# Policy store the modules are installed into ("semodule -s") from the scriptlets.
%define selinuxtype targeted
# One entry per module; each is expected to ship as <name>.te / <name>.fc /
# <name>.if (Source0..Source5 below) and is built, staged and loaded by the
# loops in the build, install and scriptlet sections.
%define modulenames kubernetes etcd
# Where the public .if interfaces are installed so other policy modules can
# build against them.
%define interface_dir %{_datadir}/selinux/devel/include/contrib
# Where the compiled .pp modules are packaged; the scriptlets load them from here.
%define policy_dir %{_datadir}/selinux/packages
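# Relabel the on-disk paths each module's .fc file covers.
#
# Every body line ends in a backslash to stay inside the macro, EXCEPT the
# last one: a trailing backslash there swallows the next macro definition
# into this one's body (the original definition of the kube macro did
# exactly that and only worked by accident when expanded).
#
# restorecon -i skips paths that do not exist yet (for example the data
# directories before the daemons have ever run), so a missing directory
# does not make the scriptlet finish with a non-zero status.
%define relabel_kube_files() \
restorecon -R -i /usr/bin/kube-apiserver; \
restorecon -R -i /usr/bin/kube-controller-manager; \
restorecon -R -i /usr/bin/kube-scheduler; \
restorecon -R -i /usr/bin/kubelet; \
restorecon -R -i /usr/bin/kube-proxy; \
restorecon -R -i /usr/lib/systemd/system/kube-apiserver.service; \
restorecon -R -i /usr/lib/systemd/system/kube-controller-manager.service; \
restorecon -R -i /usr/lib/systemd/system/kube-scheduler.service; \
restorecon -R -i /usr/lib/systemd/system/kubelet.service; \
restorecon -R -i /usr/lib/systemd/system/kube-proxy.service; \
restorecon -R -i /var/lib/kubelet;
%define relabel_etcd_files() \
restorecon -R -i /usr/bin/etcd; \
restorecon -R -i /usr/lib/systemd/system/etcd.service; \
restorecon -R -i /var/lib/etcd;
# Run from the post-install and post-uninstall scriptlets, after load_policy,
# so file labels match whatever policy is actually loaded at that point.
%define relabel_files() \
%relabel_kube_files \
%relabel_etcd_files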
# Minimum version of the distribution selinux-policy these modules were
# written against. It is only used to pin selinux-policy-base and
# selinux-policy-targeted in the post-install requirements below; bump it
# when the .te files start relying on interfaces from a newer base policy.
%define selinux_policyver 3.13.1-72.fc21
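# Package information
Name: kubernetes-selinux
Version: 0.1.0
Release: 1%{?dist}
License: GPLv2
Group: System Environment/Base
Summary: SELinux Policies for Kubernetes
BuildArch: noarch
URL: https://github.com/selinux-policy/selinux-policy
Requires: policycoreutils, libselinux-utils
# Scriptlet dependencies. The (post)/(postun) qualifiers make rpm order the
# transaction so these are present while the scriptlets run; plain Requires
# give no such guarantee, notably on erase.
#  - semodule, load_policy, restorecon : policycoreutils
#  - semanage (port labelling in post) : policycoreutils-python on this
#    policy generation -- it is not part of policycoreutils proper, so
#    without it the port labelling in the post-install scriptlet fails
#  - selinuxenabled                    : libselinux-utils
Requires(post): selinux-policy-base >= %{selinux_policyver}, selinux-policy-targeted >= %{selinux_policyver}, policycoreutils, policycoreutils-python, libselinux-utils
Requires(postun): policycoreutils, policycoreutils-python, libselinux-utils
BuildRequires: selinux-policy selinux-policy-devel
# Policy sources: a .te/.fc/.if triple per module, no tarball.
Source0: kubernetes.te
Source1: kubernetes.fc
Source2: kubernetes.if
Source3: etcd.te
Source4: etcd.fc
Source5: etcd.if
%description
SELinux policy modules for Kubernetes, etcd, and maybe cadvisor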
%prep
# There is no source tarball to unpack: the policy sources are shipped as
# individual files, so stage every .te/.fc/.if into the build directory.
for policy_src in %{SOURCE0} %{SOURCE1} %{SOURCE2} %{SOURCE3} %{SOURCE4} %{SOURCE5}; do
    cp "${policy_src}" .
done
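%build
# Compile each module with the devel Makefile from selinux-policy-devel.
# Use _datadir rather than a hard-coded /usr/share so this agrees with the
# interface_dir and policy_dir macros, which already point into the same tree.
for modulename in %{modulenames}; do
    make -f %{_datadir}/selinux/devel/Makefile "${modulename}.pp"
done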
%install
# Stage the interfaces and the compiled modules under the buildroot.
# install -D creates the destination directories on first use, so there is
# no separate mkdir step. Only the .if files keep their timestamps (-p);
# the .pp files are build products.
for modulename in %{modulenames}; do
    install -D -p -m 644 "${modulename}.if" "%{buildroot}%{interface_dir}/${modulename}.if"
    install -D -m 0644 "${modulename}.pp" "%{buildroot}%{policy_dir}/${modulename}.pp"
done
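%post
#
# Install both modules into the store without reloading (-n); the single
# load_policy at the end picks everything up in one go.
#
for modulename in %{modulenames}; do
    %{_sbindir}/semodule -n -s %{selinuxtype} -i "%{policy_dir}/${modulename}.pp"
done
# Label the listening ports. "semanage port -m" only succeeds for a port
# that already has a definition in the store, so try to add the record
# first and fall back to modifying an existing one. 8080 is already defined
# by the stock targeted base policy (http_cache_port_t), so for it only -m
# works -- and relabelling it affects every other confined service that
# talks on that port, which is worth knowing before deploying this policy.
for port in 8080 10250-10252 4001 7001; do
    semanage port -n -a -t kubernetes_port_t -p tcp -r s0 "${port}" 2>/dev/null \
        || semanage port -n -m -t kubernetes_port_t -p tcp -r s0 "${port}"
done
# TODO: 4001 and 7001 are etcd's client and peer ports. Giving them
# kubernetes_port_t means the kube and etcd domains cannot be told apart at
# the port level; they should carry an etcd-specific port type defined by
# the etcd module once that type exists there.
if %{_sbindir}/selinuxenabled ; then
    %{_sbindir}/load_policy
    %relabel_files
fi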
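%postun
# $1 is the number of package instances left after this transaction:
# 0 means a real erase (not an upgrade), so tear the policy down.
if [ "$1" -eq 0 ]; then
    # Drop the port customisations BEFORE removing the modules: the records
    # reference kubernetes_port_t, and module removal can fail (and would be
    # hidden by the "|| :" below, leaving the module installed) while local
    # records still point at one of its types. 8080 was only modified, so
    # deleting its record lets it revert to the base-policy label.
    for port in 8080 10250-10252 4001 7001; do
        semanage port -n -d -p tcp "${port}" || :
    done
    # Same store (-s) the post-install scriptlet installed into.
    for modulename in %{modulenames}; do
        %{_sbindir}/semodule -n -s %{selinuxtype} -r "${modulename}" || :
    done
    if %{_sbindir}/selinuxenabled ; then
        %{_sbindir}/load_policy
        %relabel_files
    fi
fi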
%files
# Compiled modules are root-only (0600): they are loaded by the root-run
# scriptlets and nothing else reads them.
%attr(0600,root,root) %{policy_dir}/kubernetes.pp
# Interfaces keep the 0644 they were installed with so other policy modules
# can build against them.
%{interface_dir}/kubernetes.if
%attr(0600,root,root) %{policy_dir}/etcd.pp
%{interface_dir}/etcd.if
%changelog
* Mon Feb 11 2013 Miroslav Grepl <[email protected]> - 0.1.0-1
- Initial kubernetes SELinux policy