From b7e6fca56e2c748d183d32353450ed0ca9daa424 Mon Sep 17 00:00:00 2001
From: Francesco Di Nucci
Date: Fri, 5 Apr 2024 08:29:38 +0200
Subject: [PATCH] fix: add proper SELinux context and enable httpd_enable_cgi

* Add puppet/selinux to dependencies
* Set SELinux context for files in ${basedir}/puppetboard, if virtualenv is managed, set context for it too
* Enable httpd_enable_cgi SELinux boolean to allow WSGI execution
Fixes: #336, #365
---
 manifests/init.pp | 75 +++++++++++++++++++++++++++++++++++++++++------
 metadata.json     |  4 +++
 2 files changed, 70 insertions(+), 9 deletions(-)
diff --git a/manifests/init.pp b/manifests/init.pp
index 62f300d6..239bea29 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -274,17 +274,74 @@
   }

   if $manage_selinux {
-    selboolean { 'httpd_can_network_relay':
-      persistent => true,
-      value      => 'on',
+    # Include puppet/selinux
+    include selinux
+    # Set SELinux booleans required for httpd proper functioning
+    # https://linux.die.net/man/8/httpd_selinux
+    selinux::boolean {
+      default:
+        ensure     => 'on',
+        persistent => true,
+        ;
+      # allow httpd scripts to connect to network: Puppetboard connects
+      # to PuppetDB
+      'httpd_can_network_connect':
+        ;
+      # allow httpd script to connect to database servers: PuppetDB relies
+      # on PostgreSQL
+      'httpd_can_network_connect_db':
+        ;
+      # allow httpd to be used as a forward/reverse proxy
+      'httpd_can_network_relay':
+        ;
+      # enable cgi support
+      'httpd_enable_cgi':
+        ;
     }
-    selboolean { 'httpd_can_network_connect':
-      persistent => true,
-      value      => 'on',
+    # Set context for wsgi and settings
+    selinux::fcontext {
+      default:
+        ensure => present,
+        notify => Selinux::Exec_restorecon["${basedir}/puppetboard"],
+        ;
+      "${basedir}/puppetboard/wsgi.py":
+        seltype => 'httpd_sys_script_exec_t',
+        ;
+      $settings_file :
+        require => File[$settings_file],
+        seltype => 'httpd_sys_content_t',
+        ;
     }
-    selboolean { 'httpd_can_network_connect_db':
-      persistent => true,
-      value      => 'on',
+    # Apply changes above
+    selinux::exec_restorecon { "${basedir}/puppetboard":
+      notify => Service['httpd'],
+    }
+
+    if $manage_virtualenv {
+      # Set context for venv files
+      selinux::fcontext {
+        default:
+          ensure  => present,
+          require => Python::Pip['puppetboard'],
+          notify  => Selinux::Exec_restorecon[$virtualenv_dir],
+          ;
+        "${virtualenv_dir} static files":
+          seltype  => 'httpd_sys_content_t',
+          pathspec => "${virtualenv_dir}(/.*\\.(cfg|css|html|ico|js|pem|png|svg|ttf|txt|woff|woff2|xml))?",
+          ;
+        "${virtualenv_dir} METADATA":
+          seltype  => 'httpd_sys_content_t',
+          pathspec => "${virtualenv_dir}(/.*/METADATA)?",
+          ;
+        "${virtualenv_dir} executables":
+          seltype  => 'httpd_sys_script_exec_t',
+          pathspec => "${virtualenv_dir}(/.*\\.(pth|py|pyc|pyi|so))?",
+          ;
+      }
+      # Apply changes above
+      selinux::exec_restorecon { $virtualenv_dir :
+        notify => Service['httpd'],
+      }
     }
   }
 }
diff --git a/metadata.json b/metadata.json
index 73187dcd..b6f07e83 100644
--- a/metadata.json
+++ b/metadata.json
@@ -73,6 +73,10 @@
     {
       "name": "puppet/python",
       "version_requirement": ">= 6.3.0 < 8.0.0"
+    },
+    {
+      "name": "puppet/selinux",
+      "version_requirement": ">= 3.0.0 < 5.0.0"
     }
   ]
 }
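Review bot: The virtualenv `selinux::exec_restorecon` is only notified by the three `selinux::fcontext` resources, so once the specs exist a later `Python::Pip['puppetboard']` upgrade writes new `.py`/`.so` files that keep whatever label pip's process gave them instead of `httpd_sys_script_exec_t` (pip, unlike a Puppet-managed `file`, does not consult file_contexts), and httpd may be denied on the upgraded code until someone runs restorecon by hand. Subscribing the exec to the pip resource closes that gap: `selinux::exec_restorecon { $virtualenv_dir: subscribe => Python::Pip['puppetboard'], notify => Service['httpd'], }` — this assumes `selinux::exec_restorecon` keeps the puppet/selinux default of `refreshonly => true`, which is not visible here. A second point in the same block: each venv `pathspec` ends in an optional group `(...)?`, so all three specs also match the bare `$virtualenv_dir` with three different seltypes, and the label the venv root ends up with depends on which spec semanage applies last rather than on intent; dropping the trailing `?` (or giving the directory its own explicit spec) removes the ambiguity. Note too that `$virtualenv_dir` and `$basedir` are interpolated into these file-context regexes unescaped, so a `.` or `+` in the configured path matches more than the literal directory. The enclosing class header is outside the hunk.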