225626b45dca500d853 Mon Sep 17 00:00:00 2001
From: Marcin Haba <marcin.haba@bacula.pl>
Date: Wed, 8 Jul 2015 12:55:26 +0200
Subject: [PATCH] baculum: Update spec file and SELinux policies

---
 gui/baculum/examples/rpm/baculum.spec   |  26 ++++++++++++---------
 gui/baculum/examples/selinux/baculum.pp | Bin 0 -> 2795 bytes
 gui/baculum/examples/selinux/baculum.te |  29 ++++++++++++++++++++++++
 3 files changed, 44 insertions(+), 11 deletions(-)
 create mode 100644 gui/baculum/examples/selinux/baculum.pp
 create mode 100644 gui/baculum/examples/selinux/baculum.te

diff --git a/gui/baculum/examples/rpm/baculum.spec b/gui/baculum/examples/rpm/baculum.spec
index 9e9b0ecf4f..3c9dfd126d 100644
--- a/gui/baculum/examples/rpm/baculum.spec
+++ b/gui/baculum/examples/rpm/baculum.spec
@@ -1,12 +1,14 @@
 Summary:	WebGUI tool for Bacula Community program
 Name:		baculum
 Version:	7.0.6
-Release:	0.1.a%{?dist}
+Release:	0.1.b%{?dist}
 License:	AGPLv3
 Group:		Applications/Internet
 URL:		http://bacula.org/
-Source0:	http://www.bacula.org/downloads/baculum/baculum-7.0.6a.tar.gz
+Source:		%{name}-%{version}b.tar.gz
 BuildRequires:	systemd-units
+BuildRequires:	selinux-policy
+BuildRequires:	checkpolicy
 Requires:	lighttpd
 Requires:	lighttpd-fastcgi
 Requires:	bacula-console
@@ -58,6 +60,7 @@ can be run in enforcing mode.
 
 %files selinux
 %defattr(-,lighttpd,lighttpd)
+%{_datadir}/selinux/packages/%{name}/%{name}.pp
 
 %install
 mkdir -p %{buildroot}%{_datadir}/%{name}/htdocs
@@ -65,6 +68,7 @@ mkdir -p %{buildroot}%{_sysconfdir}/%{name}
 mkdir -p %{buildroot}%{_unitdir}
 mkdir -p %{buildroot}%{_localstatedir}/cache/%{name}
 mkdir -p %{buildroot}%{_var}/log/%{name}
+mkdir -p %{buildroot}%{_datadir}/selinux/packages/%{name}
 
 cp -ra framework protected themes index.php AUTHORS INSTALL LICENSE README %{buildroot}%{_datadir}/%{name}/htdocs
 ln -s  %{_localstatedir}/cache/%{name} %{buildroot}%{_datadir}/%{name}/htdocs/assets
@@ -72,6 +76,7 @@ ln -s  %{_localstatedir}/cache/%{name} %{buildroot}%{_datadir}/%{name}/htdocs/pr
 install -m 640 examples/rpm/baculum.lighttpd.conf %{buildroot}%{_sysconfdir}/%{name}/
 install -m 600 examples/rpm/baculum.users %{buildroot}%{_sysconfdir}/%{name}/%{name}.users
 install -m 644 examples/rpm/baculum.service %{buildroot}%{_unitdir}/
+install -m 644 examples/selinux/%{name}.pp %{buildroot}%{_datadir}/selinux/packages/%{name}/%{name}.pp
 
 %post
 [ -e %{_datadir}/baculum/htdocs/protected/Data/baculum.users ] ||
@@ -85,14 +90,13 @@ install -m 644 examples/rpm/baculum.service %{buildroot}%{_unitdir}/
 
 %post selinux
 if [ $1 -le 1 ] ; then
-    semanage port -a -t http_port_t -p tcp 9095
-    semanage fcontext -a -t httpd_cache_t '%{_localstatedir}/cache/%{name}(/.*)?' 2>/dev/null || :
-    restorecon -R %{_localstatedir}/cache/%{name} || :
     semanage fcontext -a -t httpd_sys_rw_content_t '%{_datadir}/%{name}/htdocs/protected/Data(/.*)?' 2>/dev/null || :
     restorecon '%{_datadir}/%{name}/htdocs/protected/Data' || :
-    chcon -t httpd_user_content_rw_t '%{_datadir}/%{name}/htdocs/protected/Data/baculum.users' || :
-    chcon -t httpd_user_content_rw_t '%{_sysconfdir}/%{name}/baculum.users' || :
-    setsebool -P httpd_can_network_connect 1 || :
+    semanage fcontext -a -t httpd_sys_rw_content_t '%{_sysconfdir}/%{name}/baculum.users' 2>/dev/null || :
+    restorecon '%{_sysconfdir}/%{name}/baculum.users' || :
+    semanage fcontext -a -t httpd_cache_t '%{_localstatedir}/cache/%{name}(/.*)?' 2>/dev/null || :
+    restorecon -R %{_localstatedir}/cache/%{name} || :
+    semodule -i %{_datadir}/selinux/packages/%{name}/%{name}.pp 2>/dev/null || :
 fi
 
 %preun
@@ -111,12 +115,12 @@ fi
 
 %postun selinux
 if [ $1 -eq 0 ] ; then
-    semanage port -d -t http_port_t -p tcp 9095
     semanage fcontext -d -t httpd_sys_rw_content_t '%{_datadir}/%{name}/htdocs/protected/Data(/.*)?' 2>/dev/null || :
+    semanage fcontext -d -t httpd_sys_rw_content_t '%{_sysconfdir}/%{name}/baculum.users' 2>/dev/null || :
     semanage fcontext -d -t httpd_cache_t '%{_localstatedir}/cache/%{name}(/.*)?' 2>/dev/null || :
-    setsebool -P httpd_can_network_connect 0 || :
+    semodule -r %{name} 2>/dev/null || :
 fi
 
 %changelog
- * Tue Mar 24 2015 Marcin Haba <marcin.haba@bacula.pl> - 7.0.6-0.1.a
+ * Mon Jul 06 2015 Marcin Haba <marcin.haba@bacula.pl> - 7.0.6-0.1.b
  - Spec create
\ No newline at end of file
diff --git a/gui/baculum/examples/selinux/baculum.pp b/gui/baculum/examples/selinux/baculum.pp
new file mode 100644
index 0000000000000000000000000000000000000000..b68145ea8422d985d9d857bf1ea470b1ac70ebf1
GIT binary patch
literal 2795
zcmb`J+m6#f42DZNpTr_@PoDs>Pk?W@gDV~&N|T`tn<gchz^;VE6Cj?KEATgo$?TRu
z#P*kdkH_}do=Mut_n%*W+*m9Y@I?7d=TCHe_j>iFsJipj+dA(`w^Y+pC1LlJ;I49=
zW?k9sZmN3v;-%<t6}Qv?pA8P1GlI(bvZ&6Iw95;hv~_mo{6n=<u_|}%CTU!mUfj_s
zRkFsV-rZJ>Rz5d{ca~8-`2#fqoMeE&XZs=deVyU0(w$4zMU_9&NhpRPtE<Xoo=N~a
zwIIlghDNA3HbQV{gaaXR<9zCULlg<<i&a!@UD{+@+dC`qK=8gO9s0OYQetuEF6;Vz
zlk#^tGDYPmK{?EHQtw@b4f5C+LB0N<yG$AhvtCT;783hu3-X|7&uXZ;5X6AC%j<;R
z6VKa2OH-j;)wtF*pIn~o>&7RZ{2av8g01)ayw7VPj6j0y#lCL+MpJ(*hrB#*&c_xJ
zCWryyl};1qwdu!dqmQZBzK1N$wyqE6;Y<bZF0={T-B4_Duq2EIPTS_9I<&dHQrKdM
zPN2onAdnzOfgj?xSWz9?d~OYkXKf7Z@EA4tuL2U}D6EE!cw`_pFn1sSs&R~c*q^C{
z&PEZRll4suwE5h9{H+GRu=t;W{P5T{?DEjm|NT5xELKR6qo7yzajLYwMRjQNxo5>1
zAVH3TJWC}PjO7&7q0Ns`gMGyRIOK<OYG_!145JOKr8n;NtB}Zm4y~5OV>5^<&|<!-
z4kXB4%+cwGIB2=pJCK29e~wWh1I_*lqe2FneX4I_fdtu$>*!IMYpI+CpGSZC6k<<C
z-o5cd#;lB-oPL|cCX(_!5!=xDvD@{(RNee`okv%;xfuEV9$e9J0PBY<IX1KI;0lfd
ZxQ^p1H}-M;Ub<qhIxk(Ru~Qcw;1^yn%ccMT

literal 0
HcmV?d00001

diff --git a/gui/baculum/examples/selinux/baculum.te b/gui/baculum/examples/selinux/baculum.te
new file mode 100644
index 0000000000..131b560f37
--- /dev/null
+++ b/gui/baculum/examples/selinux/baculum.te
@@ -0,0 +1,29 @@
+module baculum 1.0;
+
+require {
+	type postgresql_port_t;
+	type mysqld_port_t;
+	type httpd_t;
+	type bacula_etc_t;
+	type unreserved_port_t;
+	type sudo_exec_t;
+	type httpd_cache_t;
+	class tcp_socket { name_bind name_connect };
+	class dir { search read write create getattr };
+	class file { read write create getattr open execute };
+	class netlink_audit_socket { write nlmsg_relay create read };
+}
+
+#============= httpd_t ==============
+
+allow httpd_t mysqld_port_t:tcp_socket name_connect;
+allow httpd_t postgresql_port_t:tcp_socket name_connect;
+allow httpd_t unreserved_port_t:tcp_socket name_bind;
+allow httpd_t unreserved_port_t:tcp_socket name_connect;
+allow httpd_t bacula_etc_t:dir search;
+allow httpd_t bacula_etc_t:file getattr;
+allow httpd_t bacula_etc_t:file { read open };
+allow httpd_t sudo_exec_t:file { read execute open };
+allow httpd_t httpd_cache_t:dir { read create };
+allow httpd_t httpd_cache_t:file { read write create };
+allow httpd_t self:netlink_audit_socket { write nlmsg_relay create read };
-- 
2.39.5