From: František Dvořák
Date: Wed, 19 Oct 2016 14:41:59 +0000 (+0200)
Subject: Finalize packaging:
X-Git-Url: http://scientific.zcu.cz/git/?a=commitdiff_plain;h=d188b1cd2adf45fa8f9fd98b6048b175011c72ef;p=packaging-rpm-NOW.git
Finalize packaging:
* SELinux support (only EPEL7 tested)
* package README file
* deployment updates
---
diff --git a/NOW.conf b/NOW.conf
index b9c4223..79c87b6 100644
--- a/NOW.conf
+++ b/NOW.conf
@@ -1,4 +1,4 @@
-Listen 11080
+Listen localhost:11080
 LogLevel info
@@ -13,4 +13,5 @@ Listen 11080
 PassengerUser now
 PassengerGroup now
 PassengerMinInstances 3
+ PassengerFriendlyErrorPages off
diff --git a/NOW.spec b/NOW.spec
index a1dc517..b759d2d 100644
--- a/NOW.spec
+++ b/NOW.spec
@@ -2,27 +2,34 @@
 %global app_root %{_datadir}/%{name}
 %global semodule_name now
-%global commit0 7496c4388c785eee5c3115dc63eded398e17b349
+%global commit0 4cd4d76de20a2a6230fcae4bcb4718ef2105a84c
 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
 %if 0%{?rhel} && 0%{?rhel} <= 7
 # old rspec
 %global with_tests 0
+%global selinux_pkg policycoreutils-python
 %else
 %global with_tests 1
+%global selinux_pkg policycoreutils-python-utils
 %endif
 Name: NOW
 Version: 0.0.1
-Release: 0%{?dist}.20160918git%{shortcommit0}
+Release: 0.20160928git4cd4d76
 Summary: Network Orchestrator Wrapper for OpenNebula
 License: ASL 2.0
 URL: https://github.com/CESNET/NOW
 Source0: https://github.com/CESNET/%{name}/archive/%{commit0}.tar.gz#/%{name}-%{shortcommit0}.tar.gz
 Source1: NOW.conf
+Source2: %{semodule_name}.te
+Source3: %{semodule_name}.fc
+Source4: README.Fedora
 BuildArch: noarch
+BuildRequires: checkpolicy
+BuildRequires: %{selinux_pkg}
 BuildRequires: ruby-devel
 %if 0%{?with_tests}
 BuildRequires: rubygem(bigdecimal)
@@ -36,6 +43,8 @@ BuildRequires: rubygem(rdoc)
 BuildRequires: rubygem(sinatra)
 BuildRequires: rubygem(sinatra-cross_origin)
 %endif
+Requires(post): %{selinux_pkg}
+Requires(preun): %{selinux_pkg}
 Requires(pre): shadow-utils
 Requires: mod_passenger
 Requires: rubygem(bigdecimal)
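Review bot: `+Listen localhost:11080` expresses the loopback-only intent through a hostname, so the address httpd actually binds depends on what the resolver returns for `localhost` on that host. `Listen 127.0.0.1:11080` (plus `Listen [::1]:11080` where IPv6 loopback is wanted) pins the binding explicitly and does not depend on /etc/hosts. The `semanage port -a -t http_port_t -p tcp 11080` added in %post covers either form, so nothing else needs to change.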
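Review bot: `+Release: 0.20160928git4cd4d76` hard-codes the short commit and drops `%{?dist}`, although `%global shortcommit0` is still defined a few lines above and gen.sh (later in this commit) only rewrites `%global commit0` with sed, so the next regeneration will leave Release naming a stale commit; without the dist tag an EPEL7 and a Fedora build of the same snapshot also get the same NVR. Keep the macro and the dist tag: `Release: 0.20160928git%{shortcommit0}%{?dist}`. The %changelog entry in the last NOW.spec hunk uses the same literal and would need to match.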
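Review bot: The new `Requires(post)`/`Requires(preun)` on `%{selinux_pkg}` do not cover `%postun`, which in the third NOW.spec hunk of this commit runs `semodule -i` and `restorecon` on upgrade; add `Requires(postun): %{selinux_pkg}` so the tools are guaranteed to be present when that scriptlet runs. The `2>/dev/null || :` on those calls would otherwise hide a missing `semodule` and leave the upgraded package without its policy module.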
@@ -67,6 +76,8 @@ Documentation for %{name}.
 %build
+checkmodule -M -m -o %{semodule_name}.mod %{SOURCE2}
+semodule_package -o %{semodule_name}.pp -m %{semodule_name}.mod -f %{SOURCE3}
 %install
@@ -79,6 +90,15 @@ install -m 0640 %{SOURCE1} %{buildroot}/%{_sysconfdir}/httpd/conf.d/
 rdoc --op rdoc/ models/ lib/ *.rb README*
 mv rdoc %{buildroot}%{_pkgdocdir}/
+# Fedora README
+install -p -m 0644 %{SOURCE4} %{buildroot}%{_pkgdocdir}/
+
+# SELinux
+mkdir -p %{buildroot}%{_datadir}/selinux/packages/%{name}
+install -m 0644 %{semodule_name}.pp %{buildroot}%{_datadir}/selinux/packages/%{name}
+rm -f %{buildroot}%{app_root}/%{semodule_name}.mod
+rm -f %{buildroot}%{app_root}/%{semodule_name}.pp
+
 %check
 %if 0%{?with_tests}
@@ -92,28 +112,34 @@ getent group now >/dev/null || groupadd -r now
 getent passwd now >/dev/null || \
 useradd -r -g now -d %{app_root} -s /sbin/nologin -c "NOW user" now
-# no SELinux support yet (will be similar to rOCCI server)
-%if 0
 %post
 if [ "$1" -le "1" ] ; then # First install
 semodule -i %{_datadir}/selinux/packages/%{name}/%{semodule_name}.pp 2>/dev/null || :
- restorecon -R %{app_root} %{_localstatedir}/log/rocci-server 2>/dev/null || :
- semanage port -a -t http_port_t -p tcp 11443 2>/dev/null || :
+ restorecon -R %{app_root} 2>/dev/null || :
+ semanage port -a -t http_port_t -p tcp 2633 2>/dev/null || :
+ semanage port -a -t http_port_t -p tcp 11080 2>/dev/null || :
 fi
 %preun
 if [ "$1" -lt "1" ] ; then # Final removal
 semodule -r %{semodule_name} 2>/dev/null || :
- restorecon -R %{app_root} %{_localstatedir}/log/rocci-server 2>/dev/null || :
- semanage port -d -t http_port_t -p tcp 11443 2>/dev/null || :
+ restorecon -R %{app_root} 2>/dev/null || :
+ semanage port -d -t http_port_t -p tcp 2633 2>/dev/null || :
+ semanage port -d -t http_port_t -p tcp 11080 2>/dev/null || :
+fi
+
+%postun
+if [ "$1" -ge "1" ] ; then # Upgrade
+ semodule -i %{_datadir}/selinux/packages/%{name}/%{semodule_name}.pp 2>/dev/null || :
+ restorecon -R %{app_root} 2>/dev/null || :
 fi
-%endif
 %files
 %dir %{app_root}/
 %license %{app_root}/LICENSE
 %license %{app_root}/NOTICE
+%{_pkgdocdir}/README.Fedora
 %attr(0600, now, now) %config(noreplace) %{_sysconfdir}/now.yml
 %config(noreplace) %{_sysconfdir}/httpd/conf.d/%{name}.conf
 %{app_root}/models/
@@ -122,6 +148,7 @@ fi
 %{app_root}/templates/
 %{app_root}/config.ru
 %{app_root}/*.rb
+%{_datadir}/selinux/packages/%{name}/%{semodule_name}.pp
 %files doc
 %doc %{app_root}/README.md
@@ -134,5 +161,5 @@ fi
 %changelog
-* Sun Sep 18 2016 FrantiÅ¡ek Dvořák - 0.0.1-0.20160918git7496c43
+* Wed Oct 19 2016 FrantiÅ¡ek Dvořák - 0.0.1-0.20160928git4cd4d76
 - Initial package
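Review bot: The new `%preun` lines delete the `http_port_t` label from tcp 2633 and 11080 unconditionally, and `2>/dev/null || :` on both the `-a` and `-d` calls hides whether the label was ever added by this package; 2633 is the OpenNebula RPC port rather than a port this package serves, so if that label already existed (or was set by an administrator to satisfy the README's advice) removing the package silently takes it away again, and a failed `-a` in `%post` is equally invisible. Record in `%post` whether each `semanage port -a` actually succeeded, and only run the matching `-d` in `%preun` for ports this package added; at minimum log the failures instead of discarding stderr. The `%post`/`%preun`/`%postun` scriptlets are complete within this hunk.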
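Review bot: `+%{_datadir}/selinux/packages/%{name}/%{semodule_name}.pp` in the `%files` hunk lists only the module file, while the `%{_datadir}/selinux/packages/%{name}` directory created by `mkdir -p` in `%install` is owned by nobody and will be left behind on uninstall. Add `%dir %{_datadir}/selinux/packages/%{name}` next to it, or list `%{_datadir}/selinux/packages/%{name}/` with a trailing slash so the directory and its contents are owned together.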
diff --git a/README.Fedora b/README.Fedora
new file mode 100644
index 0000000..30fa5a1
--- /dev/null
+++ b/README.Fedora
@@ -0,0 +1,18 @@
+Installation
+============
+
+ systemctl enable httpd
+ service httpd restart
+
+SELinux notes: httpd is allowed to connect to the default OpenNebula RPC port 2633. Different remote port would need to be permitted in SELinux (it works adding the port to 'http_port_t', or enabling 'httpd_can_network_connect' boolean).
+
+
+Quick test
+==========
+
+ # API version
+ curl http://localhost:11080
+
+ # connect to the OpenNebula and read networks (replace hawking for real
+ # user name)
+ curl http://localhost:11080/network?user=hawking
diff --git a/gen.sh b/gen.sh
index 6553416..3fa517e 100755
--- a/gen.sh
+++ b/gen.sh
@@ -15,7 +15,7 @@ rm -rf NOW-${tag}/
 cp -a NOW/ NOW-${tag}/
 tar --exclude .git -cf - NOW-${tag}/ | pigz --best > NOW-${short}.tar.gz
 rm -rf NOW-${tag}/
-cp -vp NOW-${short}.tar.gz NOW.conf ~/rpmbuild/SOURCES/
+cp -vp NOW-${short}.tar.gz NOW.conf README.Fedora now.fc now.te ~/rpmbuild/SOURCES/
 sed -i \
 -e "s/\(%global commit0 \+\).*/\1${tag}/" \
diff --git a/now.fc b/now.fc
new file mode 100644
index 0000000..761fb75
--- /dev/null
+++ b/now.fc
@@ -0,0 +1,2 @@
+# not really needed for Fedora/EPEL package - bundler is not used
+/usr/share/NOW/Gemfile.lock system_u:object_r:passenger_tmp_t:s0
diff --git a/now.te b/now.te
new file mode 100644
index 0000000..1a4c914
--- /dev/null
+++ b/now.te
@@ -0,0 +1,18 @@
+module now 0.1.0;
+
+require {
+ type httpd_t;
+
+ class capability { fowner fsetid sys_resource sys_ptrace };
+}
+
+#============= httpd_t ==============
+
+# This avc can be allowed using one of the these booleans:
+# httpd_run_stickshift, httpd_setrlimit
+allow httpd_t self:capability { fowner sys_resource };
+
+# This avc can be allowed using the boolean 'httpd_run_stickshift'
+allow httpd_t self:capability fsetid;
+
+allow httpd_t self:capability sys_ptrace;
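Review bot: `+allow httpd_t self:capability sys_ptrace;` is the only rule in now.te without a comment saying which operation produced the AVC, and unlike fowner/fsetid/sys_resource it has no boolean equivalent noted above it; CAP_SYS_PTRACE lets the whole httpd_t domain inspect other processes, so it widens the web server's confinement more than the other three rules. If the denial only appears as audit noise without breaking NOW (many process-status probes fall in that category — TODO confirm against the actual audit record), `dontaudit httpd_t self:capability sys_ptrace;` silences it without granting it. Either way add a comment above the rule in the style of the ones above, e.g. `# sys_ptrace: <operation that triggered the AVC>, audit entry <placeholder>`, so the next maintainer can re-evaluate it.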