diff --git a/.github/docker/Dockerfile.packaging-plugins-alma8 b/.github/docker/Dockerfile.packaging-plugins-alma8
index fa13fa291..11c2ec593 100644
--- a/.github/docker/Dockerfile.packaging-plugins-alma8
+++ b/.github/docker/Dockerfile.packaging-plugins-alma8
@@ -10,7 +10,7 @@ baseurl=https://repo.goreleaser.com/yum/
 enabled=1
 gpgcheck=0' | tee /etc/yum.repos.d/goreleaser.repo
-dnf -y install gcc git gettext rpm-build dos2unix python3 epel-release nfpm openssl-devel jq zstd
+dnf -y install gcc git gettext rpm-build dos2unix python3 epel-release nfpm openssl-devel jq zstd selinux-policy-devel
 dnf -y install perl-App-cpanminus perl-JSON
 cpanm App::FatPacker
 cpanm File::Copy::Recursive
diff --git a/.github/docker/Dockerfile.packaging-plugins-alma9 b/.github/docker/Dockerfile.packaging-plugins-alma9
index 4e61f0b88..bdd7f8d72 100644
--- a/.github/docker/Dockerfile.packaging-plugins-alma9
+++ b/.github/docker/Dockerfile.packaging-plugins-alma9
@@ -10,7 +10,7 @@ baseurl=https://repo.goreleaser.com/yum/
 enabled=1
 gpgcheck=0' | tee /etc/yum.repos.d/goreleaser.repo
-dnf -y install gcc git gettext rpm-build dos2unix python3 epel-release nfpm openssl-devel jq zstd
+dnf -y install gcc git gettext rpm-build dos2unix python3 epel-release nfpm openssl-devel jq zstd selinux-policy-devel
 dnf -y install perl-App-cpanminus perl-JSON
 cpanm App::FatPacker
 cpanm File::Copy::Recursive
diff --git a/.github/workflows/plugins-selinux.yml b/.github/workflows/plugins-selinux.yml
new file mode 100644
index 000000000..753baa686
--- /dev/null
+++ b/.github/workflows/plugins-selinux.yml
@@ -0,0 +1,91 @@
+name: plugins-selinux
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+ cancel-in-progress: true
+
+on:
+ workflow_dispatch:
+ pull_request:
+ paths:
+ - 'selinux/**'
+ push:
+ branches:
+ - develop
+ - master
+ paths:
+ - 'selinux/**'
+
+jobs:
+ get-environment:
+ uses: ./.github/workflows/get-environment.yml
+ with:
+ version_file: selinux/packaging/centreon-plugins-selinux.yaml
+
+ package:
+ needs: [get-environment]
+ runs-on: ubuntu-22.04
+ strategy:
+ matrix:
+ include:
+ - package_extension: rpm
+ image: packaging-plugins-alma8
+ distrib: el8
+ - package_extension: rpm
+ image: packaging-plugins-alma9
+ distrib: el9
+
+ container:
+ image: ${{ vars.DOCKER_INTERNAL_REGISTRY_URL }}/${{ matrix.image }}
+ credentials:
+ username: ${{ secrets.DOCKER_REGISTRY_ID }}
+ password: ${{ secrets.DOCKER_REGISTRY_PASSWD }}
+
+ name: package ${{ matrix.distrib }}
+
+ steps:
+ - name: Checkout sources
+ uses: actions/checkout@v3
+
+ - name: Generate selinux binary
+ run: |
+ cd selinux/src
+ sed -i "s/@VERSION@/${{ needs.get-environment.outputs.version }}/g" centreon-plugins.te
+ make -f /usr/share/selinux/devel/Makefile
+ shell: bash
+
+ - name: Package
+ uses: ./.github/actions/package
+ with:
+ nfpm_file_pattern: "selinux/packaging/centreon-plugins-selinux.yaml"
+ distrib: ${{ matrix.distrib }}
+ package_extension: ${{ matrix.package_extension }}
+ version: ${{ needs.get-environment.outputs.version }}
+ release: ${{ needs.get-environment.outputs.release }}
+ commit_hash: ${{ github.sha }}
+ cache_key: ${{ github.sha }}-${{ github.run_id }}-${{ matrix.package_extension }}-${{ matrix.distrib }}
+ rpm_gpg_key: ${{ secrets.RPM_GPG_SIGNING_KEY }}
+ rpm_gpg_signing_key_id: ${{ secrets.RPM_GPG_SIGNING_KEY_ID }}
+ rpm_gpg_signing_passphrase: ${{ secrets.RPM_GPG_SIGNING_PASSPHRASE }}
+
+ deliver-rpm:
+ needs: [get-environment, package]
+ if: ${{ contains(fromJson('["stable", "testing", "unstable"]'),
needs.get-environment.outputs.stability) }}
+ runs-on: [self-hosted, common]
+
+ strategy:
+ matrix:
+ distrib: [el8, el9]
+
+ steps:
+ - name: Checkout sources
+ uses: actions/checkout@v3
+
+ - name: Delivery
+ uses: ./.github/actions/rpm-delivery
+ with:
+ module_name: plugins-selinux
+ distrib: ${{ matrix.distrib }}
+ cache_key: ${{ github.sha }}-${{ github.run_id }}-rpm-${{ matrix.distrib }}
+ stability: ${{ needs.get-environment.outputs.stability }}
+ artifactory_token: ${{ secrets.ARTIFACTORY_ACCESS_TOKEN }}
diff --git a/selinux/packaging/centreon-plugins-selinux.yaml b/selinux/packaging/centreon-plugins-selinux.yaml
new file mode 100644
index 000000000..7add488fe
--- /dev/null
+++ b/selinux/packaging/centreon-plugins-selinux.yaml
@@ -0,0 +1,42 @@
+name: "centreon-plugins-selinux"
+arch: "amd64"
+platform: "linux"
+version_schema: "none"
+version: "0.0.8"
+release: "${RELEASE}${DIST}"
+section: "default"
+priority: "optional"
+maintainer: "Centreon "
+description: |
+ SELinux context for centreon-plugins
+vendor: "Centreon"
+homepage: "https://centreon.com"
+license: "Apache-2.0"
+
+depends:
+ - policycoreutils
+ - centreon-common-selinux
+ - centreon-engine-selinux
+ - centreon-broker-selinux
+replaces:
+ - centreon-plugins-selinux-debuginfo
+conflicts:
+ - centreon-plugins-selinux-debuginfo
+provides:
+ - centreon-plugins-selinux-debuginfo
+
+contents:
+ - src: "../src/centreon-plugins.pp"
+ dst: "/usr/share/selinux/packages/centreon/centreon-plugins.pp"
+ file_info:
+ mode: 0655
+
+scripts:
+ postinstall: ./scripts/centreon-plugins-selinux-postinstall.sh
+ preremove: ./scripts/centreon-plugins-selinux-preremove.sh
+
+rpm:
+ summary: SELinux context for centreon-plugins
+ signature:
+ key_file: ${RPM_SIGNING_KEY_FILE}
+ key_id: ${RPM_SIGNING_KEY_ID}
diff --git a/selinux/packaging/scripts/centreon-plugins-selinux-postinstall.sh b/selinux/packaging/scripts/centreon-plugins-selinux-postinstall.sh
new file mode 100644
index 000000000..ed2cf7a34
--- /dev/null
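Review bot: The `Generate selinux binary` step splices `${{ needs.get-environment.outputs.version }}` straight into the `run:` script text that `sed -i` executes, which is the interpolation pattern GitHub's own hardening guidance advises against; the conventional form is an `env:` entry on the step, `VERSION: "${{ needs.get-environment.outputs.version }}"`, with the shell line reading `sed -i "s/@VERSION@/${VERSION}/g" centreon-plugins.te`. The value appears to be derived from `selinux/packaging/centreon-plugins-selinux.yaml` through the reusable get-environment workflow, so it is repository content rather than an external input, but the env-var form keeps the script text constant and survives a later change to where the version comes from. Two smaller points: `actions/checkout@v3` is pinned by tag rather than by commit SHA in both jobs, and the workflow declares no top-level `permissions:` block, so its jobs run with the repository's default token scope — it is worth declaring the minimum that get-environment and the composite actions actually need.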
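Review bot: `mode: 0655` under `file_info` installs the policy module with execute permission for group and other but not for the owner, which does not look intentional; a `.pp` file only needs to be readable by `semodule`, so `mode: 0644` is the conventional value. The leading-zero form relies on the YAML 1.1 octal reading, which nfpm's loader appears to honour, but `0o644` or a quoted string would make the intent explicit to any other tool that parses this file. Separately, an SELinux policy module carries no architecture-specific content, so `arch: "amd64"` restricts the RPM to x86_64 without an evident reason; `arch: "all"` would yield a noarch package, though confirm this matches how the other Centreon `-selinux` packages listed under `depends` are built.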
+++ b/selinux/packaging/scripts/centreon-plugins-selinux-postinstall.sh
@@ -0,0 +1,25 @@
+#!/bin/sh
+
+install() {
+ semodule -i /usr/share/selinux/packages/centreon/centreon-plugins.pp > /dev/null 2>&1 || :
+}
+
+upgrade() {
+ semodule -i /usr/share/selinux/packages/centreon/centreon-plugins.pp > /dev/null 2>&1 || :
+}
+
+action="$1"
+if [ "$1" = "configure" ] && [ -z "$2" ]; then
+ action="install"
+elif [ "$1" = "configure" ] && [ -n "$2" ]; then
+ action="upgrade"
+fi
+
+case "$action" in
+ "1" | "install")
+ install
+ ;;
+ "2" | "upgrade")
+ upgrade
+ ;;
+esac
diff --git a/selinux/packaging/scripts/centreon-plugins-selinux-preremove.sh b/selinux/packaging/scripts/centreon-plugins-selinux-preremove.sh
new file mode 100644
index 000000000..ef3a441d5
--- /dev/null
+++ b/selinux/packaging/scripts/centreon-plugins-selinux-preremove.sh
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+if [ "$1" -lt "1" ]; then # Final removal
+ semodule -r centreon-plugins > /dev/null 2>&1 || :
+fi
diff --git a/selinux/src/centreon-plugins.fc b/selinux/src/centreon-plugins.fc
new file mode 100644
index 000000000..e69de29bb
diff --git a/selinux/src/centreon-plugins.if b/selinux/src/centreon-plugins.if
new file mode 100644
index 000000000..590975e34
--- /dev/null
+++ b/selinux/src/centreon-plugins.if
@@ -0,0 +1 @@
+## Centreon Plugins monitoring server.
diff --git a/selinux/src/centreon-plugins.te b/selinux/src/centreon-plugins.te
new file mode 100644
index 000000000..096c280dd
--- /dev/null
+++ b/selinux/src/centreon-plugins.te
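Review bot: Both `install` and `upgrade` run `semodule -i` with stdout and stderr discarded and `|| :` forcing success, so a module that fails to load (for instance a policy version mismatch with the base policy on the target host) leaves the package installed with no policy applied and nothing in the transaction log to show it. Keeping the scriptlet non-fatal is reasonable for a package install, but the failure should at least be visible: `semodule -i /usr/share/selinux/packages/centreon/centreon-plugins.pp >/dev/null 2>&1 || echo "warning: centreon-plugins SELinux module not loaded" >&2`. The two functions are byte-for-byte identical, so one `load_policy()` called from both case arms would remove the duplication and also avoid naming a shell function `install`, which shadows the coreutils `install` utility for the rest of this script.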
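Review bot: `[ "$1" -lt "1" ]` only matches the RPM convention where `$1` is the count of remaining package instances; on a Debian-style removal `$1` is the word `remove`, so `-lt` fails with an integer-expression error and the module is never unloaded, which is inconsistent with the postinstall script going out of its way to handle the `configure` argument. If both packaging systems are intended, `if [ "$1" = "remove" ] || [ "$1" = "0" ]; then` covers both; if only RPM is built, a comment saying so would explain the asymmetry with the postinstall script. As in the postinstall script, the `|| :` after `semodule -r` hides a failed unload — writing a warning to stderr instead keeps the scriptlet non-fatal while leaving a trace.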
@@ -0,0 +1,23 @@
+policy_module(centreon-plugins, @VERSION@)
+
+########################################
+#
+# Declarations
+#
+require {
+ type centreon_engine_t;
+ type centreon_broker_t;
+ type snmpd_t;
+ type fixed_disk_device_t;
+}
+
+########################################
+#
+# Centreon local policy
+#
+
+# centreon_centreon_central.pl
+allow centreon_engine_t centreon_broker_t:fifo_file { open read getattr };
+
+#============= snmpd_t ==============
+allow snmpd_t fixed_disk_device_t:blk_file { open read getattr setattr };
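Review bot: The last rule grants the `snmpd_t` domain `setattr` on `fixed_disk_device_t` block device nodes, which allows it to change the ownership, mode or timestamps of raw disk device files; a monitoring check that only inspects disks would normally need no more than `open read getattr`. Unless a recorded AVC denial shows a specific plugin needing `setattr`, drop it from the permission set, and replace the bare `#============= snmpd_t ==============` header with a comment naming the check that motivated the rule, e.g. `# <plugin or check name>: read-only access to fixed disk devices`. The `# centreon_centreon_central.pl` comment above the engine-to-broker fifo rule would benefit from the same treatment, since it names a file but not why the engine domain needs the broker fifo. Note also that both rules extend domains owned by other policies (`centreon_engine_t`, `snmpd_t`) rather than a domain defined by this module, so the `snmpd_t` grant applies to every snmpd instance on the host, not only to Centreon's use of it.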