diff --git a/Jenkinsfile b/Jenkinsfile
index ad7b934..b23ab04 100644
--- a/Jenkinsfile
+++ b/Jenkinsfile
@@ -155,6 +155,51 @@ pipeline {
}
}
+
+ stage("Prepare selinux packages building") {
+ // when {
+ // anyOf {
+ // branch "develop*"
+ // branch "master_*"
+ // branch "master"
+ // tag pattern: "^[1-9]+\\.[0-9]+\\.[0-9]+-?[0-9]*\$", comparator: "REGEXP"
+ // }
+ // }
+ // when {
+ // environment(name: 'CHANGED_VITAM_PRODUCT', value: 'true')
+ // }
+ steps {
+ sh 'rm -rf selinux/target'
+ }
+ }
+
+ stage("Build selinux packages") {
+ // when {
+ // anyOf {
+ // branch "develop*"
+ // branch "master_*"
+ // branch "master"
+ // tag pattern: "^[1-9]+\\.[0-9]+\\.[0-9]+-?[0-9]*\$", comparator: "REGEXP"
+ // }
+ // }
+ // when {
+ // environment(name: 'CHANGED_VITAM_PRODUCT', value: 'true')
+ // }
+ environment {
+ http_proxy = credentials("http-proxy-url")
+ https_proxy = credentials("http-proxy-url")
+ }
+ steps {
+ parallel(
+ "Build selinux rpm": {
+ dir('selinux') {
+ sh './build-all.sh'
+ }
+ }
+ )
+ }
+ }
+
stage("Publish packages") {
steps {
parallel(
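Review bot: Both new stages ship with their `when` guards commented out, so "Prepare selinux packages building" and "Build selinux packages" run on every branch and pull request, whereas the surrounding stages appear to restrict themselves to develop/master/tag builds and to `CHANGED_VITAM_PRODUCT`. If the guards were disabled only for testing, re-enable one of them before merging; if the stages are meant to be unconditional, drop the dead comment blocks so the intent is explicit. The `parallel(...)` wrapper in "Build selinux packages" has a single branch and could be reduced to `dir('selinux') { sh './build-all.sh' }`. The enclosing `pipeline { stages { ... } }` block starts and ends outside this hunk.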
diff --git a/packaging/pom.xml b/packaging/pom.xml
index 9037dfb..82ec8bc 100644
--- a/packaging/pom.xml
+++ b/packaging/pom.xml
@@ -44,6 +44,16 @@
${maven.exec.version}
+
+ Build native selinux rpm
+ validate
+
+ exec
+
+
+ ../selinux/build-all.sh
+
+
Build external rpm
process-resources
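Review bot: The new execution appears to bind `../selinux/build-all.sh` to the `validate` phase (the XML markup was lost in this rendering, so the binding is inferred from the surviving text), which means every Maven invocation of this module, including a plain `mvn validate` on a developer machine, will try to run `rpmbuild`/`spectool`. The Jenkinsfile in this same commit also runs `./build-all.sh` from the `selinux` directory, so on CI the rpms look like they are built twice. Consider binding the execution to the phase the existing "Build external rpm" execution uses, or placing it behind a profile, and document the `rpmbuild`/`spectool` prerequisite next to the execution id.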
diff --git a/selinux/build-all.sh b/selinux/build-all.sh
new file mode 100755
index 0000000..de1452c
--- /dev/null
+++ b/selinux/build-all.sh
@@ -0,0 +1,40 @@
+#!/bin/bash
+set -e
+#*******************************************************************************
+# Copyright French Prime minister Office/SGMAP/DINSIC/Vitam Program (2015-2019)
+#
+# contact.vitam@culture.gouv.fr
+#
+# This software is a computer program whose purpose is to implement a digital archiving back-office system managing
+# high volumetry securely and efficiently.
+#
+# This software is governed by the CeCILL 2.1 license under French law and abiding by the rules of distribution of free
+# software. You can use, modify and/ or redistribute the software under the terms of the CeCILL 2.1 license as
+# circulated by CEA, CNRS and INRIA at the following URL "http://www.cecill.info".
+#
+# As a counterpart to the access to the source code and rights to copy, modify and redistribute granted by the license,
+# users are provided only with a limited warranty and the software's author, the holder of the economic rights, and the
+# successive licensors have only limited liability.
+#
+# In this respect, the user's attention is drawn to the risks associated with loading, using, modifying and/or
+# developing or reproducing the software by the user in light of its specific status of free software, that may mean
+# that it is complicated to manipulate, and that also therefore means that it is reserved for developers and
+# experienced professionals having in-depth computer knowledge. Users are therefore encouraged to load and test the
+# software's suitability as regards their requirements in conditions enabling the security of their systems and/or data
+# to be ensured and, more generally, to use and operate it in the same conditions as regards security.
+#
+# The fact that you are presently reading this means that you have had knowledge of the CeCILL 2.1 license and that you
+# accept its terms.
+#*******************************************************************************
+WORKING_FOLDER=$(dirname $0)
+
+if [ ! -d ${WORKING_FOLDER}/target ]; then
+ mkdir ${WORKING_FOLDER}/target
+fi
+
+for item in $(ls -d ${WORKING_FOLDER}/*/ | grep -v "target" | awk -F "/" '{print $(NF-1)}'); do
+ # Need to give the target folder relatively to the base folder...
+ echo $item
+ ${WORKING_FOLDER}/build.sh $item target
+
+done
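Review bot: The component loop filters on the full path printed by `ls -d ${WORKING_FOLDER}/*/`, so `grep -v "target"` drops every entry, not just the `target` output folder, whenever the script is invoked through a path that contains the string `target` (or a component's name contains it); because the `$()` runs outside `set -e`, the script then builds nothing and still exits 0. Iterating the glob directly and comparing the basename removes the `ls | grep | awk` parsing and also survives paths with spaces. `WORKING_FOLDER=$(dirname $0)` on the first line of the body should be quoted as `WORKING_FOLDER=$(dirname "$0")` for the same reason.

```shell
for dir in "${WORKING_FOLDER}"/*/; do
  item=$(basename "${dir}")
  [ "${item}" = "target" ] && continue
  # Need to give the target folder relatively to the base folder...
  echo "${item}"
  "${WORKING_FOLDER}/build.sh" "${item}" target
done
```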
diff --git a/selinux/build.sh b/selinux/build.sh
new file mode 100755
index 0000000..80b3376
--- /dev/null
+++ b/selinux/build.sh
@@ -0,0 +1,125 @@
+#!/bin/bash
+#*******************************************************************************
+# Copyright French Prime minister Office/SGMAP/DINSIC/Vitam Program (2015-2019)
+#
+# contact.vitam@culture.gouv.fr
+#
+# This software is a computer program whose purpose is to implement a digital archiving back-office system managing
+# high volumetry securely and efficiently.
+#
+# This software is governed by the CeCILL 2.1 license under French law and abiding by the rules of distribution of free
+# software. You can use, modify and/ or redistribute the software under the terms of the CeCILL 2.1 license as
+# circulated by CEA, CNRS and INRIA at the following URL "http://www.cecill.info".
+#
+# As a counterpart to the access to the source code and rights to copy, modify and redistribute granted by the license,
+# users are provided only with a limited warranty and the software's author, the holder of the economic rights, and the
+# successive licensors have only limited liability.
+#
+# In this respect, the user's attention is drawn to the risks associated with loading, using, modifying and/or
+# developing or reproducing the software by the user in light of its specific status of free software, that may mean
+# that it is complicated to manipulate, and that also therefore means that it is reserved for developers and
+# experienced professionals having in-depth computer knowledge. Users are therefore encouraged to load and test the
+# software's suitability as regards their requirements in conditions enabling the security of their systems and/or data
+# to be ensured and, more generally, to use and operate it in the same conditions as regards security.
+#
+# The fact that you are presently reading this means that you have had knowledge of the CeCILL 2.1 license and that you
+# accept its terms.
+#*******************************************************************************
+
+WORKING_FOLDER=$(dirname $0)
+
+pushd ${WORKING_FOLDER}
+
+# Args check
+
+if [ -z "$1" ]; then
+ echo "Usage : build.sh []"
+ popd
+ exit 1
+fi
+
+COMPONENT=$1
+TARGET_FOLDER=$2
+
+COMPONENT_FOLDER=$(pwd)/${COMPONENT}
+
+if [ ! -d "${COMPONENT_FOLDER}" ]; then
+ echo "Folder ${COMPONENT_FOLDER} doesn't exist ! Aborting."
+ popd
+ exit 2
+fi
+
+# Default target folder definition
+if [ -z "${TARGET_FOLDER}" ]; then
+ TARGET_FOLDER=${COMPONENT_FOLDER}/target
+ mkdir -p ${TARGET_FOLDER}
+fi
+
+if [ ! -d "${TARGET_FOLDER}" ]; then
+ echo "Target folder ${TARGET_FOLDER} doesn't exist ! Aborting."
+ popd
+ exit 2
+fi
+# will create symlinks only if the file links exists in rpmbuild
+if [ -f "${COMPONENT_FOLDER}/rpmbuild/links" ]; then
+ ## list elements in $HOME
+ HOME_CONTENT=$(find ${HOME} -maxdepth 1 -mindepth 1)
+ for hid_item in ${HOME_CONTENT}; do
+ item_name=$(basename ${hid_item})
+ # only create symlink if the folder is in the links file. therefore do nothing if not in the file.
+ grep -q ${item_name} "${COMPONENT_FOLDER}/rpmbuild/links" || continue
+ # calculates link's full path
+ target_link="${COMPONENT_FOLDER}/${item_name}"
+ if [ -L ${target_link} ]; then
+ # test if link exists and is a symlink. if this link point to somewhere else, info and override
+ if [ $(readlink ${target_link}) != ${hid_item} ]; then
+ echo "Info: Updating Symlink ${target_link} to ${hid_item}."
+ fi
+ # test if exists and is a file or a folder. True => warn and do nothing
+ elif [ -f ${target_link} ] || [ -d ${target_link} ];then
+ echo "Warning: ${target_link} should be a symlink."
+ continue
+ fi
+ # create symlink in COMPONENT_FOLDER
+ ln -sf $hid_item ${target_link}
+ done
+fi
+# override exit function to delete created links when living.
+function clean_exit(){
+ returncode=${1:-0}
+ find ${COMPONENT_FOLDER} -maxdepth 1 -type l -exec rm -f {} \; >/dev/null 2>&1
+ exit ${returncode}
+}
+
+# Build RPM
+
+for SPECFILE in $(ls ${COMPONENT_FOLDER}/rpmbuild/SPECS/*.spec); do
+ echo "Building specfile ${SPECFILE}..."
+
+ HOME=${COMPONENT_FOLDER} spectool -g -R ${SPECFILE}
+ if [ ! $? -eq 0 ]; then
+ echo "Error preparing the build ! Aborting."
+ popd
+ clean_exit 2
+ fi
+
+ HOME=${COMPONENT_FOLDER} rpmbuild -bb ${SPECFILE}
+ if [ ! $? -eq 0 ]; then
+ echo "Error building the rpm ! Aborting."
+ popd
+ clean_exit 2
+ fi
+done
+
+# Copy result RPM in target folder
+
+RPMS=$(find ${COMPONENT_FOLDER} -name '*.rpm')
+
+mkdir -p ${TARGET_FOLDER}
+
+for RPM in ${RPMS}; do
+ mv ${RPM} ${TARGET_FOLDER}
+done
+
+popd
+clean_exit
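Review bot: The symlink selection `grep -q ${item_name} "${COMPONENT_FOLDER}/rpmbuild/links"` is an unanchored, unquoted regex match, so a `$HOME` entry named `rpm` would match a `links` line `rpmbuild`, a name starting with `-` would be taken as a grep option, and `.` in dotfile names matches any character; assuming `links` holds one entry per line, `grep -qxF -- "${item_name}" "${COMPONENT_FOLDER}/rpmbuild/links" || continue` matches the whole line literally. `clean_exit` then removes every top-level symlink in `${COMPONENT_FOLDER}` with `find -type l -exec rm -f`, not only the ones this script created, so any symlink committed in a component directory is deleted on each build; recording the created links in an array and removing just those would be safer. The early `exit 1`/`exit 2` paths and an interrupted run skip `clean_exit` entirely, so registering it with `trap clean_exit EXIT` would keep the cleanup on every exit path. The `for SPECFILE in $(ls ...)`, `for hid_item in ${HOME_CONTENT}` and `[ $(readlink ${target_link}) != ${hid_item} ]` forms are all unquoted and break on paths with whitespace; `for SPECFILE in "${COMPONENT_FOLDER}"/rpmbuild/SPECS/*.spec` is the direct replacement for the first.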
diff --git a/selinux/siegfried-selinux/rpmbuild/SOURCES/Makefile b/selinux/siegfried-selinux/rpmbuild/SOURCES/Makefile
new file mode 100644
index 0000000..3aa8704
--- /dev/null
+++ b/selinux/siegfried-selinux/rpmbuild/SOURCES/Makefile
@@ -0,0 +1,15 @@
+TARGETS?= vitam_siegfried_griffin
+MODULES?=${TARGETS:=.pp.bz2}
+
+all: ${TARGETS:=.pp.bz2}
+
+%.pp.bz2: %.pp
+ @echo Compressing $^ -\ $@
+ bzip2 -9 $^
+
+%.pp: %.te
+ make -f /usr/share/selinux/devel/Makefile $@
+
+clean:
+ rm -f *~ *.tc *.pp *.pp.bz2
+ rm -rf tmp
\ No newline at end of file
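Review bot: The `%.pp` rule invokes the SELinux devel Makefile as a bare `make -f ...`, so flags and the jobserver from the outer invocation are not propagated; the conventional form is `$(MAKE) -f /usr/share/selinux/devel/Makefile $@`. `all` and `clean` are not declared `.PHONY`, so a file named `clean` in the build directory would silently disable the target; `MODULES` is defined but never used. A final newline is also missing, which some tooling warns about.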
diff --git a/selinux/siegfried-selinux/rpmbuild/SOURCES/vitam_siegfried_griffin.fc b/selinux/siegfried-selinux/rpmbuild/SOURCES/vitam_siegfried_griffin.fc
new file mode 100644
index 0000000..58bcd25
--- /dev/null
+++ b/selinux/siegfried-selinux/rpmbuild/SOURCES/vitam_siegfried_griffin.fc
@@ -0,0 +1,2 @@
+/vitam/bin/worker/griffins/siegfried-griffin(/.*)? gen_context(system_u:object_r:vitam_siegfried_griffin_exec_t,s0)
+/vitam/tmp/worker/griffins/siegfried-griffin(/.*)? gen_context(system_u:object_r:vitam_siegfried_griffin_data_t,s0)
\ No newline at end of file
diff --git a/selinux/siegfried-selinux/rpmbuild/SOURCES/vitam_siegfried_griffin.te b/selinux/siegfried-selinux/rpmbuild/SOURCES/vitam_siegfried_griffin.te
new file mode 100644
index 0000000..0527631
--- /dev/null
+++ b/selinux/siegfried-selinux/rpmbuild/SOURCES/vitam_siegfried_griffin.te
@@ -0,0 +1,38 @@
+policy_module(vitam_siegfried_griffin, 1.0.0)
+
+require {
+ type vitam_siegfried_griffin_exec_t;
+ type vitam_siegfried_port_t;
+ type vitam_worker_t;
+ type shell_exec_t;
+ class process { execmem fork };
+ class file { append create execute execute_no_trans getattr open read write unlink };
+ class dir search;
+ class file ioctl;
+}
+
+########################################
+#
+# Declarations
+#
+
+type vitam_siegfried_griffin_t;
+type vitam_siegfried_griffin_exec_t;
+init_daemon_domain(vitam_siegfried_griffin_t, vitam_siegfried_griffin_exec_t)
+
+type vitam_siegfried_griffin_data_t;
+files_type(vitam_siegfried_griffin_data_t)
+
+#============= vitam_siegfried_griffin_t ==============
+
+# Autoriser execution java
+java_exec(vitam_siegfried_griffin_t)
+
+allow vitam_siegfried_griffin_t self:process { execmem fork };
+
+allow vitam_siegfried_griffin_t vitam_siegfried_port_t:tcp_socket { name_connect create read write };
+allow vitam_worker_t vitam_siegfried_griffin_data_t:dir { getattr search open create read write add_name remove_name rmdir };
+allow vitam_worker_t vitam_siegfried_griffin_data_t:file { append create execute execute_no_trans getattr open read write unlink };
+allow vitam_worker_t vitam_siegfried_griffin_exec_t:dir { getattr search open create read write add_name remove_name rmdir };
+allow vitam_worker_t vitam_siegfried_griffin_exec_t:file { append create execute execute_no_trans getattr open read write unlink };
+allow vitam_worker_t vitam_siegfried_griffin_exec_t:file ioctl;
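Review bot: The last two `allow` rules give `vitam_worker_t` `create write unlink` and `execute_no_trans` on `vitam_siegfried_griffin_exec_t`, which (together with the `(/.*)?` pattern in the `.fc` file) lets the worker domain both modify and execute anything under `/vitam/bin/worker/griffins/siegfried-griffin` without leaving its own domain, so the confined `vitam_siegfried_griffin_t` domain declared above is only reached when init starts the binary and the write/execute separation SELinux is meant to enforce is lost for the worker. If the worker is the process that launches the griffin, a transition such as `domtrans_pattern(vitam_worker_t, vitam_siegfried_griffin_exec_t, vitam_siegfried_griffin_t)` with only `getattr open read execute` on `_exec_t` files would confine the griffin and keep the write permissions on `vitam_siegfried_griffin_data_t` only; if the worker must also install griffin binaries, that should be stated in a comment next to these rules. The `require` block lists `type vitam_siegfried_griffin_exec_t;` although this module declares that type itself a few lines later, and `class file` appears twice; both are at least redundant and worth cleaning up. A short header comment describing which process runs as `vitam_siegfried_griffin_t` and why `execmem` is needed would also help reviewers of the policy.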
diff --git a/selinux/siegfried-selinux/rpmbuild/SPECS/siegfried-griffin-selinux.spec b/selinux/siegfried-selinux/rpmbuild/SPECS/siegfried-griffin-selinux.spec
new file mode 100644
index 0000000..7130bfd
--- /dev/null
+++ b/selinux/siegfried-selinux/rpmbuild/SPECS/siegfried-griffin-selinux.spec
@@ -0,0 +1,63 @@
+%global selinuxtype targeted
+%global moduletype contrib
+%global modulename vitam_siegfried_griffin
+
+Name: vitam-siegfried-griffin-selinux
+Version: 1.0
+Release: 1%{?dist}
+Summary: SELinux security policy module vitam-siegfried-griffin
+License: CeCILL 2.1
+URL: https://github.com/ProgrammeVitam/vitam
+Source0: %{modulename}.fc
+Source1: %{modulename}.te
+Source2: Makefile
+BuildArch: noarch
+BuildRequires: selinux-policy
+BuildRequires: selinux-policy-devel
+Requires: vitam-siegfried-griffin
+Requires: policycoreutils-python
+
+%description
+SELinux security policy module vitam-siegfried-griffin
+
+%prep
+rm -rf vitam_siegfried_griffin*
+cp %{SOURCE0} %{SOURCE1} %{SOURCE2} .
+
+%build
+make
+
+%install
+install -d %{buildroot}%{_datadir}/selinux/packages
+install -m 0644 %{modulename}.pp.bz2 %{buildroot}%{_datadir}/selinux/packages
+bzip2 -d %{buildroot}%{_datadir}/selinux/packages/%{modulename}.pp.bz2
+
+%post
+# Install the module
+semodule -i %{_datadir}/selinux/packages/vitam_siegfried_griffin.pp
+# If it's an update, remove managed ports before adding them again
+# if [ $1 -gt 1 ]; then
+# semanage port -D -t vitam_siegfried_griffin_port_t
+# fi
+# Relabel
+restorecon -R /vitam/bin/worker/griffins/siegfried-griffin
+restorecon -R /vitam/tmp/worker/griffins/siegfried-griffin
+
+%postun
+# If it's a real uninstall (not an update), remove everything
+if [ $1 -eq 0 ]; then
+# semanage port -D -t vitam_siegfried_griffin_port_t
+ semodule -r vitam_siegfried_griffin
+ restorecon -R /vitam/bin/worker/griffins/siegfried-griffin
+ restorecon -R /vitam/tmp/worker/griffins/siegfried-griffin
+fi
+
+%files
+%attr(0644,root,root) %{_datadir}/selinux/packages/%{modulename}.pp
+
+%doc
+
+
+%changelog
+* Fri Oct 18 2019 French Prime minister Office/SGMAP/DINSIC/Vitam Program
+- Initial version
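Review bot: `%post` and `%postun` call `semodule` and `restorecon`, but the only related dependency is a plain `Requires: policycoreutils-python`, which serves `semanage` (only used in commented-out lines) and does not order the transaction; add `Requires(post): policycoreutils` and `Requires(postun): policycoreutils` so the tools are guaranteed to be present when the scriptlets run (on EL7 that package provides both commands — confirm for the target distribution). `restorecon -R` on a path that does not exist returns non-zero and would fail the scriptlet, so guarding each call with `[ -e <path> ] &&` or ordering the dependency on `vitam-siegfried-griffin` with `Requires(post)` avoids a broken install when the griffin package is installed later in the same transaction. The `%doc` line is empty and can be dropped.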