From 180cc1c36f004514a9b41089498a1719dca4a3ba Mon Sep 17 00:00:00 2001 From: Trevor Batley Date: Tue, 29 Aug 2023 11:00:22 +1000 Subject: [PATCH] Add selinux settings --- README.md | 18 +++++++----------- koji-setup/deploy-koji.sh | 25 ++++++++++++++++++++----- koji-setup/globals.sh | 2 +- 3 files changed, 28 insertions(+), 17 deletions(-) diff --git a/README.md b/README.md index b132528..ab4b50a 100644 --- a/README.md +++ b/README.md @@ -5,7 +5,7 @@ The purpose of these scripts it to enable setting up a koji environment quickly with reasonable configurations. -These scripts have been borrowed from Clear Linux and modofied to suit the smeserver (Koozali.org) setup. +These scripts have been borrowed from Clear Linux and modified to suit the smeserver (Koozali.org) setup. ## Assumptions @@ -15,16 +15,14 @@ These scripts have been borrowed from Clear Linux and modofied to suit the smese * Basic configurations (e.g. network, time, etc.) have been applied * Only one koji builder is required -## Unsupported Environments - -* Systems that are not starting as dedicated and clean -* Systems that are not based on Rocky 8 Linux OS* - -For unsupported environments, it will be up to the sysadmin to proceed at their -own discretion and fix issues that may arise on their own. - ## Getting Going +1. Copy these scripts into your ~/bin directory and make sure they are executeable + + mkdir -p ~/bin + cp ~/bin/. + chmod a+x ~/bin/*.sh + 1. Edit parameters.sh as needed. If running in a production environment, be sure to supply reasonable SSL certificate field values. @@ -54,5 +52,3 @@ builder machine deploy-koji-nfs-client.sh deploy-koji-builder.sh - -*Other names and brands may be claimed as the property of others. diff --git a/koji-setup/deploy-koji.sh b/koji-setup/deploy-koji.sh index d22b425..4a6689d 100755 --- a/koji-setup/deploy-koji.sh +++ b/koji-setup/deploy-koji.sh 
@@ -7,11 +7,12 @@ SCRIPT_DIR="$(dirname "$(realpath "$0")")" source "$SCRIPT_DIR"/globals.sh source "$SCRIPT_DIR"/parameters.sh -swupd bundle-add koji || : -check_dependency koji -check_dependency httpd -check_dependency kojira -check_dependency postgres +# Install all the required packages (some live in the epel repo, so we need to install that too) +dnf config-manager --set-enabled powertools +dnf install epel-release +dnf install koji-hub mod_ssl koji koji-web koji-utils +dnf module enable postgresql:10 +dnf install postgresql-server ## SETTING UP SSL CERTIFICATES FOR AUTHENTICATION mkdir -p "$KOJI_PKI_DIR"/{certs,private} @@ -202,6 +203,9 @@ Alias /kojifiles "$KOJI_DIR" EOF +# SELinux changes to allow db access +setsebool -P httpd_can_network_connect_db 1 + # Koji Web mkdir -p /etc/kojiweb cat > /etc/kojiweb/web.conf <<- EOF @@ -252,6 +256,11 @@ chown kojiadmin:kojiadmin "$ADMIN_KOJI_DIR"/config mkdir -p "$KOJI_DIR"/{packages,repos,work,scratch,repos-dist} chown -R "$HTTPD_USER":"$HTTPD_USER" "$KOJI_DIR" +# twealk SELinux to allow $HTTPD_USER write access +setsebool -P allow_httpd_anon_write=1 +semanage fcontext -a -t public_content_rw_t "/mnt/koji(/.*)?" +restorecon -r -v /mnt/koji + ## Apache Configuration Files mkdir -p /etc/httpd/conf.d cat > /etc/httpd/conf.d/ssl.conf <<- EOF @@ -302,6 +311,12 @@ cat > /etc/httpd/conf.modules.d/ssl.conf <<- EOF LoadModule ssl_module lib/httpd/modules/mod_ssl.so EOF +# allow httpd access through firewall +firewall-cmd --permanent --add-service=http +firewall-cmd --permanent --add-service=https +firewall-cmd --reload + +# enable and start the httpd service systemctl enable --now httpd diff --git a/koji-setup/globals.sh b/koji-setup/globals.sh index d7fceb7..69d2f27 100644 --- a/koji-setup/globals.sh +++ b/koji-setup/globals.sh 
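Review bot: The five `dnf` lines in the first hunk run without `-y`, so on an unattended deploy each install stops at a confirmation prompt, and the hunk drops the `check_dependency` calls without adding any status check, so a failed install goes unnoticed before the script continues to write the SSL and httpd configuration. Use `dnf -y install ...` (and `dnf -y module enable postgresql:10`) and fail on a non-zero status, e.g. `dnf -y install koji-hub mod_ssl koji koji-web koji-utils || exit 1`, unless the top of the script (outside this hunk) already sets `set -e`. `dnf config-manager` is provided by dnf-plugins-core, which may itself need installing on a minimal Rocky image before the powertools line runs.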
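Review bot: The `semanage fcontext` and `restorecon` lines in the `/mnt/koji` hunk hard-code the path while the two lines directly above them create and chown the same tree via `"$KOJI_DIR"`; if `KOJI_DIR` in globals.sh is ever changed, httpd gets write access on the wrong directory and the real one stays unlabeled. Change them to `semanage fcontext -a -t public_content_rw_t "${KOJI_DIR}(/.*)?"` and `restorecon -R -v "$KOJI_DIR"`. `semanage fcontext -a` also errors when the rule already exists, so a second run of the script fails at this line; a `semanage fcontext -l | grep -q` guard or a `-m` fallback avoids that. `allow_httpd_anon_write` is the legacy alias of `httpd_anon_write`, and if the hub is the only writer, labeling the tree `httpd_sys_rw_content_t` would give httpd the same write access without enabling the system-wide anon-write boolean — worth confirming against the koji-hub policy before changing.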
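Review bot: The firewall hunk opens the `http` service as well as `https`, although the conf.d/ssl.conf and conf.modules.d/ssl.conf files written just above it configure mod_ssl; if the hub, web UI and `/kojifiles` are only served over TLS, port 80 can stay closed and `--add-service=https` alone is enough — confirm which port the builders fetch `/kojifiles` from before dropping it. The three `firewall-cmd` calls also return non-zero and change nothing when firewalld is not active, so without a status check the script proceeds to `systemctl enable --now httpd` with the ports still closed and no rule recorded. A guard such as `systemctl is-active --quiet firewalld || echo "warning: firewalld not running, ports not opened" >&2` makes that visible in the deploy log.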
@@ -9,7 +9,7 @@ export GIT_DEFAULT_DIR=/var/lib/gitolite export POSTGRES_USER=postgres export POSTGRES_DEFAULT_DIR=/var/lib/pgsql -export HTTPD_USER=httpd +export HTTPD_USER=apache export HTTPD_DOCUMENT_ROOT=/var/www/html export KOJI_PKI_DIR=/etc/pki/koji