SELinux policy from https://bugzilla.redhat.com/show_bug.cgi?id=1051461.

diff --git a/puppet_passenger.te b/passenger.te
similarity index 89%
rename from puppet_passenger.te
rename to passenger.te
index 7676bd5..e2e43af 100644 (file)
--- a/puppet_passenger.te
+++ b/passenger.te
@@ -13,6 +13,8 @@ require {
         type sysctl_net_t;
         type httpd_t;
         type proc_net_t;
+        type home_root_t;
+        type lib_t;
         class sock_file write;
         class tcp_socket listen;
         class dir { search create rmdir };
@@ -35,3 +37,7 @@ allow passenger_t sysctl_net_t:dir search;
 allow passenger_t sysfs_t:dir search;
 allow passenger_t sysfs_t:file { read open };
 allow passenger_t user_tmp_t:file { read getattr open };
+
+# passenger + occi server
+allow passenger_t home_root_t:dir search;
+allow passenger_t lib_t:file execute_no_trans;

diff --git a/rubygem-passenger.spec b/rubygem-passenger.spec
index 186f1d2..5f540ff 100644 (file)
--- a/rubygem-passenger.spec
+++ b/rubygem-passenger.spec
@@ -40,6 +40,7 @@ Source1: passenger.logrotate
 Source2: rubygem-passenger.tmpfiles
 Source10: apache-passenger.conf.in
 Source11: locations.ini
+Source12: passenger.te
 
 # Include sys/types.h for GCC 4.7
 Patch2:         rubygem-passenger-4.0.18-gcc47-include-sys_types.patch
@@ -70,6 +71,9 @@ Requires: ruby(release)
 %else
 Requires: ruby(abi) = 1.8
 %endif
+Requires(post): policycoreutils-python
+Requires(preun): policycoreutils-python
+Requires(postun): policycoreutils-python
 
 %if 0%{?rhel} >= 6 || 0%{?fedora} >= 15
 BuildRequires:  libcurl-devel
@@ -88,6 +92,7 @@ BuildRequires: doxygen
 BuildRequires: graphviz
 BuildRequires: httpd-devel
 BuildRequires: libev-devel
+BuildRequires: policycoreutils-python
 BuildRequires: ruby
 BuildRequires: ruby-devel
 BuildRequires: rubygems
@@ -228,6 +233,10 @@ rake package:gem SKIP_SIGNING=1
 rake apache2
 #rake nginx
 
+checkmodule -M -m -o passenger.mod %{SOURCE12}
+semodule_package -o passenger.pp -m passenger.mod
+
+
 %install
 export USE_VENDORED_LIBEV=false
 
@@ -324,6 +333,10 @@ find %{buildroot}%{gem_instdir} -type f -size 0c -delete
 %{__cp} -p doc/Users?guide?Apache.txt %{buildroot}%{_docdir}/mod_passenger-%{version}
 %endif
 
+%{__mkdir_p} %{buildroot}%{_datadir}/selinux/packages/%{name}
+install -m 0644 passenger.pp %{buildroot}%{_datadir}/selinux/packages/%{name}
+
+
 %check
 export USE_VENDORED_LIBEV=false
 # Run the tests, capture the output, but don't fail the build if the tests fail
@@ -342,6 +355,25 @@ sed -i \
 
 rake test --trace ||:
 
+
+%post
+if [ "$1" -le "1" ] ; then # First install
+  semodule -i %{_datadir}/selinux/packages/%{name}/passenger.pp 2>/dev/null || :
+fi
+
+
+%preun
+if [ "$1" -lt "1" ] ; then # Final removal
+  semodule -r passenger 2>/dev/null || :
+fi
+
+
+%postun
+if [ "$1" -ge "1" ] ; then # Upgrade
+  semodule -i %{_datadir}/selinux/packages/%{name}/passenger.pp 2>/dev/null || :
+fi
+
+
 %files
 %doc %{gem_instdir}/README.md
 %doc %{gem_instdir}/CHANGELOG
@@ -370,6 +402,8 @@ rake test --trace ||:
 %exclude %{gem_instdir}/configure
 %exclude %{gem_instdir}/debian.template/
 %exclude %{gem_cache}
+%dir %{_datadir}/selinux/packages/%{name}
+%{_datadir}/selinux/packages/%{name}/passenger.pp
 
 %files doc
 %doc %{gem_docdir}