Add selinux settings

README.md

@@ -5,7 +5,7 @@
 The purpose of these scripts it to enable setting up a koji environment quickly
 with reasonable configurations.
 
-These scripts have been borrowed from Clear Linux and modofied to suit the smeserver (Koozali.org) setup.
+These scripts have been borrowed from Clear Linux and modified to suit the smeserver (Koozali.org) setup.
 
 ## Assumptions
 
@@ -15,16 +15,14 @@ These scripts have been borrowed from Clear Linux and modofied to suit the smese
 * Basic configurations (e.g. network, time, etc.) have been applied
 * Only one koji builder is required
 
-## Unsupported Environments
-
-* Systems that are not starting as dedicated and clean
-* Systems that are not based on Rocky 8 Linux OS*
-
-For unsupported environments, it will be up to the sysadmin to proceed at their
-own discretion and fix issues that may arise on their own.
-
 ## Getting Going
 
+1. Copy these scripts into your ~/bin directory and make sure they are executeable
+
+        mkdir -p ~/bin
+        cp <path where you copied the scripts> ~/bin/.
+        chmod a+x ~/bin/*.sh
+
 1. Edit parameters.sh as needed. If running in a production environment, be
 sure to supply reasonable SSL certificate field values.
 
@@ -54,5 +52,3 @@ builder machine
 
         deploy-koji-nfs-client.sh
         deploy-koji-builder.sh
-
-*Other names and brands may be claimed as the property of others.

koji-setup/deploy-koji.sh

@@ -7,11 +7,12 @@ SCRIPT_DIR="$(dirname "$(realpath "$0")")"
 source "$SCRIPT_DIR"/globals.sh
 source "$SCRIPT_DIR"/parameters.sh
 
-swupd bundle-add koji || :
+# Install all the required packages (some live in the epel repo, so we need to install that too)
-check_dependency koji
+dnf config-manager --set-enabled powertools
-check_dependency httpd
+dnf install epel-release
-check_dependency kojira
+dnf install koji-hub mod_ssl koji koji-web koji-utils
-check_dependency postgres
+dnf module enable postgresql:10
+dnf install postgresql-server
 
 ## SETTING UP SSL CERTIFICATES FOR AUTHENTICATION
 mkdir -p "$KOJI_PKI_DIR"/{certs,private}
@@ -202,6 +203,9 @@ Alias /kojifiles "$KOJI_DIR"
 </Location>
 EOF
 
+# SELinux changes to allow db access
+setsebool -P httpd_can_network_connect_db 1
+
 # Koji Web
 mkdir -p /etc/kojiweb
 cat > /etc/kojiweb/web.conf <<- EOF
@@ -252,6 +256,11 @@ chown kojiadmin:kojiadmin "$ADMIN_KOJI_DIR"/config
 mkdir -p "$KOJI_DIR"/{packages,repos,work,scratch,repos-dist}
 chown -R "$HTTPD_USER":"$HTTPD_USER" "$KOJI_DIR"
 
+# twealk SELinux to allow $HTTPD_USER write access
+setsebool -P allow_httpd_anon_write=1
+semanage fcontext -a -t public_content_rw_t "/mnt/koji(/.*)?"
+restorecon -r -v /mnt/koji
+
 ## Apache Configuration Files
 mkdir -p /etc/httpd/conf.d
 cat > /etc/httpd/conf.d/ssl.conf <<- EOF
@@ -302,6 +311,12 @@ cat > /etc/httpd/conf.modules.d/ssl.conf <<- EOF
 LoadModule ssl_module lib/httpd/modules/mod_ssl.so
 EOF
 
+# allow httpd access through firewall
+firewall-cmd --permanent --add-service=http
+firewall-cmd --permanent --add-service=https
+firewall-cmd --reload
+
+# enable and start the httpd service
 systemctl enable --now httpd
 
 

koji-setup/globals.sh

@@ -9,7 +9,7 @@ export GIT_DEFAULT_DIR=/var/lib/gitolite
 export POSTGRES_USER=postgres
 export POSTGRES_DEFAULT_DIR=/var/lib/pgsql
 
-export HTTPD_USER=httpd
+export HTTPD_USER=apache
 export HTTPD_DOCUMENT_ROOT=/var/www/html
 
 export KOJI_PKI_DIR=/etc/pki/koji