Merge branch 'item_selinux' into 'master'

First SELinux implementation (Siegfried griffin)

See merge request vitam/vitam-griffins!79

Jenkinsfile

@@ -155,6 +155,51 @@ pipeline {
             }
 
         }
+
+        stage("Prepare selinux packages building") {
+            // when {
+            //     anyOf {
+            //         branch "develop*"
+            //         branch "master_*"
+            //         branch "master"
+            //         tag pattern: "^[1-9]+\\.[0-9]+\\.[0-9]+-?[0-9]*\$", comparator: "REGEXP"
+            //     }
+            // }
+            // when {
+            //     environment(name: 'CHANGED_VITAM_PRODUCT', value: 'true')
+            // }
+            steps {
+                sh 'rm -rf selinux/target'
+            }
+        }
+
+        stage("Build selinux packages") {
+            // when {
+            //     anyOf {
+            //         branch "develop*"
+            //         branch "master_*"
+            //         branch "master"
+            //         tag pattern: "^[1-9]+\\.[0-9]+\\.[0-9]+-?[0-9]*\$", comparator: "REGEXP"
+            //     }
+            // }
+            // when {
+            //     environment(name: 'CHANGED_VITAM_PRODUCT', value: 'true')
+            // }
+            environment {
+                http_proxy = credentials("http-proxy-url")
+                https_proxy = credentials("http-proxy-url")
+            }
+            steps {
+                parallel(
+                    "Build selinux rpm": {
+                        dir('selinux') {
+                            sh './build-all.sh'
+                        }
+                    }
+                )
+            }
+        }
+
         stage("Publish packages") {
             steps {
                 parallel(

packaging/pom.xml

@@ -44,6 +44,16 @@
 				<version>${maven.exec.version}</version>
 				<executions>
 					<!-- rpm -->
+					<execution>
+						<id>Build native selinux rpm</id>
+						<phase>validate</phase>
+						<goals>
+							<goal>exec</goal>
+						</goals>
+						<configuration>
+							<executable>../selinux/build-all.sh</executable>
+						</configuration>
+					</execution>					
 					<execution>
 						<id>Build external rpm</id>
 						<phase>process-resources</phase>

selinux/build-all.sh

@@ -0,0 +1,40 @@
+#!/bin/bash
+set -e
+#*******************************************************************************
+# Copyright French Prime minister Office/SGMAP/DINSIC/Vitam Program (2015-2019)
+#
+# [email protected]
+#
+# This software is a computer program whose purpose is to implement a digital archiving back-office system managing
+# high volumetry securely and efficiently.
+#
+# This software is governed by the CeCILL 2.1 license under French law and abiding by the rules of distribution of free
+# software. You can use, modify and/ or redistribute the software under the terms of the CeCILL 2.1 license as
+# circulated by CEA, CNRS and INRIA at the following URL "http://www.cecill.info".
+#
+# As a counterpart to the access to the source code and rights to copy, modify and redistribute granted by the license,
+# users are provided only with a limited warranty and the software's author, the holder of the economic rights, and the
+# successive licensors have only limited liability.
+#
+# In this respect, the user's attention is drawn to the risks associated with loading, using, modifying and/or
+# developing or reproducing the software by the user in light of its specific status of free software, that may mean
+# that it is complicated to manipulate, and that also therefore means that it is reserved for developers and
+# experienced professionals having in-depth computer knowledge. Users are therefore encouraged to load and test the
+# software's suitability as regards their requirements in conditions enabling the security of their systems and/or data
+# to be ensured and, more generally, to use and operate it in the same conditions as regards security.
+#
+# The fact that you are presently reading this means that you have had knowledge of the CeCILL 2.1 license and that you
+# accept its terms.
+#*******************************************************************************
+WORKING_FOLDER=$(dirname $0)
+
+if [ ! -d ${WORKING_FOLDER}/target ]; then
+	mkdir ${WORKING_FOLDER}/target
+fi
+
+for item in $(ls -d ${WORKING_FOLDER}/*/ | grep -v "target" | awk -F "/" '{print $(NF-1)}'); do
+	# Need to give the target folder relatively to the base folder...
+	echo $item
+	${WORKING_FOLDER}/build.sh $item target
+
+done

selinux/build.sh

@@ -0,0 +1,125 @@
+#!/bin/bash
+#*******************************************************************************
+# Copyright French Prime minister Office/SGMAP/DINSIC/Vitam Program (2015-2019)
+#
+# [email protected]
+#
+# This software is a computer program whose purpose is to implement a digital archiving back-office system managing
+# high volumetry securely and efficiently.
+#
+# This software is governed by the CeCILL 2.1 license under French law and abiding by the rules of distribution of free
+# software. You can use, modify and/ or redistribute the software under the terms of the CeCILL 2.1 license as
+# circulated by CEA, CNRS and INRIA at the following URL "http://www.cecill.info".
+#
+# As a counterpart to the access to the source code and rights to copy, modify and redistribute granted by the license,
+# users are provided only with a limited warranty and the software's author, the holder of the economic rights, and the
+# successive licensors have only limited liability.
+#
+# In this respect, the user's attention is drawn to the risks associated with loading, using, modifying and/or
+# developing or reproducing the software by the user in light of its specific status of free software, that may mean
+# that it is complicated to manipulate, and that also therefore means that it is reserved for developers and
+# experienced professionals having in-depth computer knowledge. Users are therefore encouraged to load and test the
+# software's suitability as regards their requirements in conditions enabling the security of their systems and/or data
+# to be ensured and, more generally, to use and operate it in the same conditions as regards security.
+#
+# The fact that you are presently reading this means that you have had knowledge of the CeCILL 2.1 license and that you
+# accept its terms.
+#*******************************************************************************
+
+WORKING_FOLDER=$(dirname $0)
+
+pushd ${WORKING_FOLDER}
+
+# Args check
+
+if [ -z "$1" ]; then
+	echo "Usage : build.sh <component> [<target_folder>]"
+	popd
+	exit 1
+fi
+
+COMPONENT=$1
+TARGET_FOLDER=$2
+
+COMPONENT_FOLDER=$(pwd)/${COMPONENT}
+
+if [ ! -d "${COMPONENT_FOLDER}" ]; then
+	echo "Folder ${COMPONENT_FOLDER} doesn't exist ! Aborting."
+	popd
+	exit 2
+fi
+
+# Default target folder definition
+if [ -z "${TARGET_FOLDER}" ]; then
+	TARGET_FOLDER=${COMPONENT_FOLDER}/target
+	mkdir -p ${TARGET_FOLDER}
+fi
+
+if [ ! -d "${TARGET_FOLDER}" ]; then
+	echo "Target folder ${TARGET_FOLDER} doesn't exist ! Aborting."
+	popd
+	exit 2
+fi
+# will create symlinks only if the file links exists in rpmbuild
+if [ -f "${COMPONENT_FOLDER}/rpmbuild/links" ]; then
+	## list elements in $HOME
+	HOME_CONTENT=$(find ${HOME} -maxdepth 1 -mindepth 1)
+	for hid_item in ${HOME_CONTENT}; do
+		item_name=$(basename ${hid_item})
+		# only create symlink if the folder is in the links file. therefore do nothing if not in the file.
+		grep -q ${item_name} "${COMPONENT_FOLDER}/rpmbuild/links" || continue
+    # calculates link's full path
+		target_link="${COMPONENT_FOLDER}/${item_name}"
+		if [ -L ${target_link} ]; then
+		# test if link exists and is a symlink. if this link point to somewhere else, info and override
+			if [ $(readlink ${target_link}) != ${hid_item} ]; then
+				echo "Info: Updating Symlink ${target_link} to ${hid_item}."
+		  fi
+	  # test if exists and is a file or a folder. True => warn and do nothing
+		elif [ -f ${target_link} ] || [ -d ${target_link} ];then
+			echo "Warning: ${target_link} should be a symlink."
+			continue
+		fi
+		# create symlink in COMPONENT_FOLDER
+		ln -sf $hid_item ${target_link}
+	done
+fi
+# override exit function to delete created links when living.
+function clean_exit(){
+	returncode=${1:-0}
+	find ${COMPONENT_FOLDER} -maxdepth 1 -type l -exec rm -f {} \; >/dev/null 2>&1
+	exit ${returncode}
+}
+
+# Build RPM
+
+for SPECFILE in $(ls ${COMPONENT_FOLDER}/rpmbuild/SPECS/*.spec); do
+	echo "Building specfile ${SPECFILE}..."
+
+	HOME=${COMPONENT_FOLDER} spectool -g -R ${SPECFILE}
+	if [ ! $? -eq 0 ]; then
+		echo "Error preparing the build ! Aborting."
+		popd
+		clean_exit 2
+	fi
+
+	HOME=${COMPONENT_FOLDER} rpmbuild -bb ${SPECFILE}
+	if [ ! $? -eq 0 ]; then
+		echo "Error building the rpm ! Aborting."
+		popd
+		clean_exit 2
+	fi
+done
+
+# Copy result RPM in target folder
+
+RPMS=$(find ${COMPONENT_FOLDER} -name '*.rpm')
+
+mkdir -p ${TARGET_FOLDER}
+
+for RPM in ${RPMS}; do
+ 	mv ${RPM} ${TARGET_FOLDER}
+done
+
+popd
+clean_exit

selinux/siegfried-selinux/rpmbuild/SOURCES/Makefile

@@ -0,0 +1,15 @@
+TARGETS?= vitam_siegfried_griffin
+MODULES?=${TARGETS:=.pp.bz2}
+
+all: ${TARGETS:=.pp.bz2}
+
+%.pp.bz2: %.pp
+	@echo Compressing $^ -\ $@
+	bzip2 -9 $^
+
+%.pp: %.te
+	make -f /usr/share/selinux/devel/Makefile $@
+
+clean:
+	rm -f *~ *.tc *.pp *.pp.bz2
+	rm -rf tmp

selinux/siegfried-selinux/rpmbuild/SOURCES/vitam_siegfried_griffin.fc

@@ -0,0 +1,2 @@
+/vitam/bin/worker/griffins/siegfried-griffin(/.*)? gen_context(system_u:object_r:vitam_siegfried_griffin_exec_t,s0) 
+/vitam/tmp/worker/griffins/siegfried-griffin(/.*)? gen_context(system_u:object_r:vitam_siegfried_griffin_data_t,s0) 

selinux/siegfried-selinux/rpmbuild/SOURCES/vitam_siegfried_griffin.te

@@ -0,0 +1,38 @@
+policy_module(vitam_siegfried_griffin, 1.0.0)
+
+require {
+	type vitam_siegfried_griffin_exec_t;
+    type vitam_siegfried_port_t; 
+    type vitam_worker_t; 
+	type shell_exec_t;
+	class process { execmem fork };
+	class file { append create execute execute_no_trans getattr open read write unlink };
+	class dir search;
+	class file ioctl;
+}
+
+########################################
+#
+# Declarations
+#
+
+type vitam_siegfried_griffin_t;
+type vitam_siegfried_griffin_exec_t;
+init_daemon_domain(vitam_siegfried_griffin_t, vitam_siegfried_griffin_exec_t)
+
+type vitam_siegfried_griffin_data_t;
+files_type(vitam_siegfried_griffin_data_t)
+
+#============= vitam_siegfried_griffin_t ==============
+
+# Autoriser execution java
+java_exec(vitam_siegfried_griffin_t)
+
+allow vitam_siegfried_griffin_t self:process { execmem fork };
+
+allow vitam_siegfried_griffin_t vitam_siegfried_port_t:tcp_socket { name_connect create read write };
+allow vitam_worker_t vitam_siegfried_griffin_data_t:dir { getattr search open create read write add_name remove_name rmdir };
+allow vitam_worker_t vitam_siegfried_griffin_data_t:file { append create execute execute_no_trans getattr open read write unlink };
+allow vitam_worker_t vitam_siegfried_griffin_exec_t:dir { getattr search open create read write add_name remove_name rmdir };
+allow vitam_worker_t vitam_siegfried_griffin_exec_t:file { append create execute execute_no_trans getattr open read write unlink };
+allow vitam_worker_t vitam_siegfried_griffin_exec_t:file ioctl;

selinux/siegfried-selinux/rpmbuild/SPECS/siegfried-griffin-selinux.spec

@@ -0,0 +1,63 @@
+%global selinuxtype	targeted
+%global moduletype	contrib
+%global modulename	vitam_siegfried_griffin
+
+Name: vitam-siegfried-griffin-selinux
+Version: 1.0
+Release: 1%{?dist}
+Summary: SELinux security policy module vitam-siegfried-griffin
+License: CeCILL 2.1
+URL:     https://github.com/ProgrammeVitam/vitam
+Source0: %{modulename}.fc
+Source1: %{modulename}.te
+Source2: Makefile
+BuildArch: noarch
+BuildRequires: selinux-policy
+BuildRequires: selinux-policy-devel
+Requires: vitam-siegfried-griffin
+Requires: policycoreutils-python
+
+%description
+SELinux security policy module vitam-siegfried-griffin
+
+%prep
+rm -rf vitam_siegfried_griffin*
+cp %{SOURCE0} %{SOURCE1} %{SOURCE2} .
+
+%build
+make
+
+%install
+install -d %{buildroot}%{_datadir}/selinux/packages
+install -m 0644 %{modulename}.pp.bz2 %{buildroot}%{_datadir}/selinux/packages
+bzip2 -d %{buildroot}%{_datadir}/selinux/packages/%{modulename}.pp.bz2
+
+%post
+# Install the module
+semodule -i %{_datadir}/selinux/packages/vitam_siegfried_griffin.pp
+# If it's an update, remove managed ports before adding them again
+# if [ $1 -gt 1 ]; then
+#    semanage port -D -t vitam_siegfried_griffin_port_t
+# fi
+# Relabel
+restorecon -R /vitam/bin/worker/griffins/siegfried-griffin
+restorecon -R /vitam/tmp/worker/griffins/siegfried-griffin
+
+%postun
+# If it's a real uninstall (not an update), remove everything
+if [ $1 -eq 0 ]; then
+#    semanage port -D -t vitam_siegfried_griffin_port_t
+    semodule -r vitam_siegfried_griffin
+    restorecon -R /vitam/bin/worker/griffins/siegfried-griffin
+    restorecon -R /vitam/tmp/worker/griffins/siegfried-griffin
+fi
+
+%files
+%attr(0644,root,root) %{_datadir}/selinux/packages/%{modulename}.pp
+
+%doc
+
+
+%changelog
+* Fri Oct 18 2019 French Prime minister Office/SGMAP/DINSIC/Vitam Program <[email protected]>
+- Initial version