preflight.sh: Write SELinux policy if needed
* preflight.sh: write selinux policy if needed

SSH Push in the "tunnel" flavor can conflict with SELinux policies
shipped by operating systems. The default policies are not aware of
the additional port we need for the tunnel.

The preflight.sh script is executed at the beginning of bootstrapping to
download the Salt Bundle and allow Salt code execution. To allow for this
download, a custom policy is written when SELinux is enabled and the system is
managed via a tunnel. The policy is only written and loaded once.

Fixes bsc#1217594

(cherry picked from commit bc2d962)

* preflight.sh: Fix shell syntax (uyuni-project#8165)

In Bash, the string to the right of the =~ operator is interpreted as a POSIX
extended regular expression. A quoted expression is matched literally, therefore
we can't quote the string on the right side.

Other than that, there were a few slips (redirection, missing "fi", missing "+" in
regex).

(cherry picked from commit 3eaae2b)
agraul authored Feb 1, 2024
1 parent 4d2863f commit 42d4c86
Showing 2 changed files with 23 additions and 1 deletion.
22 changes: 21 additions & 1 deletion susemanager-utils/susemanager-sls/salt-ssh/preflight.sh
@@ -14,7 +14,12 @@ if ! [ "${SH_NAME}" = "bash" ]; then
fi

REPO_HOST=$1
REPO_PORT=$2
if [[ $2 =~ ^[0-9]+$ ]]; then
REPO_PORT=$2
else
echo 'Error: $2 (REPO_PORT) must be an integer.' >&2
exit 254
fi
FAIL_ON_ERROR=1
if [ "$3" = "1" ]; then
FAIL_ON_ERROR=0
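Review bot: the new `[[ $2 =~ ^[0-9]+$ ]]` check only confirms that REPO_PORT is a string of digits, so values such as `0` or `70000` pass and are later interpolated unchecked into the SELinux `portcon` rule in the hunk below; validating the range here gives a clearer failure than whatever `semodule -i` reports. Since the script already enforces bash (the `SH_NAME` check just above), a range test is cheap, e.g. `if [[ $2 =~ ^[0-9]+$ ]] && (( $2 >= 1 && $2 <= 65535 )); then`. Two smaller points: the message is single-quoted, so `$2` is printed literally and the rejected value is never shown, whereas `echo "Error: REPO_PORT must be an integer, got '$2'." >&2` would show it; and the rest of the script reports failures through `exit_with_message_code` (see the SELinux hunk), so if that helper is defined before this point, using it here would keep error handling consistent instead of the bare `exit 254`.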
@@ -195,6 +200,21 @@ elif [ "${INSTALLER}" = "apt" ]; then
fi
fi

SELINUX_POLICY_FILENAME="salt_ssh_port_forwarding.cil"
function selinux_policy_loaded {
semodule -l | grep -x $SELINUX_POLICY_FILENAME
}

# Our SSH tunnel uses a custom port and we must configure SELinux to account for it
if [[ $REPO_HOST == "localhost" ]] && command -v selinuxenabled && selinuxenabled; then
if ! selinux_policy_loaded; then
echo "(portcon tcp ${REPO_PORT} (system_u object_r ssh_port_t ((s0)(s0))))" >$SELINUX_POLICY_FILENAME
if ! semodule -i $SELINUX_POLICY_FILENAME; then
exit_with_message_code "Error: Failed to install SELinux policy." 7
fi
fi
fi

VENV_FILE="venv-enabled-${ARCH}.txt"
VENV_ENABLED_URL="${CLIENT_REPO_URL}/${VENV_FILE}"
$FETCH $VENV_ENABLED_URL > /dev/null 2>&1
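Review bot: `selinux_policy_loaded` compares the output of `semodule -l` against the file name `salt_ssh_port_forwarding.cil`, but `semodule -l` lists module names without the file extension (a module installed from `foo.cil` shows up as `foo`), so `grep -x` never matches, the policy file is regenerated and `semodule -i` re-runs on every preflight, and the "only written and loaded once" behaviour described in the commit message does not hold. Suggest keeping a separate module name, e.g. `SELINUX_POLICY_NAME="salt_ssh_port_forwarding"` and `semodule -l | grep -qx "$SELINUX_POLICY_NAME"` (`-q` also stops the matched name from being echoed to stdout). Two related points: the CIL file is written with a relative path into whatever the current working directory happens to be and is never removed, so a `mktemp` file deleted after `semodule -i` would avoid leaving policy fragments behind; and `command -v selinuxenabled` prints the binary path on success, so redirect it to `/dev/null` to keep the output clean.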
@@ -0,0 +1,2 @@
- Dynamically load an SELinux policy for "Push via SSH tunnel" for SELinux
enabled clients. This policy allows communication over a custom SSH port.
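Review bot: the changelog entry covers only the SELinux policy; the REPO_PORT validation in the same commit is also user-visible (a non-integer second argument now aborts preflight with exit code 254), so a second line for it would help anyone correlating bootstrap failures with this change.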

0 comments on commit 42d4c86