feat(ci): package centreon-plugins-selinux (#4640)

.github/docker/Dockerfile.packaging-plugins-alma8

@@ -10,7 +10,7 @@ baseurl=https://repo.goreleaser.com/yum/
 enabled=1
 gpgcheck=0' | tee /etc/yum.repos.d/goreleaser.repo
 
-dnf -y install gcc git gettext rpm-build dos2unix python3 epel-release nfpm openssl-devel jq zstd
+dnf -y install gcc git gettext rpm-build dos2unix python3 epel-release nfpm openssl-devel jq zstd selinux-policy-devel
 dnf -y install perl-App-cpanminus perl-JSON
 cpanm App::FatPacker
 cpanm File::Copy::Recursive

.github/docker/Dockerfile.packaging-plugins-alma9

@@ -10,7 +10,7 @@ baseurl=https://repo.goreleaser.com/yum/
 enabled=1
 gpgcheck=0' | tee /etc/yum.repos.d/goreleaser.repo
 
-dnf -y install gcc git gettext rpm-build dos2unix python3 epel-release nfpm openssl-devel jq zstd
+dnf -y install gcc git gettext rpm-build dos2unix python3 epel-release nfpm openssl-devel jq zstd selinux-policy-devel
 dnf -y install perl-App-cpanminus perl-JSON
 cpanm App::FatPacker
 cpanm File::Copy::Recursive

.github/workflows/plugins-selinux.yml

@@ -0,0 +1,91 @@
+name: plugins-selinux
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+on:
+  workflow_dispatch:
+  pull_request:
+    paths:
+      - 'selinux/**'
+  push:
+    branches:
+      - develop
+      - master
+    paths:
+      - 'selinux/**'
+
+jobs:
+  get-environment:
+    uses: ./.github/workflows/get-environment.yml
+    with:
+      version_file: selinux/packaging/centreon-plugins-selinux.yaml
+
+  package:
+    needs: [get-environment]
+    runs-on: ubuntu-22.04
+    strategy:
+      matrix:
+        include:
+          - package_extension: rpm
+            image: packaging-plugins-alma8
+            distrib: el8
+          - package_extension: rpm
+            image: packaging-plugins-alma9
+            distrib: el9
+
+    container:
+      image: ${{ vars.DOCKER_INTERNAL_REGISTRY_URL }}/${{ matrix.image }}
+      credentials:
+        username: ${{ secrets.DOCKER_REGISTRY_ID }}
+        password: ${{ secrets.DOCKER_REGISTRY_PASSWD }}
+
+    name: package ${{ matrix.distrib }}
+
+    steps:
+      - name: Checkout sources
+        uses: actions/checkout@v3
+
+      - name: Generate selinux binary
+        run: |
+          cd selinux/src
+          sed -i "s/@VERSION@/${{ needs.get-environment.outputs.version }}/g" centreon-plugins.te
+          make -f /usr/share/selinux/devel/Makefile
+        shell: bash
+
+      - name: Package
+        uses: ./.github/actions/package
+        with:
+          nfpm_file_pattern: "selinux/packaging/centreon-plugins-selinux.yaml"
+          distrib: ${{ matrix.distrib }}
+          package_extension: ${{ matrix.package_extension }}
+          version: ${{ needs.get-environment.outputs.version }}
+          release: ${{ needs.get-environment.outputs.release }}
+          commit_hash: ${{ github.sha }}
+          cache_key: ${{ github.sha }}-${{ github.run_id }}-${{ matrix.package_extension }}-${{ matrix.distrib }}
+          rpm_gpg_key: ${{ secrets.RPM_GPG_SIGNING_KEY }}
+          rpm_gpg_signing_key_id: ${{ secrets.RPM_GPG_SIGNING_KEY_ID }}
+          rpm_gpg_signing_passphrase: ${{ secrets.RPM_GPG_SIGNING_PASSPHRASE }}
+
+  deliver-rpm:
+    needs: [get-environment, package]
+    if: ${{ contains(fromJson('["stable", "testing", "unstable"]'), needs.get-environment.outputs.stability) }}
+    runs-on: [self-hosted, common]
+
+    strategy:
+      matrix:
+        distrib: [el8, el9]
+
+    steps:
+      - name: Checkout sources
+        uses: actions/checkout@v3
+
+      - name: Delivery
+        uses: ./.github/actions/rpm-delivery
+        with:
+          module_name: plugins-selinux
+          distrib: ${{ matrix.distrib }}
+          cache_key: ${{ github.sha }}-${{ github.run_id }}-rpm-${{ matrix.distrib }}
+          stability: ${{ needs.get-environment.outputs.stability }}
+          artifactory_token: ${{ secrets.ARTIFACTORY_ACCESS_TOKEN }}

selinux/packaging/centreon-plugins-selinux.yaml

@@ -0,0 +1,42 @@
+name: "centreon-plugins-selinux"
+arch: "amd64"
+platform: "linux"
+version_schema: "none"
+version: "0.0.8"
+release: "${RELEASE}${DIST}"
+section: "default"
+priority: "optional"
+maintainer: "Centreon <contact@centreon.com>"
+description: |
+  SELinux context for centreon-plugins
+vendor: "Centreon"
+homepage: "https://centreon.com"
+license: "Apache-2.0"
+
+depends:
+  - policycoreutils
+  - centreon-common-selinux
+  - centreon-engine-selinux
+  - centreon-broker-selinux
+replaces:
+  - centreon-plugins-selinux-debuginfo
+conflicts:
+  - centreon-plugins-selinux-debuginfo
+provides:
+  - centreon-plugins-selinux-debuginfo
+
+contents:
+  - src: "../src/centreon-plugins.pp"
+    dst: "/usr/share/selinux/packages/centreon/centreon-plugins.pp"
+    file_info:
+      mode: 0655
+
+scripts:
+  postinstall: ./scripts/centreon-plugins-selinux-postinstall.sh
+  preremove: ./scripts/centreon-plugins-selinux-preremove.sh
+
+rpm:
+  summary: SELinux context for centreon-plugins
+  signature:
+    key_file: ${RPM_SIGNING_KEY_FILE}
+    key_id: ${RPM_SIGNING_KEY_ID}

selinux/packaging/scripts/centreon-plugins-selinux-postinstall.sh

@@ -0,0 +1,25 @@
+#!/bin/sh
+
+install() {
+  semodule -i /usr/share/selinux/packages/centreon/centreon-plugins.pp > /dev/null 2>&1 || :
+}
+
+upgrade() {
+  semodule -i /usr/share/selinux/packages/centreon/centreon-plugins.pp > /dev/null 2>&1 || :
+}
+
+action="$1"
+if  [ "$1" = "configure" ] && [ -z "$2" ]; then
+  action="install"
+elif [ "$1" = "configure" ] && [ -n "$2" ]; then
+  action="upgrade"
+fi
+
+case "$action" in
+  "1" | "install")
+    install
+    ;;
+  "2" | "upgrade")
+    upgrade
+    ;;
+esac

selinux/packaging/scripts/centreon-plugins-selinux-preremove.sh

@@ -0,0 +1,5 @@
+#!/bin/sh
+
+if [ "$1" -lt "1" ]; then # Final removal
+  semodule -r centreon-plugins > /dev/null 2>&1 || :
+fi

selinux/src/centreon-plugins.if

@@ -0,0 +1 @@
+## <summary>Centreon Plugins monitoring server.</summary>

selinux/src/centreon-plugins.te

@@ -0,0 +1,23 @@
+policy_module(centreon-plugins, @VERSION@)
+
+########################################
+#
+# Declarations
+#
+require {
+	type centreon_engine_t;
+	type centreon_broker_t;
+	type snmpd_t;
+	type fixed_disk_device_t;
+}
+
+########################################
+#
+# Centreon local policy
+#
+
+# centreon_centreon_central.pl
+allow centreon_engine_t centreon_broker_t:fifo_file { open read getattr };
+
+#============= snmpd_t ==============
+allow snmpd_t fixed_disk_device_t:blk_file { open read getattr setattr };