Deploying SELinux userspace and SETools4 using Ansible


Motivation

When a bug is reported against Fedora or Red Hat Enterprise Linux, we need to check whether it is a downstream bug, or whether it is still present (or already fixed) upstream. For such cases it is useful to have a simple mechanism to replace the downstream code from packages with code built from the latest upstream sources.

The manual process is a little complicated

You need to perform several steps in the right order to remove the SELinux packages and install the SELinux userspace from source.

  1. Install build dependencies

    # dnf install git gcc make audit-libs-devel bison bzip2-devel dbus-devel dbus-glib-devel flex \
    flex-devel flex-static glib2-devel libcap-devel libcap-ng-devel pam-devel pcre-devel python-devel \
    swig ustr-devel xmlto redhat-rpm-config python-setuptools qt-devel
  2. Clone the repositories

    # cd /usr/local/src
    
    # git clone https://github.com/SELinuxProject/selinux.git
    
    # git clone https://github.com/TresysTechnology/setools.git
  3. Build userspace and install it under a private directory

    First, we need to build the sources and install them into a directory other than /. This lets us remove the SELinux packages later while libselinux remains available.

    # cd /usr/local/src/selinux
    
    # make CFLAGS="`rpm --eval '%{optflags}'`" \
    DESTDIR=/usr/local/selinux LIBDIR=/usr/local/selinux/usr/lib64 SHLIBDIR=/usr/local/selinux/lib64 \
    install install-pywrap relabel
  4. Make the current shell use the newly installed libraries

    # export LD_LIBRARY_PATH=/usr/local/selinux/usr/lib64/:/usr/local/selinux/lib64/
  5. Remove SELinux packages

    # rpm -qa libsepol\* libselinux\* libsemanage\* policycoreutils\* checkpolicy\* secilc\* setools\* \
    | sed 's/\(.*\)-[^-]*-[^-]*/\1/' | xargs rpm -e --nodeps
    Note: The system is unusable now. Almost every important service and tool depends on libselinux, even when SELinux is disabled. Thanks to the export in step 4, however, the current shell still uses the newly installed libraries from /usr/local/selinux.
  6. Install SELinux userspace to /

    # make CFLAGS="`rpm --eval '%{optflags}'`" LIBDIR=/usr/lib64 SHLIBDIR=/lib64 \
    install install-pywrap relabel
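The following script is an added example, not part of the original post or of its playbook. It wraps steps 3 to 6 into one guarded run: it reuses the post's paths (/usr/local/src/selinux as the source tree, /usr/local/selinux as the private prefix) and assumes steps 1 and 2 have already been done. The point it adds is the check before step 5: the packages are only removed once the private libselinux exists and the library search path already points at it, because after `rpm -e` there is no way back for a shell that has not been pointed at the private copy. DRY_RUN=1 (the default) prints the commands instead of running them; the DRY_RUN and SELINUX_REBUILD variables are this example's own.

```sh
#!/bin/sh
# Added example, not the post's own script. Guarded form of steps 3-6:
# build into a private prefix, point the shell at it, verify, then remove
# the packages and install to /. Paths are the ones used in the post.
SRC="${SRC:-/usr/local/src/selinux}"
PREFIX="${PREFIX:-/usr/local/selinux}"
DRY_RUN="${DRY_RUN:-1}"      # example-specific: 1 = only print commands

# Run a command, or just print it in dry-run mode.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf 'DRY-RUN: %s\n' "$*"
    else
        "$@"
    fi
}

# Strip "-<version>-<release>" from one "rpm -qa" line, using the same sed
# expression as step 5: "libselinux-2.6-1.fc25.x86_64" -> "libselinux".
pkg_name() {
    printf '%s\n' "$1" | sed 's/\(.*\)-[^-]*-[^-]*/\1/'
}

# Guard for step 5: the private libselinux must exist under the prefix ($1)
# and the library search path ($2, normally $LD_LIBRARY_PATH) must list both
# private lib directories. Otherwise removing the packages leaves this shell
# without libselinux, which is the "system is unusable" situation in the note.
private_libs_ready() {
    [ -e "$1/lib64/libselinux.so.1" ] || \
        [ -e "$1/usr/lib64/libselinux.so.1" ] || return 1
    case ":$2:" in
        *":$1/usr/lib64/:"*|*":$1/usr/lib64:"*) ;;
        *) return 1 ;;
    esac
    case ":$2:" in
        *":$1/lib64/:"*|*":$1/lib64:"*) return 0 ;;
        *) return 1 ;;
    esac
}

main() {
    set -e
    cflags="$(rpm --eval '%{optflags}')"   # same CFLAGS as the post
    cd "$SRC"

    # Step 3: install under the private prefix, not /.
    run make CFLAGS="$cflags" DESTDIR="$PREFIX" \
        LIBDIR="$PREFIX/usr/lib64" SHLIBDIR="$PREFIX/lib64" \
        install install-pywrap relabel

    # Step 4: make this shell use the private libraries.
    LD_LIBRARY_PATH="$PREFIX/usr/lib64/:$PREFIX/lib64/"
    export LD_LIBRARY_PATH

    # Step 5: refuse to remove packages until the private copy is usable.
    if ! private_libs_ready "$PREFIX" "$LD_LIBRARY_PATH"; then
        echo "private libselinux not usable under $PREFIX; refusing step 5" >&2
        [ "$DRY_RUN" = 1 ] || exit 1
    fi
    for p in $(rpm -qa 'libsepol*' 'libselinux*' 'libsemanage*' \
                      'policycoreutils*' 'checkpolicy*' 'secilc*' 'setools*'); do
        run rpm -e --nodeps "$(pkg_name "$p")"
    done

    # Step 6: install to the system's real library directories.
    run make CFLAGS="$cflags" LIBDIR=/usr/lib64 SHLIBDIR=/lib64 \
        install install-pywrap relabel
}

# Only act when explicitly asked (SELINUX_REBUILD=1), so the file can be
# sourced for its helper functions without touching the system.
if [ "${SELINUX_REBUILD:-0}" = 1 ]; then
    main
fi
```

Run it first as `SELINUX_REBUILD=1 sh rebuild.sh` to see the dry-run command list, then with `DRY_RUN=0` as root once the output looks right; the guard is what turns the note in step 5 from a warning into a check.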

How to do it using Ansible

I wrote an Ansible role and playbook that perform the previous steps for me with two simple commands:

$ git clone https://gitlab.com/bachradsusi/SELinux-ansible-playbook.git

$ ansible-playbook -i plautrba-fedora-25.virt, -k \
--extra-vars "selinux_version=policycoreutils-2.6" SELinux-ansible-playbook/SELinuxuserspace.yml

SELinuxuserspace playbook

A simple playbook that prepares the system using the SELinux_development role and then runs the build_and_install.sh script, which performs all the actions described above.

SELinux_development role

This is a simple role that installs all build requirements on the system and clones the source repositories. It can be configured using the Ansible variables selinux_version and setools_version; in the example above, SELinux is built from the policycoreutils-2.6 tag.

