CFY-3237-Enable-enforcing-selinux

new/components/amqpinflux/scripts/create.sh

@@ -17,7 +17,6 @@ export RABBITMQ_CERT_ENABLED="$(ctx -j node properties rabbitmq_ssl_enabled)"
 export RABBITMQ_CERT_PUBLIC="$(ctx node properties rabbitmq_cert_public)"
 
 ctx logger info "Installing AQMPInflux..."
-set_selinux_permissive
 
 copy_notice "amqpinflux"
 create_dir "${AMQPINFLUX_HOME}"

new/components/elasticsearch/scripts/create.sh

@@ -25,7 +25,6 @@ export ES_CONF_PATH="/etc/elasticsearch"
 
 function install_elasticsearch() {
     ctx logger info "Installing Elasticsearch..."
-    set_selinux_permissive
 
     copy_notice "elasticsearch"
     create_dir ${ES_HOME}

new/components/influxdb/scripts/create.sh

@@ -19,7 +19,6 @@ export INFLUXDB_LOG_PATH="/var/log/cloudify/influxdb"
 
 function install_influxdb() {
     ctx logger info "Installing InfluxDB..."
-    set_selinux_permissive
 
     copy_notice "influxdb"
     create_dir ${INFLUXDB_HOME}

new/components/java/scripts/create.sh

@@ -6,17 +6,12 @@ JAVA_SOURCE_URL=$(ctx node properties java_rpm_source_url)
 
 
 ctx logger info "Installing Java..."
-set_selinux_permissive
 copy_notice "java"
 
 if [[ "$JAVA_SOURCE_URL" == *rpm ]]; then
     yum_install ${JAVA_SOURCE_URL}
 fi
 
-# Make sure the cloudify logs dir exists before we try moving the java log there
-# -p will cause it not to error if the dir already exists
-create_dir "/var/log/cloudify"
-
 # Java install log is dropped in /var/log. Move it to live with the rest of the cloudify logs
 if [ -f "/var/log/java_install.log" ]; then
     sudo mv "/var/log/java_install.log" "/var/log/cloudify"

new/components/logstash/scripts/create.sh

@@ -26,7 +26,6 @@ if [[ -z "${RABBITMQ_USERNAME}" ]] ||
 fi
 
 ctx logger info "Installing Logstash..."
-set_selinux_permissive
 
 copy_notice "logstash"
 

new/components/mgmtworker/scripts/create.sh

@@ -41,7 +41,6 @@ broker_ssl_enabled="$(echo ${RABBITMQ_SSL_ENABLED} | tr '[:upper:]' '[:lower:]')
 ctx instance runtime_properties rabbitmq_ssl_enabled "${broker_ssl_enabled}"
 
 ctx logger info "Installing Management Worker..."
-set_selinux_permissive
 
 copy_notice "mgmtworker"
 create_dir ${MGMTWORKER_HOME}

new/components/nginx/config/default.conf

@@ -26,8 +26,8 @@ server {
   listen              {{ ctx.instance.runtime_properties.ssl_rest_service_port }} ssl;
   server_name         _;
 
-  ssl_certificate     /root/cloudify/server.crt;
-  ssl_certificate_key /root/cloudify/server.key;
+  ssl_certificate     /etc/nginx/cloudify.crt;
+  ssl_certificate_key /etc/nginx/cloudify.key;
 
   access_log          /var/log/cloudify/nginx/cloudify.access.log;
   error_log           /var/log/cloudify/nginx/cloudify.error.log;
@@ -98,4 +98,4 @@ server {
     allow             all;
     deny              all;
   }
-}
+}

new/components/nginx/config/selinux/file-contexts

@@ -0,0 +1,3 @@
+# Ensure there is a new line at the end of this file or it may break when deployed
+/var/log/cloudify/nginx(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+

new/components/nginx/config/selinux/type-enforcement

@@ -0,0 +1,11 @@
+# This file must exist with the above line for the policy (with file contexts, etc) to be compiled
+# Ensure there is a new line at the end of this file or it may break when deployed
+policy_module(cloudify-nginx, 1.0.0)
+
+require {
+  type httpd_t;
+  type tor_port_t;
+}
+
+allow httpd_t tor_port_t:tcp_socket name_connect;
+

new/components/nginx/scripts/create.sh

@@ -13,7 +13,9 @@ export MANAGER_RESOURCES_HOME="/opt/manager/resources"
 export MANAGER_AGENTS_PATH="${MANAGER_RESOURCES_HOME}/packages/agents"
 export MANAGER_SCRIPTS_PATH="${MANAGER_RESOURCES_HOME}/packages/scripts"
 export MANAGER_TEMPLATES_PATH="${MANAGER_RESOURCES_HOME}/packages/templates"
-export SSL_CERTS_ROOT="/root/cloudify"
+export SSL_CERTS_ROOT="/etc/nginx"
+
+export SELINUX_ENFORCING="$(ctx -j node properties selinux_enforcing)"
 
 # this is propagated to the agent retrieval script later on so that it's not defined twice.
 ctx instance runtime_properties agent_packages_path "${MANAGER_AGENTS_PATH}"
@@ -24,7 +26,6 @@ ctx instance runtime_properties ssl_rest_service_port "443"
 ctx instance runtime_properties internal_rest_service_port "8101"
 
 ctx logger info "Installing Nginx..."
-set_selinux_permissive
 
 copy_notice "nginx"
 create_dir ${NGINX_LOG_PATH}
@@ -45,8 +46,23 @@ deploy_blueprint_resource "${CONFIG_REL_PATH}/rest-location.cloudify" "/etc/ngin
 deploy_logrotate_config "nginx"
 
 ctx logger info "Copying SSL Certs..."
-deploy_blueprint_resource "${SSL_RESOURCES_REL_PATH}/server.crt" "${SSL_CERTS_ROOT}/server.crt"
-deploy_blueprint_resource "${SSL_RESOURCES_REL_PATH}/server.key" "${SSL_CERTS_ROOT}/server.key"
+deploy_blueprint_resource "${SSL_RESOURCES_REL_PATH}/server.crt" "${SSL_CERTS_ROOT}/cloudify.crt"
+sudo chown root.root "${SSL_CERTS_ROOT}/cloudify.crt"
+deploy_blueprint_resource "${SSL_RESOURCES_REL_PATH}/server.key" "${SSL_CERTS_ROOT}/cloudify.key"
+sudo chown root.root "${SSL_CERTS_ROOT}/cloudify.key"
+sudo chmod 400 "${SSL_CERTS_ROOT}/cloudify.key"
+
+if [[ "${SELINUX_ENFORCING}" == 'true' ]]; then
+  apply_selinux_policy nginx "${CONFIG_REL_PATH}/selinux"
+
+  fix_selinux_file_contexts /etc/nginx
+  fix_selinux_file_contexts /var/log/cloudify/nginx
+
+  allow_selinux_port_tcp http_port_t 8101
+  allow_selinux_port_tcp http_port_t 53229
+  # tcp/9001 is required as well, but this is defined in another policy, from which it cannot be removed
+  # as a result, it access has been allowed for httpd_t to tor_port_t to allow use of this port
+fi
 
 sudo systemctl enable nginx.service &>/dev/null
 

new/components/python/scripts/create.sh

@@ -7,7 +7,6 @@ PIP_SOURCE_RPM_URL=$(ctx node properties pip_source_rpm_url)
 INSTALL_PYTHON_COMPILERS=$(ctx node properties install_python_compilers)
 
 ctx logger info "Installing Python requirements..."
-set_selinux_permissive
 copy_notice "python"
 
 yum_install ${PIP_SOURCE_RPM_URL}

new/components/rabbitmq/config/selinux/file-contexts

@@ -0,0 +1,4 @@
+# Ensure there is a new line at the end of this file or it may break when deployed
+/var/log/cloudify/rabbitmq(/.*)? gen_context(system_u:object_r:rabbitmq_var_log_t,s0)
+/etc/rabbitmq(/.*)? gen_context(system_u:object_r:etc_t,s0)
+

new/components/rabbitmq/config/selinux/type-enforcement

@@ -0,0 +1,4 @@
+# This file must exist with the above line for the policy (with file contexts, etc) to be compiled
+# Ensure there is a new line at the end of this file or it may break when deployed
+policy_module(cloudify-rabbitmq, 1.0.0)
+

new/components/rabbitmq/scripts/create.sh

@@ -10,9 +10,9 @@ export RABBITMQ_FD_LIMIT=$(ctx node properties rabbitmq_fd_limit)
 
 export RABBITMQ_LOG_PATH="/var/log/cloudify/rabbitmq"
 
+export SELINUX_ENFORCING="$(ctx -j node properties selinux_enforcing)"
 
 ctx logger info "Installing RabbitMQ..."
-set_selinux_permissive
 
 copy_notice "rabbitmq"
 create_dir "${RABBITMQ_LOG_PATH}"
@@ -41,22 +41,6 @@ sudo systemctl daemon-reload
 ctx logger info "Chowning RabbitMQ logs path..."
 sudo chown rabbitmq:rabbitmq ${RABBITMQ_LOG_PATH}
 
-ctx logger info "Starting RabbitMQ Server in Daemonized mode..."
-sudo systemctl start cloudify-rabbitmq.service
-
-ctx logger info "Enabling RabbitMQ Plugins..."
-# Occasional timing issues with rabbitmq starting have resulted in failures when first trying to enable plugins
-run_command_with_retries "sudo rabbitmq-plugins enable rabbitmq_management"
-run_command_with_retries "sudo rabbitmq-plugins enable rabbitmq_tracing"
-
-ctx logger info "Disabling RabbitMQ guest user"
-run_command_with_retries "sudo rabbitmqctl clear_permissions guest"
-run_command_with_retries "sudo rabbitmqctl delete_user guest"
-
-ctx logger info "Creating new RabbitMQ user and setting permissions"
-run_command_with_retries sudo rabbitmqctl add_user ${RABBITMQ_USERNAME} ${RABBITMQ_PASSWORD}
-run_noglob_command_with_retries sudo rabbitmqctl set_permissions ${RABBITMQ_USERNAME} '.*' '.*' '.*'
-
 # Deploy certificates if both have been provided. Complain loudly if one has been provided and the other hasn't.
 if [[ "${RABBITMQ_SSL_ENABLED}" == 'true' ]]; then
   if [[ -n "${RABBITMQ_CERT_PRIVATE}" ]]; then
@@ -81,6 +65,29 @@ else
   fi
 fi
 
+if [[ "${SELINUX_ENFORCING}" == 'true' ]]; then
+  apply_selinux_policy rabbitmq "${CONFIG_REL_PATH}/selinux"
+
+  fix_selinux_file_contexts /etc/rabbitmq
+  fix_selinux_file_contexts /var/log/cloudify/rabbitmq
+fi
+
+ctx logger info "Starting RabbitMQ Server in Daemonized mode..."
+sudo systemctl start cloudify-rabbitmq.service
+
+ctx logger info "Enabling RabbitMQ Plugins..."
+# Occasional timing issues with rabbitmq starting have resulted in failures when first trying to enable plugins
+run_command_with_retries "sudo rabbitmq-plugins enable rabbitmq_management"
+run_command_with_retries "sudo rabbitmq-plugins enable rabbitmq_tracing"
+
+ctx logger info "Disabling RabbitMQ guest user"
+run_command_with_retries "sudo rabbitmqctl clear_permissions guest"
+run_command_with_retries "sudo rabbitmqctl delete_user guest"
+
+ctx logger info "Creating new RabbitMQ user and setting permissions"
+run_command_with_retries sudo rabbitmqctl add_user ${RABBITMQ_USERNAME} ${RABBITMQ_PASSWORD}
+run_noglob_command_with_retries sudo rabbitmqctl set_permissions ${RABBITMQ_USERNAME} '.*' '.*' '.*'
+
 ctx logger info "Stopping RabbitMQ Service..."
 # Systemd service stopping has been returning non zero when successful
 set +e

new/components/restservice/config/selinux/file-contexts

@@ -0,0 +1,10 @@
+# Ensure there is a new line at the end of this file or it may break when deployed
+/opt/manager/resources(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/usr/lib/systemd/system/cloudify-restservice.service gen_context(system_u:object_r:httpd_unit_file_t,s0)
+/opt/manager/run_manager gen_context(system_u:object_r:httpd_exec_t,s0)
+/opt/manager/env(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+# This must come after the /env(/.*)? definition or it will be overridden
+/opt/manager/env/bin/.* gen_context(system_u:object_r:httpd_exec_t,s0)
+/opt/manager/.*\.conf gen_context(system_u:object_r:httpd_config_t,s0)
+/var/log/cloudify/rest(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+

new/components/restservice/config/selinux/type-enforcement

@@ -0,0 +1,13 @@
+# This file must exist with the above line for the policy (with file contexts, etc) to be compiled
+# Ensure there is a new line at the end of this file or it may break when deployed
+policy_module(cloudify-restservice, 1.0.0)
+
+require {
+  type httpd_t;
+  type httpd_var_lib_t;
+}
+
+allow httpd_t httpd_var_lib_t:file entrypoint;
+allow httpd_t httpd_var_lib_t:lnk_file read;
+allow httpd_t httpd_var_lib_t:lnk_file getattr;
+

new/components/restservice/scripts/create.sh

@@ -36,7 +36,6 @@ export MANAGER_REST_SECURITY_CONFIG_PATH="${REST_SERVICE_HOME}/rest-security.con
 export REST_SERVICE_LOG_PATH="/var/log/cloudify/rest"
 
 ctx logger info "Installing REST Service..."
-set_selinux_permissive
 
 copy_notice "restservice"
 create_dir ${REST_SERVICE_HOME}

new/components/restservice/scripts/preconfigure.sh

@@ -4,8 +4,23 @@
 CONFIG_REL_PATH="components/restservice/config"
 REST_SERVICE_HOME="/opt/manager"
 
+export SELINUX_ENFORCING="$(ctx -j source node properties selinux_enforcing)"
+
 ctx logger info "Deploying REST Security configuration file..."
 sec_settings=$(ctx -j target node properties security)
 # TODO: do not print to stdout
 echo $sec_settings | sudo tee "${REST_SERVICE_HOME}/rest-security.conf"
-configure_systemd_service "restservice"
+configure_systemd_service "restservice"
+
+if [[ "${SELINUX_ENFORCING}" == 'true' ]]; then
+  apply_selinux_policy restservice "${CONFIG_REL_PATH}/selinux"
+
+  fix_selinux_file_contexts /usr/lib/systemd/system/cloudify-restservice.service
+  fix_selinux_file_contexts /opt/manager
+  fix_selinux_file_contexts /var/log/cloudify/rest
+
+  allow_selinux_port_tcp http_port_t 9200
+  allow_selinux_port_tcp http_port_t 8100
+  allow_selinux_port_tcp http_port_t 5672
+  allow_selinux_port_tcp http_port_t 5671
+fi

new/components/riemann/scripts/create.sh

@@ -28,7 +28,6 @@ if [[ -z "${RABBITMQ_USERNAME}" ]] ||
 fi
 
 ctx logger info "Installing Riemann..."
-set_selinux_permissive
 
 copy_notice "riemann"
 create_dir ${RIEMANN_LOG_PATH}

new/components/selinux/config/config

@@ -0,0 +1,11 @@
+# This file controls the state of SELinux on the system.
+# SELINUX= can take one of these three values:
+#     enforcing - SELinux security policy is enforced.
+#     permissive - SELinux prints warnings instead of enforcing.
+#     disabled - No SELinux policy is loaded.
+SELINUX={{ ctx.instance.runtime_properties.selinux_mode }}
+# SELINUXTYPE= can take one of three two values:
+#     targeted - Targeted processes are protected,
+#     minimum - Modification of targeted policy. Only selected processes are protected. 
+#     mls - Multi Level Security protection.
+SELINUXTYPE=targeted

new/components/selinux/scripts/create.sh

@@ -0,0 +1,38 @@
+#!/bin/bash -e
+
+. $(ctx download-resource "components/utils")
+
+CONFIG_REL_PATH="components/selinux/config"
+
+export SELINUX_ENFORCING="$(ctx -j node properties selinux_enforcing)"
+
+# Ensure log directories exist before we start (they may be needed here and will be needed elsewhere)
+create_dir /var/log/cloudify
+
+if [[ "${SELINUX_ENFORCING}" == 'true' ]]; then
+  # Make SELinux enforce policy
+  ctx instance runtime_properties selinux_mode enforcing
+
+  # Apply the change without a reboot
+  sudo setenforce 1
+
+  # Install required tools for managing SELinux
+  yum_install "policycoreutils-python" >/dev/null
+  yum_install "selinux-policy-devel" >/dev/null
+
+  # Ensure general SELinux policies are set that apply across most applications
+  sudo semanage fcontext -a -s system_u -t var_log_t '/var/log/cloudify(/.*)?'
+  sudo restorecon -F -R -v /var/log/cloudify
+else
+  # Make SELinux only log violations of policy
+  # This is preferred to 'disabled' as it allows enabling without a reboot if so desired later
+  ctx instance runtime_properties selinux_mode permissive
+
+  # Apply the change without a reboot
+  sudo setenforce 0
+fi
+
+# Persist the setting after reboot
+deploy_blueprint_resource "${CONFIG_REL_PATH}/config" "/etc/selinux/config"
+sudo chown root.root /etc/selinux/config
+sudo chmod 644 /etc/selinux/config