import CS efs-utils-1.35.1-7.el9

This commit is contained in:
eabdullin 2024-04-01 13:27:21 +00:00
commit 866fdb77b9
8 changed files with 811 additions and 0 deletions

1
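--- a/.efs-utils.metadata
+++ b/.efs-utils.metadata
@@ -0,0 +1 @@
+b5c87934fa2cd6e620d6f4243c227941d774274c SOURCES/efs-utils-1.35.1.tar.gz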

1
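--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/efs-utils-1.35.1.tar.gz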

5
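--- a/SOURCES/efsutils.fc
+++ b/SOURCES/efsutils.fc
@@ -0,0 +1,5 @@
+/usr/bin/amazon-efs-mount-watchdog -- gen_context(system_u:object_r:efsutils_exec_t,s0)
+/usr/lib/systemd/system/amazon-efs-mount-watchdog.service -- gen_context(system_u:object_r:efsutils_unit_file_t,s0)
+/var/log/amazon/efs(/.*)? gen_context(system_u:object_r:efsutils_log_t,s0)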
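Review bot: Only the watchdog binary is labelled efsutils_exec_t; /usr/sbin/mount.efs, which the spec in this commit installs from src/mount_efs/__init__.py, has no entry here, so it keeps the generic bin label and runs in whatever domain invokes mount rather than in efsutils_t. If that is deliberate (a mount helper normally runs in the caller's domain), a one-line comment would stop the next reader from hunting for a missing rule, e.g. `# mount.efs is intentionally unlabelled: it runs in the domain of the mount caller, not efsutils_t`. The section header reports 5 additions but only three lines are visible, so the other two are presumably blank lines lost in rendering.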

220
SOURCES/efsutils.if Normal file

@ -0,0 +1,220 @@
## <summary>policy for efs-utils</summary>
########################################
## <summary>
## Execute efsutils_exec_t in the efsutils domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`efsutils_domtrans',`
gen_require(`
type efsutils_t, efsutils_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, efsutils_exec_t, efsutils_t)
')
######################################
## <summary>
## Execute efs-utils in the caller domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`efsutils_exec',`
gen_require(`
type efsutils_exec_t;
')
corecmd_search_bin($1)
can_exec($1, efsutils_exec_t)
')
########################################
## <summary>
## Read efs-utils's log files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`efsutils_read_log',`
gen_require(`
type efsutils_log_t;
')
logging_search_logs($1)
read_files_pattern($1, efsutils_log_t, efsutils_log_t)
')
########################################
## <summary>
## Append to efs-utils log files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`efsutils_append_log',`
gen_require(`
type efsutils_log_t;
')
logging_search_logs($1)
append_files_pattern($1, efsutils_log_t, efsutils_log_t)
')
########################################
## <summary>
## Manage efs-utils log files
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`efsutils_manage_log',`
gen_require(`
type efsutils_log_t;
')
logging_search_logs($1)
manage_dirs_pattern($1, efsutils_log_t, efsutils_log_t)
manage_files_pattern($1, efsutils_log_t, efsutils_log_t)
manage_lnk_files_pattern($1, efsutils_log_t, efsutils_log_t)
')
########################################
## <summary>
## Execute efs-utils server in the efsutils domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`efsutils_systemctl',`
gen_require(`
type efsutils_t;
type efsutils_unit_file_t;
')
systemd_exec_systemctl($1)
systemd_read_fifo_file_passwd_run($1)
allow $1 efsutils_unit_file_t:file read_file_perms;
allow $1 efsutils_unit_file_t:service manage_service_perms;
ps_process_pattern($1, efsutils_t)
')
########################################
## <summary>
## All of the rules required to administrate
## an efs-utils environment
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`efsutils_admin',`
gen_require(`
type efsutils_t;
type efsutils_log_t;
type efsutils_unit_file_t;
')
allow $1 efsutils_t:process { signal_perms };
ps_process_pattern($1, efsutils_t)
tunable_policy(`deny_ptrace',`',`
allow $1 efsutils_t:process ptrace;
')
logging_search_logs($1)
admin_pattern($1, efsutils_log_t)
efsutils_systemctl($1)
admin_pattern($1, efsutils_unit_file_t)
allow $1 efsutils_unit_file_t:service all_service_perms;
optional_policy(`
systemd_passwd_agent_exec($1)
systemd_read_fifo_file_passwd_run($1)
')
')
########################################
#
# Interface compatibility blocks
#
# The following definitions ensure compatibility with distribution policy
# versions that do not contain given interfaces (epel, or older Fedora
# releases).
# Each block tests for existence of given interface and defines it if needed.
#
######################################
## <summary>
## Execute stunnel in the caller domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
ifndef(`stunnel_exec',`
interface(`stunnel_exec',`
gen_require(`
type stunnel_exec_t;
')
corecmd_search_bin($1)
can_exec($1, stunnel_exec_t)
')
')
########################################
## <summary>
## Read unconfined domain files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
ifndef(`unconfined_read_files',`
interface(`unconfined_read_files',`
gen_require(`
type unconfined_t;
')
read_files_pattern($1, unconfined_t, unconfined_t)
')
')
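Review bot: The summary on efsutils_systemctl says "Execute efs-utils server in the efsutils domain", but the interface body grants systemctl execution, read on efsutils_unit_file_t and manage_service_perms on the unit — it never transitions the caller; the text looks copied from efsutils_domtrans. Suggest `## Manage the efs-utils watchdog service with systemctl.` for the summary and `## Domain allowed access.` for the parameter, so that callers reading the generated interface docs are not misled into expecting a domain transition. efsutils_admin also grants `all_service_perms` and ptrace (behind deny_ptrace) on efsutils_t, which is the usual admin-interface shape; a short comment on the interface noting it is meant for administrative roles only would make that explicit.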

75
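--- a/SOURCES/efsutils.te
+++ b/SOURCES/efsutils.te
@@ -0,0 +1,75 @@
+policy_module(efsutils, 1.0.0)
+########################################
+#
+# Declarations
+#
+type efsutils_t;
+type efsutils_exec_t;
+init_daemon_domain(efsutils_t, efsutils_exec_t)
+type efsutils_log_t;
+logging_log_file(efsutils_log_t)
+type efsutils_unit_file_t;
+systemd_unit_file(efsutils_unit_file_t)
+########################################
+#
+# efsutils local policy
+#
+allow efsutils_t self:fifo_file rw_fifo_file_perms;
+allow efsutils_t self:unix_stream_socket create_stream_socket_perms;
+manage_dirs_pattern(efsutils_t, efsutils_log_t, efsutils_log_t)
+manage_files_pattern(efsutils_t, efsutils_log_t, efsutils_log_t)
+manage_lnk_files_pattern(efsutils_t, efsutils_log_t, efsutils_log_t)
+logging_log_filetrans(efsutils_t, efsutils_log_t, { dir file lnk_file })
+domain_use_interactive_fds(efsutils_t)
+files_read_etc_files(efsutils_t)
+miscfiles_read_localization(efsutils_t)
+########################################
+#
+# Custom policy
+#
+allow efsutils_t self:netlink_route_socket { bind create getattr nlmsg_read };
+allow efsutils_t self:process getpgid;
+allow efsutils_t self:tcp_socket { accept bind connect create getattr getopt listen setopt shutdown };
+allow efsutils_t self:unix_dgram_socket { connect create };
+auth_read_passwd_file(efsutils_t)
+corecmd_exec_bin(efsutils_t)
+corecmd_mmap_bin_files(efsutils_t)
+corenet_tcp_bind_generic_node(efsutils_t)
+corenet_tcp_bind_generic_port(efsutils_t)
+corenet_tcp_connect_nfs_port(efsutils_t)
+dev_read_sysfs(efsutils_t)
+files_rw_pid_dirs(efsutils_t)
+fs_getattr_nfs(efsutils_t)
+fs_list_nfs(efsutils_t)
+kernel_dgram_send(efsutils_t)
+logging_create_devlog_dev(efsutils_t)
+logging_read_syslog_pid(efsutils_t)
+miscfiles_read_generic_certs(efsutils_t)
+miscfiles_search_generic_cert_dirs(efsutils_t)
+sysnet_read_config(efsutils_t)
+# to be replaced by custom type - efsutils_var_run_t and corresponding rules
+# allow efsutils_t var_run_t:dir rmdir;
+files_delete_all_pids(efsutils_t)
+# allow efsutils_t var_run_t:file { create getattr ioctl open read rename setattr unlink write };
+files_manage_all_pids(efsutils_t)
+#allow efsutils_t unconfined_t:dir search;
+#allow efsutils_t unconfined_t:file { getattr open read };
+optional_policy(`
+unconfined_read_files(efsutils_t)
+')
+#allow efs-utils_t stunnel_exec_t:file { execute execute_no_trans map open read };
+optional_policy(`
+stunnel_exec(efsutils_t)
+')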
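Review bot: files_manage_all_pids(efsutils_t) and files_delete_all_pids(efsutils_t) let the watchdog domain create, rewrite and remove any file under the pid directory, including other daemons' pid files and sockets; the comment above them already marks this as a stand-in for an efsutils_var_run_t type, but the commit ships the broad rule. Declaring the private type with a pid filetrans keeps the watchdog's runtime state under its own label and lets the two *_all_pids rules go; the matching path entry still has to be added to efsutils.fc, and the actual run-time directory the watchdog uses is not visible in this commit. corenet_tcp_bind_generic_port(efsutils_t) is similarly wide (any generic port) and, if it exists only for the local stunnel listener, deserves a comment saying so.
```selinux
# … unchanged: declarations and log rules …
type efsutils_var_run_t;
files_pid_file(efsutils_var_run_t)

manage_dirs_pattern(efsutils_t, efsutils_var_run_t, efsutils_var_run_t)
manage_files_pattern(efsutils_t, efsutils_var_run_t, efsutils_var_run_t)
files_pid_filetrans(efsutils_t, efsutils_var_run_t, { dir file })
# … unchanged: remaining custom policy, with files_delete_all_pids / files_manage_all_pids removed …
```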

227
SOURCES/efsutils_selinux.8 Normal file

@ -0,0 +1,227 @@
.TH "efsutils_selinux" "8" "23-11-09" "efs-utils" "SELinux Policy efs-utils"
.SH "NAME"
efsutils_selinux \- Security Enhanced Linux Policy for the efs-utils processes
.SH "DESCRIPTION"
Security-Enhanced Linux secures the efs-utils processes via flexible mandatory access control.
The efs-utils processes execute with the efsutils_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
For example:
.B ps -eZ | grep efsutils_t
.SH "ENTRYPOINTS"
The efsutils_t SELinux type can be entered via the \fBefsutils_exec_t\fP file type.
The default entrypoint paths for the efsutils_t domain are the following:
/usr/bin/amazon-efs-mount-watchdog
.SH PROCESS TYPES
SELinux defines process types (domains) for each process running on the system
.PP
You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
.PP
Policy governs the access confined processes have to files.
SELinux efs-utils policy is very flexible allowing users to setup their efs-utils processes in as secure a method as possible.
.PP
The following process types are defined for efs-utils:
.EX
.B efsutils_t
.EE
.PP
Note:
.B semanage permissive -a efsutils_t
can be used to make the process type efsutils_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated.
.SH BOOLEANS
SELinux policy is customizable based on least access required. efs-utils policy is extremely flexible and has several booleans that allow you to manipulate the policy and run efs-utils with the tightest access possible.
.PP
If you want to dontaudit all daemons scheduling requests (setsched, sys_nice), you must turn on the daemons_dontaudit_scheduling boolean. Enabled by default.
.EX
.B setsebool -P daemons_dontaudit_scheduling 1
.EE
.PP
If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default.
.EX
.B setsebool -P fips_mode 1
.EE
.SH "MANAGED FILES"
The SELinux process type efsutils_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
.br
.B cluster_conf_t
/etc/cluster(/.*)?
.br
.br
.B cluster_var_lib_t
/var/lib/pcsd(/.*)?
.br
/var/lib/cluster(/.*)?
.br
/var/lib/openais(/.*)?
.br
/var/lib/pengine(/.*)?
.br
/var/lib/corosync(/.*)?
.br
/usr/lib/heartbeat(/.*)?
.br
/var/lib/heartbeat(/.*)?
.br
/var/lib/pacemaker(/.*)?
.br
.br
.B cluster_var_run_t
/var/run/crm(/.*)?
.br
/var/run/cman_.*
.br
/var/run/rsctmp(/.*)?
.br
/var/run/aisexec.*
.br
/var/run/heartbeat(/.*)?
.br
/var/run/pcsd-ruby.socket
.br
/var/run/corosync-qnetd(/.*)?
.br
/var/run/corosync-qdevice(/.*)?
.br
/var/run/corosync\.pid
.br
/var/run/cpglockd\.pid
.br
/var/run/rgmanager\.pid
.br
/var/run/cluster/rgmanager\.sk
.br
.br
.B efsutils_log_t
/var/log/amazon/efs(/.*)?
.br
.br
.B root_t
/sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
.br
/
.br
/initrd
.br
.br
.B var_run_t
/run/.*
.br
/var/run/.*
.br
/run
.br
/var/run
.br
/var/run
.br
/var/spool/postfix/pid
.br
.SH FILE CONTEXTS
SELinux requires files to have an extended attribute to define the file type.
.PP
You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
.PP
Policy governs the access confined processes have to these files.
SELinux efs-utils policy is very flexible allowing users to setup their efs-utils processes in as secure a method as possible.
.PP
.PP
.B STANDARD FILE CONTEXT
SELinux defines the file context types for the efs-utils, if you wanted to
store files with these types in a different paths, you need to execute the semanage command to specify alternate labeling and then use restorecon to put the labels on disk.
.B semanage fcontext -a -t efsutils_exec_t '/srv/efs-utils/content(/.*)?'
.br
.B restorecon -R -v /srv/myefs-utils_content
Note: SELinux often uses regular expressions to specify labels that match multiple files.
.I The following file types are defined for efs-utils:
.EX
.PP
.B efsutils_exec_t
.EE
- Set files with the efsutils_exec_t type, if you want to transition an executable to the efsutils_t domain.
.EX
.PP
.B efsutils_log_t
.EE
- Set files with the efsutils_log_t type, if you want to treat the data as efs-utils log data, usually stored under the /var/log directory.
.EX
.PP
.B efsutils_unit_file_t
.EE
- Set files with the efsutils_unit_file_t type, if you want to treat the files as efs-utils unit content.
.PP
Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
.B semanage fcontext
command. This will modify the SELinux labeling database. You will need to use
.B restorecon
to apply the labels.
.SH "COMMANDS"
.B semanage fcontext
can also be used to manipulate default file context mappings.
.PP
.B semanage permissive
can also be used to manipulate whether or not a process type is permissive.
.PP
.B semanage module
can also be used to enable/disable/install/remove policy modules.
.B semanage boolean
can also be used to manipulate the booleans
.PP
.B system-config-selinux
is a GUI tool available to customize SELinux policy settings.
.SH AUTHOR
This manual page was auto-generated using
.B "sepolicy manpage".
.SH "SEE ALSO"
selinux(8), efsutils(8), semanage(8), restorecon(8), chcon(1), sepolicy(8), setsebool(8)


@ -0,0 +1,57 @@
From 36ab2ad0d4fff5a5c44369a2322b76fd17707621 Mon Sep 17 00:00:00 2001
From: Major Hayden <major@redhat.com>
Date: Wed, 15 Nov 2023 10:55:57 -0600
Subject: [PATCH] Fix utcnow() deprecation warning
Fixes: #187
Signed-off-by: Major Hayden <major@redhat.com>
---
src/mount_efs/__init__.py | 4 ++--
src/watchdog/__init__.py | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/mount_efs/__init__.py b/src/mount_efs/__init__.py
index 0e9dd20..fec8de5 100755
--- a/src/mount_efs/__init__.py
+++ b/src/mount_efs/__init__.py
@@ -47,7 +47,7 @@
import threading
import time
from contextlib import contextmanager
-from datetime import datetime, timedelta
+from datetime import datetime, timedelta, timezone
from logging.handlers import RotatingFileHandler
try:
@@ -2333,7 +2333,7 @@ def get_utc_now():
"""
Wrapped for patching purposes in unit tests
"""
- return datetime.utcnow()
+ return datetime.now(timezone.utc)
def assert_root():
diff --git a/src/watchdog/__init__.py b/src/watchdog/__init__.py
index c3d76e3..28c3bbb 100755
--- a/src/watchdog/__init__.py
+++ b/src/watchdog/__init__.py
@@ -25,7 +25,7 @@
import time
from collections import namedtuple
from contextlib import contextmanager
-from datetime import datetime, timedelta
+from datetime import datetime, timedelta, timezone
from logging.handlers import RotatingFileHandler
from signal import SIGHUP, SIGKILL, SIGTERM
@@ -2229,7 +2229,7 @@ def get_utc_now():
"""
Wrapped for patching purposes in unit tests
"""
- return datetime.utcnow()
+ return datetime.now(timezone.utc)
def check_process_name(pid):
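Review bot: After this patch get_utc_now() returns a timezone-aware datetime where it previously returned a naive one, and that is a type change, not just a warning fix: any caller that subtracts the result from, or compares it with, a naive datetime (one parsed from a state file, or built with utcfromtimestamp) will raise TypeError at runtime. The callers sit outside both hunks, so this is inferred from the visible change only; a check of every datetime arithmetic on get_utc_now()'s result in src/mount_efs and src/watchdog, adding tzinfo=timezone.utc to the other operand where needed, would confirm it. The same point applies to the second hunk in src/watchdog/__init__.py.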

225
SPECS/efs-utils.spec Normal file

@ -0,0 +1,225 @@
# RHEL 9 does not include pytest-mock.
%bcond_with tests
%global with_selinux 1
%global selinuxtype targeted
%global modulename efsutils
%global watchdog_service_name amazon-efs-mount-watchdog
Name: efs-utils
Version: 1.35.1
Release: 7%{?dist}
Summary: Utilities for Amazon Elastic File System (EFS)
License: MIT
URL: https://github.com/aws/efs-utils
Source0: %{url}/archive/v%{version}/%{name}-%{version}.tar.gz
Source1: efsutils.te
Source2: efsutils.if
Source3: efsutils.fc
Source4: efsutils_selinux.8
# Patch a deprecation warning to avoid having it fill the logs.
# https://github.com/aws/efs-utils/pull/189
Patch: fix-deprecation-warning.patch
BuildArch: noarch
Requires: nfs-utils
Requires: openssl
Requires: stunnel
Requires: util-linux
Requires: which
Requires: python3dist(botocore)
%if 0%{?with_selinux}
Requires: (%{name}-selinux if selinux-policy-%{selinuxtype})
%endif
BuildRequires: python3-devel
BuildRequires: systemd-rpm-macros
%if %{with tests}
BuildRequires: python3dist(botocore)
BuildRequires: python3dist(pytest)
BuildRequires: python3dist(pytest-mock)
%endif
%global _description %{expand:
Utilities for Amazon Elastic File System (EFS).}
%description %{_description}
%if 0%{?with_selinux}
# SELinux subpackage
%package selinux
Summary: %{name} SELinux policy
Requires: %{name} = %{version}-%{release}
Requires: selinux-policy-%{selinuxtype}
Requires(post): selinux-policy-%{selinuxtype}
BuildRequires: selinux-policy-devel
%{?selinux_requires}
%description selinux
Custom %{name} SELinux policy module
%endif
%prep
%autosetup -n %{name}-%{version} -p1
# Use unittest.mock for testing.
sed -i 's/from mock/from unittest.mock/' test/common.py
%build
echo "Nothing to build"
# Disable the automatic version checking.
sed -i 's/enable_version_check = true/enable_version_check = false/' dist/efs-utils.conf
%if 0%{?with_selinux}
mkdir selinux
cp -p %{SOURCE1} selinux/
cp -p %{SOURCE2} selinux/
cp -p %{SOURCE3} selinux/
cp -p %{SOURCE4} selinux/
%make_build -f %{_datadir}/selinux/devel/Makefile %{modulename}.pp
bzip2 -9 %{modulename}.pp
%endif
%install
# Watchdog service unit file.
install -m 0755 -vd %{buildroot}%{_unitdir}
install -vp -m 644 dist/%{watchdog_service_name}.service %{buildroot}%{_unitdir}/
# Watchdog service itself.
install -m 0755 -vd %{buildroot}%{_bindir}
install -vp -m 755 src/watchdog/__init__.py %{buildroot}%{_bindir}/amazon-efs-mount-watchdog
# Configuration files and Amazon root certificates.
install -m 0755 -vd %{buildroot}%{_sysconfdir}/amazon/efs/
install -vp -m 644 dist/%{name}.conf %{buildroot}%{_sysconfdir}/amazon/efs/
install -vp -m 444 dist/%{name}.crt %{buildroot}%{_sysconfdir}/amazon/efs/
# mount.efs script allows mounting EFS file systems by their short name.
install -m 0755 -vd %{buildroot}%{_sbindir}
install -vp -m 755 src/mount_efs/__init__.py %{buildroot}%{_sbindir}/mount.efs
# Man page.
install -m 0755 -vd %{buildroot}%{_mandir}/man8/
install -vp -m 644 man/mount.efs.8 %{buildroot}%{_mandir}/man8/
# Log directory.
install -m 0755 -vd %{buildroot}%{_localstatedir}/log/amazon/efs
%if 0%{?with_selinux}
install -D -m 0644 -t %{buildroot}%{_mandir}/man8 selinux/%{modulename}_selinux.8
install -D -m 0644 %{modulename}.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2
install -D -p -m 0644 selinux/%{modulename}.if %{buildroot}%{_datadir}/selinux/devel/include/distributed/%{modulename}.if
%endif
%if %{with tests}
%check
# Avoid running tests with coverage enabled.
touch pytest.ini
# Ignore some tests that require networking and get stuck forever.
# Also skip a broken version check test: https://github.com/aws/efs-utils/issues/194
PYTHONPATH=$(pwd)/src %pytest \
--ignore test/mount_efs_test/test_main.py \
--ignore test/mount_efs_test/test_bootstrap_tls.py \
--ignore test/mount_efs_test/test_create_self_signed_cert.py \
--ignore test/watchdog_test/test_refresh_self_signed_certificate.py \
-k "not test_version_check_ready"
%endif
########################################################################################
#
# BEGIN SELINUX PRE/POST
#
# SELinux contexts are saved so that only affected files can be
# relabeled after the policy module installation
%if 0%{?with_selinux}
%pre selinux
%selinux_relabel_pre -s %{selinuxtype}
%post selinux
%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2
%selinux_relabel_post -s %{selinuxtype}
if [ "$1" -le "1" ]; then # First install
%systemd_postun_with_restart %{watchdog_service_name}.service
fi
%postun selinux
if [ $1 -eq 0 ]; then
%selinux_modules_uninstall -s %{selinuxtype} %{modulename}
%selinux_relabel_post -s %{selinuxtype}
%systemd_postun_with_restart %{watchdog_service_name}.service
fi
%endif
########################################################################################
%files -n %{name}
%license LICENSE
%doc CONTRIBUTING.md README.md
%dir /var/log/amazon/efs
%dir %{_sysconfdir}/amazon
%dir %{_sysconfdir}/amazon/efs
%config(noreplace) %{_sysconfdir}/amazon/efs/efs-utils.conf
%{_unitdir}/%{watchdog_service_name}.service
%{_sysconfdir}/amazon/efs/efs-utils.crt
%{_sbindir}/mount.efs
%{_bindir}/amazon-efs-mount-watchdog
%{_mandir}/man8/mount.efs.8*
%if 0%{?with_selinux}
%files selinux
%{_mandir}/man8/%{modulename}_selinux.8.*
%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.*
%{_datadir}/selinux/devel/include/distributed/%{modulename}.if
%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename}
%endif
%post
%systemd_post %{watchdog_service_name}.service
%preun
%systemd_preun %{watchdog_service_name}.service
%postun
%systemd_postun_with_restart %{watchdog_service_name}.service
%changelog
* Fri Jan 19 2024 Felix Kolwa <fkolwa@redhat.com> - 1.35.1-7
- Bump revision number to 7.
- Pull in changes from Major Hayden:
- Skip version check test
Opened upstream bug:
https://github.com/aws/efs-utils/issues/194
- Disable automatic version check
* Mon Jan 08 2024 Felix Kolwa <fkolwa@redhat.com> - 1.35.0-6
- Bump revision number to 6.
* Thu Dec 07 2023 Felix Kolwa <fkolwa@redhat.com> - 1.35.0-5
- Bump release to 5 to include selinux-policy-targeted-38.1.28-1 release.
* Fri Nov 17 2023 fkolwa <fkolwa@redhat.com> - 1.35.0-4
- Refactor watchdog service name
* Wed Nov 15 2023 Major Hayden <major@redhat.com> - 1.35.0-3
- Added deprecation warning patch.
- Added SELinux policies. (RHEL-14154)
* Tue Oct 10 2023 Major Hayden <major@redhat.com> - 1.35.0-2
- Add patch for ignoring the fsap option.
* Tue Sep 05 2023 Major Hayden <major@redhat.com> - 1.31.38-1
- Initial package for version 1.31.38
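Review bot: `%dir /var/log/amazon/efs` in the `%files -n %{name}` list is the one hard-coded path in the spec, while `%install` creates the same directory as `%{_localstatedir}/log/amazon/efs`; the two resolve identically on RHEL 9, but the list will silently drop the directory if the macro is ever overridden at build time. Using `%dir %{_localstatedir}/log/amazon/efs` keeps the two in step (efsutils.fc labels the literal path, which is correct for a file-context spec). Separately, the changelog entry for 1.35.0-2 mentions an fsap-option patch that no longer appears in the Source/Patch list of this import, so a changelog line recording that it was dropped or merged upstream would make the package history traceable.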