Add SELinux subpackage

Signed-off-by: Vitezslav Crhonek <vcrhonek@redhat.com>

openwsman.fc

@@ -0,0 +1,7 @@
+/usr/lib/systemd/system/openwsmand.*		--	gen_context(system_u:object_r:openwsman_unit_file_t,s0)
+
+/usr/sbin/openwsmand		--	gen_context(system_u:object_r:openwsman_exec_t,s0)
+
+/var/log/wsmand.*	--	gen_context(system_u:object_r:openwsman_log_t,s0)
+
+/var/run/wsmand.*	--	gen_context(system_u:object_r:openwsman_run_t,s0)

openwsman.if

@@ -0,0 +1,79 @@
+## <summary>WS-Management Server</summary>
+
+########################################
+## <summary>
+##	Execute openwsman in the openwsman domin.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`openwsman_domtrans',`
+	gen_require(`
+		type openwsman_t, openwsman_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, openwsman_exec_t, openwsman_t)
+')
+########################################
+## <summary>
+##	Execute openwsman server in the openwsman domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`openwsman_systemctl',`
+	gen_require(`
+		type openwsman_t;
+		type openwsman_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+    systemd_read_fifo_file_passwd_run($1)
+	allow $1 openwsman_unit_file_t:file read_file_perms;
+	allow $1 openwsman_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, openwsman_t)
+')
+
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an openwsman environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`openwsman_admin',`
+	gen_require(`
+		type openwsman_t;
+	    type openwsman_unit_file_t;
+	')
+
+	allow $1 openwsman_t:process { signal_perms };
+	ps_process_pattern($1, openwsman_t)
+
+    tunable_policy(`deny_ptrace',`',`
+        allow $1 openwsman_t:process ptrace;
+    ')
+
+	openwsman_systemctl($1)
+	admin_pattern($1, openwsman_unit_file_t)
+	allow $1 openwsman_unit_file_t:service all_service_perms;
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
+')

openwsman.spec

@@ -1,9 +1,15 @@
 # RubyGems's macros expect gem_name to exist.
 %global		gem_name %{name}
 
+# defining macros needed by SELinux
+%global with_selinux 1
+%global selinuxtype targeted
+%global moduletype contrib
+%global modulename openwsman
+
 Name:		openwsman
 Version:	2.7.0
-Release:	3%{?dist}
+Release:	4%{?dist}
 Summary:	Open source Implementation of WS-Management
 
 License:	BSD
@@ -15,6 +21,11 @@ Source1:	openwsmand.8.gz
 Source2:	openwsmand.service
 # script for testing presence of the certificates in ExecStartPre
 Source3:	owsmantestcert.sh
+# Source100-102: selinux policy for openwsman, extracted
+# from https://github.com/fedora-selinux/selinux-policy
+Source100: %{modulename}.te
+Source101: %{modulename}.if
+Source102: %{modulename}.fc
 Patch1:		openwsman-2.4.0-pamsetup.patch
 Patch2:		openwsman-2.4.12-ruby-binding-build.patch
 Patch3:		openwsman-2.6.2-openssl-1.1-fix.patch
@@ -72,6 +83,11 @@ Openwsman Client libraries.
 License:	BSD
 Summary:	Openwsman Server and service libraries
 Requires:	libwsman1 = %{version}-%{release}
+%if 0%{?with_selinux}
+# This ensures that the *-selinux package and all it’s dependencies are not pulled
+# into containers and other systems that do not use SELinux
+Requires:  (%{name}-selinux if selinux-policy-%{selinuxtype})
+%endif
 
 %description server
 Openwsman Server and service libraries.
@@ -121,6 +137,20 @@ Requires:	rubygem-%{gem_name} = %{version}-%{release}
 This is a command line tool for the Windows Remote Shell protocol.
 You can use it to send shell commands to a remote Windows hosts.
 
+%if 0%{?with_selinux}
+# SELinux subpackage
+%package selinux
+Summary:   openwsman SELinux policy
+BuildArch: noarch
+Requires:  selinux-policy-%{selinuxtype}
+Requires(post): selinux-policy-%{selinuxtype}
+BuildRequires: selinux-policy-devel
+%{?selinux_requires}
+
+%description selinux
+Custom SELinux policy module
+%endif
+
 %prep
 %setup -q
 
@@ -164,6 +194,15 @@ export LD_LIBRARY_PATH=%{_builddir}/%{name}-%{version}/build/src/lib/
 
 %gem_install -n ./bindings/ruby/%{name}-%{version}.gem
 
+%if 0%{?with_selinux}
+# SELinux policy (originally from selinux-policy-contrib)
+# this policy module will override the production module
+mkdir selinux
+cp -p %{SOURCE100} %{SOURCE101} %{SOURCE102} selinux/
+make -f %{_datadir}/selinux/devel/Makefile %{modulename}.pp
+bzip2 -9 %{modulename}.pp
+%endif
+
 %install
 cd build
 
@@ -201,6 +240,11 @@ rm -rf %{buildroot}%{gem_instdir}/ext
 mkdir -p %{buildroot}%{gem_extdir_mri}
 cp -a ./build%{gem_extdir_mri}/{gem.build_complete,*.so} %{buildroot}%{gem_extdir_mri}/
 
+%if 0%{?with_selinux}
+install -D -m 0644 build/%{modulename}.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2
+install -D -p -m 0644 build/selinux/%{modulename}.if %{buildroot}%{_datadir}/selinux/devel/include/%{moduletype}/%{name}.if
+%endif
+
 %ldconfig_scriptlets -n libwsman1
 
 %post server
@@ -217,6 +261,30 @@ rm -f /var/log/wsmand.log
 
 %ldconfig_scriptlets client
 
+%if 0%{?with_selinux}
+# SELinux contexts are saved so that only affected files can be
+# relabeled after the policy module installation
+%pre selinux
+%selinux_relabel_pre -s %{selinuxtype}
+
+%post selinux
+%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2
+%selinux_relabel_post -s %{selinuxtype}
+
+if [ "$1" -le "1" ]; then # First install
+   # the service needs to be restarted for the custom label to be applied
+   %systemd_postun_with_restart openwsmand.service
+fi
+
+%postun selinux
+if [ $1 -eq 0 ]; then
+    %selinux_modules_uninstall -s %{selinuxtype} %{modulename}
+    %selinux_relabel_post -s %{selinuxtype}
+    # the service needs to be restarted for the custom label to be removed
+    %systemd_postun_with_restart openwsmand.service
+fi
+%endif
+
 %files -n libwsman1
 %doc AUTHORS COPYING ChangeLog README.md TODO
 %{_libdir}/libwsman.so.*
@@ -281,7 +349,18 @@ rm -f /var/log/wsmand.log
 %files winrs
 %{_bindir}/winrs
 
+%if 0%{?with_selinux}
+%files selinux
+%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.*
+%{_datadir}/selinux/devel/include/%{moduletype}/%{modulename}.if
+%ghost %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename}
+%endif
+
 %changelog
+* Tue Jun 08 2021 Vitezslav Crhonek <vcrhonek@redhat.com> - 2.7.0-4
+- Incorporate -selinux subpackage
+  See https://fedoraproject.org/wiki/SELinux/IndependentPolicy
+
 * Fri Jun 04 2021 Python Maint <python-maint@redhat.com> - 2.7.0-3
 - Rebuilt for Python 3.10
 

openwsman.te

@@ -0,0 +1,74 @@
+policy_module(openwsman, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type openwsman_t;
+type openwsman_exec_t;
+init_daemon_domain(openwsman_t, openwsman_exec_t)
+
+type openwsman_tmp_t;
+files_tmp_file(openwsman_tmp_t)
+
+type openwsman_tmpfs_t;
+files_tmpfs_file(openwsman_tmpfs_t)
+
+type openwsman_log_t;
+logging_log_file(openwsman_log_t)
+
+type openwsman_run_t;
+files_pid_file(openwsman_run_t)
+
+type openwsman_unit_file_t;
+systemd_unit_file(openwsman_unit_file_t)
+
+########################################
+#
+# openwsman local policy
+#
+
+allow openwsman_t self:capability setuid;
+
+allow openwsman_t self:process { fork };
+allow openwsman_t self:fifo_file rw_fifo_file_perms;
+allow openwsman_t self:unix_stream_socket create_stream_socket_perms;
+allow openwsman_t self:tcp_socket { create_socket_perms accept listen };
+
+manage_files_pattern(openwsman_t, openwsman_tmp_t, openwsman_tmp_t)
+manage_dirs_pattern(openwsman_t, openwsman_tmp_t, openwsman_tmp_t)
+files_tmp_filetrans(openwsman_t, openwsman_tmp_t, { dir file })
+
+manage_files_pattern(openwsman_t, openwsman_tmpfs_t, openwsman_tmpfs_t)
+manage_dirs_pattern(openwsman_t, openwsman_tmpfs_t, openwsman_tmpfs_t)
+fs_tmpfs_filetrans(openwsman_t, openwsman_tmpfs_t, { dir file })
+
+manage_files_pattern(openwsman_t, openwsman_log_t, openwsman_log_t)
+logging_log_filetrans(openwsman_t, openwsman_log_t, { file })
+
+manage_files_pattern(openwsman_t, openwsman_run_t, openwsman_run_t)
+files_pid_filetrans(openwsman_t, openwsman_run_t, { file })
+
+auth_use_nsswitch(openwsman_t)
+auth_domtrans_chkpwd(openwsman_t)
+
+corenet_tcp_connect_pegasus_https_port(openwsman_t)
+corenet_tcp_bind_vnc_port(openwsman_t)
+corenet_tcp_bind_http_port(openwsman_t)
+
+dev_read_urand(openwsman_t)
+
+logging_send_syslog_msg(openwsman_t)
+logging_send_audit_msgs(openwsman_t)
+
+optional_policy(`
+    sblim_stream_connect_sfcbd(openwsman_t)
+    sblim_rw_semaphores_sfcbd(openwsman_t)
+    sblim_getattr_exec_sfcbd(openwsman_t)
+')
+
+optional_policy(`
+    unconfined_domain(openwsman_t)
+')
+

tests/tests-DSP.yml

@@ -0,0 +1,37 @@
+- hosts: localhost
+
+  roles:
+  - role: standard-test-beakerlib
+    tags:
+    - classic
+    repositories:
+      - repo: https://pagure.io/DSP_test.git
+        dest: DSP_test
+        version: master
+
+    tests:
+    - DSP_test
+    environment:
+      # RPM package containing the policy module
+      TEST_RPM: openwsman-selinux
+      # policy module name
+      TEST_POLICY: openwsman
+      # policy sources will be extracted from corresponding .src.rpm
+      # policy tar filename regexp (e.g. "usbguard-selinux*.tar.gz")
+      # or empty string if policy sources are not inside a tar archive
+      POLICY_TAR: ''
+      # path to policy sources (in of the tar archive) -- <POLICY_TAR>/<POLICY_PATH>/<TEST_POLICY>.(te|if|fc)
+      # or path in the src.rpm if there is no tar archive -- <src.rpm>/<POLICY_PATH>/<TEST_POLICY>.(te|if|fc)
+      # can contain wildcards (e.g. for versions etc.)
+      POLICY_PATH: .
+
+    required_packages:
+    - policycoreutils
+    - selinux-policy
+    - selinux-policy-targeted
+    - setools-console
+    - libselinux-utils
+    - rpm
+    - tar
+    - git
+    - openwsman-server