# -*- mode: ruby -*-
# vi: set ft=ruby :

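# Provisioning script (shell) shared by every VM defined below: build the
# reference policy from the synced /vagrant checkout, install it into the
# "refpolicy" module store, make it the configured policy type and relabel
# the filesystem.  It runs as root (Vagrant's shell provisioner default) and
# assumes build.conf has already been pointed at the right DISTRO.
#
# The heredoc is single-quoted on purpose: with an interpolating heredoc Ruby
# rewrites backslash escapes before the shell ever sees the script ("\s" in the
# sestatus grep would become a plain space, "\.\*" in the fcontext grep would
# lose its backslashes), so the patterns only worked by accident.  Nothing in
# this script needs Ruby interpolation, so what you read here is exactly what
# the shell runs.
$install_refpolicy = <<-'SHELL'
  # fail as soon as a command failed
  set -e

  # we set to permissive to allow loading and working with reference policy as opposed to fedora's fork
  # NOTE: this is a development VM; the machine stays permissive until the
  # reboot announced at the end of this script
  echo "Setting SELinux to Permissive Mode..."
  setenforce 0

  # build the reference policy as the unprivileged vagrant user; only the
  # install steps below need root
  sudo -su vagrant make -C /vagrant bare
  sudo -su vagrant make -C /vagrant conf
  sudo -su vagrant make -C /vagrant all
  sudo -su vagrant make -C /vagrant validate
  # drop the modules of a previous build so stale .pp files are not reinstalled
  rm -f /usr/share/selinux/refpolicy/*.pp
  make -C /vagrant install
  make -C /vagrant install-headers
  semodule -s refpolicy -i /usr/share/selinux/refpolicy/*.pp

  # Load the module specific to Vagrant VM
  semodule -s refpolicy -i /vagrant/support/vagrant-vm.cil

  # switch /etc/selinux/config to the refpolicy store unless it is already the
  # loaded policy (the new policy type only becomes active after a reboot)
  if ! (LANG=C sestatus -v | grep '^Loaded policy name:\s*refpolicy$' > /dev/null)
  then
      # Use the reference policy
      sed -i -e 's/^SELINUXTYPE=.*/SELINUXTYPE=refpolicy/' /etc/selinux/config
  fi
  semodule --reload

  # allow every domain to use /dev/urandom
  semanage boolean --modify --on global_ssp

  # allow opening SSH sessions as unconfined_u and sysadm_u
  semanage boolean --modify --on ssh_sysadm_login

  # allow systemd-tmpfiles to manage every file
  semanage boolean --modify --on systemd_tmpfiles_manage_all

  # make vagrant user use unconfined_u context
  # (the vagrant account is the development login of this VM; mapping it to
  # unconfined_u means SELinux does not confine it at all, which is intended
  # here but not something to copy into a production mapping)
  if ! (semanage login -l | grep '^vagrant' > /dev/null)
  then
      echo "Configuring SELinux context for vagrant user"
      semanage login -a -s unconfined_u vagrant
  fi

  # label /vagrant as vagrant's home files; modify the mapping if a previous
  # run already added it, otherwise add it
  if semanage fcontext --list | grep '^/vagrant(/\.\*)?'
  then
      semanage fcontext -m -s unconfined_u -t user_home_t '/vagrant(/.*)?'
  else
      semanage fcontext -a -s unconfined_u -t user_home_t '/vagrant(/.*)?'
  fi

  # Update interface_info so the sepolgen tooling (audit2allow & co.) knows
  # the refpolicy interfaces rather than the distribution policy's
  sepolgen-ifgen -o /var/lib/sepolgen/interface_info -i /usr/share/selinux/refpolicy

  # apply the new policy's file contexts to the whole filesystem before the
  # machine is rebooted into enforcing mode
  echo "Relabelling the system..."
  restorecon -RF /

  echo "If this is a fresh install, you need to reboot in order to enable enforcing mode"
SHELL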

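# All Vagrant configuration is done below. The "2" in Vagrant.configure
# configures the configuration version (we support older styles for
# backwards compatibility). Please don't change it unless you know what
# you're doing.
#
# Two development VMs are defined, "fedora" and "debian".  Each one installs
# the distribution's SELinux tooling, points /vagrant/build.conf at the right
# DISTRO and then runs $install_refpolicy (defined above) to build and install
# the reference policy from the /vagrant checkout.
Vagrant.configure("2") do |config|
  # build a Fedora 30 VM
  config.vm.define "fedora" do |fedora|
    fedora.vm.box = "fedora/30-cloud-base"
    # assign a nice hostname
    fedora.vm.hostname = "selinux-fedora-devel"
    # give it a private internal IP address (a Vagrant private network is not
    # reachable from outside the host machine)
    fedora.vm.network "private_network", type: "dhcp"

    # Customize the amount of memory on the VM
    fedora.vm.provider "virtualbox" do |vb|
      vb.memory = 1024
    end
    fedora.vm.provider "libvirt" do |lv|
      lv.memory = 1024
    end

    # Enable provisioning with a shell script. Additional provisioners such as
    # Puppet, Chef, Ansible, Salt, and Docker are also available. Please see the
    # documentation for more information about their specific syntax and use.
    fedora.vm.provision "shell", run: "once", inline: <<-SHELL
      # abort on the first failing command, so a failed package install does
      # not fall through into the policy build with a confusing error later
      set -e

      echo "Upgrading DNF..."
      dnf upgrade -q -y dnf >/dev/null

      # install a few packages to make this machine ready to go out of the box
      # (man-pages is listed once here; it used to be installed separately too)
      echo "Installing SELinux dev dependencies..."
      dnf install -q -y \
        bash-completion \
        gcc \
        man-pages \
        vim \
        make \
        kernel-devel \
        selinux-policy-devel \
        libselinux-python3 \
        >/dev/null

      # configure the reference policy for Fedora: the settings are appended,
      # and a later make assignment overrides an earlier one in build.conf
      if ! grep '^DISTRO = fedora$' /vagrant/build.conf > /dev/null
      then
        echo 'DISTRO = fedora' >> /vagrant/build.conf
        echo 'SYSTEMD = y' >> /vagrant/build.conf
        echo 'UBAC = n' >> /vagrant/build.conf
      fi

      #{$install_refpolicy}
    SHELL
  end

  # build a Debian 10 VM
  config.vm.define "debian" do |debian|
    debian.vm.box = "debian/buster64"
    # assign a nice hostname
    debian.vm.hostname = "selinux-debian-devel"
    # give it a private internal IP address (a Vagrant private network is not
    # reachable from outside the host machine)
    debian.vm.network "private_network", type: "dhcp"

    # Customize the amount of memory on the VM
    debian.vm.provider "virtualbox" do |vb|
      vb.memory = 1024
    end
    debian.vm.provider "libvirt" do |lv|
      lv.memory = 1024
    end

    # redefine the /vagrant as a synced folder (not an NFS share), in order to work cleanly on it
    # rsync is one-way (host -> guest), so edits made to /vagrant inside the
    # guest, such as the build.conf lines appended below, are overwritten on
    # the next sync and re-applied by the provisioner.  .vagrant/ is Vagrant's
    # per-machine state directory (it typically holds the generated SSH private
    # keys) and has no business being copied into the guest.
    debian.vm.synced_folder ".", "/vagrant", disabled: true
    debian.vm.synced_folder ".", "/vagrant", type: "rsync",
      rsync__exclude: ".vagrant/"

    debian.vm.provision "shell", run: "once", inline: <<-SHELL
      # abort on the first failing command, so a failed package install does
      # not fall through into the policy build with a confusing error later
      set -e

      # install a few packages to make this machine ready to go out of the box
      # NOTE(review): --no-install-recommends is used; confirm that semanage and
      # sepolgen-ifgen (policycoreutils-python-utils on Debian), which the
      # provisioning script below relies on, are still pulled in by these packages
      echo "Installing SELinux dev dependencies..."
      export DEBIAN_FRONTEND=noninteractive
      apt-get -qq update
      apt-get install --no-install-recommends --no-install-suggests -qy \
        bash-completion \
        gcc \
        git \
        libc6-dev \
        vim \
        make \
        auditd \
        selinux-basics \
        selinux-policy-default \
        selinux-policy-dev \
        setools

      # If SELinux is not enabled, enable it with Debian's policy and ask for a reboot
      # (exit 0 so the provisioner reports success; the refpolicy install runs
      # on the next "vagrant provision" once SELinux is active)
      if ! selinuxenabled
      then
        echo "Enabling SELinux for Debian according to https://wiki.debian.org/SELinux/Setup"
        selinux-activate
        echo "Please reboot now in order to enable SELinux:"
        echo "vagrant reload debian && vagrant provision debian"
        exit 0
      fi

      # configure the reference policy for Debian: the settings are appended,
      # and a later make assignment overrides an earlier one in build.conf
      if ! grep '^DISTRO = debian$' /vagrant/build.conf > /dev/null
      then
        echo 'DISTRO = debian' >> /vagrant/build.conf
        echo 'SYSTEMD = y' >> /vagrant/build.conf
        echo 'UBAC = n' >> /vagrant/build.conf
      fi

      #{$install_refpolicy}
    SHELL
  end
end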