Merge pull request #55 from fuero/feature-rpm-package

RPM package + SELinux policy
2026-03-30 12:05:38 +00:00 · 2019-09-11 21:05:49 +08:00
parent b78329afbc 637d50ad91
commit 48618aa6e2
8 changed files with 596 additions and 0 deletions
--- a/contrib/rpm/dns-over-https-2.1.2-systemd.patch
+++ b/contrib/rpm/dns-over-https-2.1.2-systemd.patch
@@ -0,0 +1,36 @@
+diff -Naur dns-over-https-2.1.2.org/systemd/doh-client.service dns-over-https-2.1.2/systemd/doh-client.service
+--- dns-over-https-2.1.2.org/systemd/doh-client.service	2019-09-10 12:08:35.177574074 +0200
+++ dns-over-https-2.1.2/systemd/doh-client.service	2019-09-10 12:10:05.473700374 +0200
+@@ -7,12 +7,12 @@
+ 
+ [Service]
+ AmbientCapabilities=CAP_NET_BIND_SERVICE
+-ExecStart=/usr/local/bin/doh-client -conf /etc/dns-over-https/doh-client.conf
+ExecStart=/usr/bin/doh-client -conf /etc/dns-over-https/doh-client.conf
+ LimitNOFILE=1048576
+ Restart=always
+ RestartSec=3
+ Type=simple
+-User=nobody
+User=doh-client
+ 
+ [Install]
+ WantedBy=multi-user.target
+diff -Naur dns-over-https-2.1.2.org/systemd/doh-server.service dns-over-https-2.1.2/systemd/doh-server.service
+--- dns-over-https-2.1.2.org/systemd/doh-server.service	2019-09-10 12:08:35.177574074 +0200
+++ dns-over-https-2.1.2/systemd/doh-server.service	2019-09-10 12:10:20.980273992 +0200
+@@ -5,12 +5,12 @@
+ 
+ [Service]
+ AmbientCapabilities=CAP_NET_BIND_SERVICE
+-ExecStart=/usr/local/bin/doh-server -conf /etc/dns-over-https/doh-server.conf
+ExecStart=/usr/bin/doh-server -conf /etc/dns-over-https/doh-server.conf
+ LimitNOFILE=1048576
+ Restart=always
+ RestartSec=3
+ Type=simple
+-User=nobody
+User=doh-server
+ 
+ [Install]
+ WantedBy=multi-user.target
--- a/contrib/rpm/doh.spec
+++ b/contrib/rpm/doh.spec
@@ -0,0 +1,240 @@
+# vim: tabstop=4 shiftwidth=4 expandtab
+%global _hardened_build 1
+# Debug package is empty anyway
+%define debug_package %{nil}
+
+%global _release        1
+%global provider        github
+%global provider_tld    com
+%global project         m13253
+%global repo            dns-over-https
+%global provider_prefix %{provider}.%{provider_tld}/%{project}/%{repo}
+%global import_path     %{provider_prefix}
+
+#define commit          984df34ca7b45897ecb5871791e398cc160a4b93
+
+%if 0%{?commit:1}
+%define shortcommit     %(c=%{commit}; echo ${c:0:7})
+%define _date           %(date +'%%Y%%m%%dT%%H%%M%%S')
+%endif
+
+%define rand_id         %(head -c20 /dev/urandom|od -An -tx1|tr -d '[[:space:]]')
+
+%if ! 0%{?gobuild:1}
+%define gobuild(o:) go build -ldflags "${LDFLAGS:-} -B 0x%{rand_id}" -a -v -x %{?**};
+%endif
+
+%if ! 0%{?gotest:1}
+%define gotest() go test -ldflags "${LDFLAGS:-}" %{?**}
+%endif
+
+Name:           %{repo}
+Version:        2.1.2
+%if 0%{?commit:1}
+Release:    %{_release}.git%{shortcommit}.%{_date}%{?dist}
+Source0:        https://%{import_path}/archive/%{commit}.tar.gz
+%else
+Release:        %{_release}%{?dist}
+Source0:        https://%{import_path}/archive/v%{version}.tar.gz
+%endif
+Patch0:         %{name}-%{version}-systemd.patch
+
+Summary:        High performance DNS over HTTPS client & server
+License:        MIT
+URL:            https://github.com/m13253/dns-over-https
+
+
+# e.g. el6 has ppc64 arch without gcc-go, so EA tag is required
+# If go_compiler is not set to 1, there is no virtual provide. Use golang instead.
+#BuildRequires:  %{?go_compiler:compiler(go-compiler)}%{!?go_compiler:golang} >= 1.10
+BuildRequires:  golang >= 1.10
+BuildRequires:  systemd
+BuildRequires:  upx
+
+%description
+%{summary}
+
+%package common
+BuildArch: noarch
+Summary: %{summary} - common files
+
+%description common
+%{summary}
+
+%package server
+ExclusiveArch:  %{?go_arches:%{go_arches}}%{!?go_arches:%{ix86} x86_64 %{arm}}
+Summary: %{summary} - Server
+Requires(pre):          shadow-utils
+Requires(post):         systemd
+Requires(preun):        systemd
+Requires(postun):       systemd
+
+%description server
+%{summary}
+
+%package client
+ExclusiveArch:  %{?go_arches:%{go_arches}}%{!?go_arches:%{ix86} x86_64 %{arm}}
+Summary: %{summary} - Client
+Requires(pre):          shadow-utils
+Requires(post):         systemd
+Requires(preun):        systemd
+Requires(postun):       systemd
+
+%description client
+%{summary}
+
+%package selinux
+BuildArch:      noarch
+
+Source3:        doh_server.fc
+Source4:        doh_server.if
+Source5:        doh_server.te
+Source6:        doh_client.fc
+Source7:        doh_client.if
+Source8:        doh_client.te
+
+BuildRequires:  selinux-policy
+BuildRequires:  selinux-policy-devel
+Requires:       %{name}
+
+Requires(post):     policycoreutils
+Requires(post):     policycoreutils-python 
+Requires(postun):   policycoreutils
+
+Summary: SELinux policy for %{name}
+
+%description selinux
+%summary
+ 
+%prep
+%if 0%{?commit:1}
+%autosetup -n %{name}-%{commit} -p1
+%else
+%autosetup -n %{name}-%{version} -p1
+%endif
+
+mkdir -p selinux
+cp %{SOURCE3} %{SOURCE4} %{SOURCE5} %{SOURCE6} %{SOURCE7} %{SOURCE8} selinux
+
+%build
+cd selinux
+make -f /usr/share/selinux/devel/Makefile doh_server.pp doh_client.pp || exit
+cd -
+
+%set_build_flags
+%make_build \
+    PREFIX=%{_prefix} \
+    GOBUILD="go build -ldflags \"-s -w -B 0x%{rand_id}\" -a -v -x"
+
+%install
+%make_install \
+    PREFIX=%{_prefix}
+install -Dpm 0600 selinux/doh_server.pp %{buildroot}%{_datadir}/selinux/packages/doh_server.pp
+install -Dpm 0644 selinux/doh_server.if %{buildroot}%{_datadir}/selinux/devel/include/contrib/doh_server.if
+install -Dpm 0600 selinux/doh_client.pp %{buildroot}%{_datadir}/selinux/packages/doh_client.pp
+install -Dpm 0644 selinux/doh_client.if %{buildroot}%{_datadir}/selinux/devel/include/contrib/doh_client.if
+
+mkdir -p %{buildroot}%{_docdir}/%{name}
+mv %{buildroot}%{_sysconfdir}/%{name}/*.example %{buildroot}%{_docdir}/%{name}
+
+mkdir -p %{buildroot}%{_libdir}
+mv %{buildroot}%{_sysconfdir}/NetworkManager %{buildroot}%{_libdir}/
+
+for i in $(find %{_buildroot}%{_bindir} -type f)
+do
+    upx $i
+done
+
+%files common
+%license LICENSE
+%doc Changelog.md Readme.md
+
+%files server
+%{_libdir}/NetworkManager/dispatcher.d/doh-server
+%{_docdir}/%{name}/doh-server.conf.example
+%config(noreplace) %{_sysconfdir}/%{name}/doh-server.conf
+%{_bindir}/doh-server
+%{_unitdir}/doh-server.service
+
+%files client
+%{_libdir}/NetworkManager/dispatcher.d/doh-client
+%{_docdir}/%{name}/doh-client.conf.example
+%config(noreplace) %{_sysconfdir}/%{name}/doh-client.conf
+%{_bindir}/doh-client
+%{_unitdir}/doh-client.service
+
+%pre server
+test -d %{_sharedstatedir}/home || mkdir -p %{_sharedstatedir}/home
+getent group doh-server > /dev/null || groupadd -r doh-server
+getent passwd doh-server > /dev/null || \
+    useradd -r -d %{_sharedstatedir}/home/doh-server -g doh-server \
+    -s /sbin/nologin -c "%{name} - server" doh-server
+exit 0
+
+%pre client
+test -d %{_sharedstatedir}/home || mkdir -p %{_sharedstatedir}/home
+getent group doh-client > /dev/null || groupadd -r doh-client
+getent passwd doh-client > /dev/null || \
+    useradd -r -d %{_sharedstatedir}/home/doh-client -g doh-client \
+    -s /sbin/nologin -c "%{name} - client" doh-client
+exit 0
+
+%post server
+%systemd_post doh-server.service
+
+%preun server
+%systemd_preun doh-server.service
+
+%postun server
+%systemd_postun_with_restart doh-server.service
+
+%post client
+%systemd_post doh-client.service
+
+%preun client
+%systemd_preun doh-client.service
+
+%postun client
+%systemd_postun_with_restart doh-client.service
+
+%files selinux
+%{_datadir}/selinux/packages/doh_server.pp
+%{_datadir}/selinux/devel/include/contrib/doh_server.if
+%{_datadir}/selinux/packages/doh_client.pp
+%{_datadir}/selinux/devel/include/contrib/doh_client.if
+
+%post selinux
+semodule -n -i %{_datadir}/selinux/packages/doh_server.pp
+semodule -n -i %{_datadir}/selinux/packages/doh_client.pp
+if /usr/sbin/selinuxenabled ; then
+    /usr/sbin/load_policy
+    /usr/sbin/fixfiles -R %{name}-server restore
+    /usr/sbin/fixfiles -R %{name}-client restore
+fi;
+semanage -i - << __eof
+port -a -t doh_server_port_t -p tcp "8053"
+port -a -t doh_client_port_t -p udp "5380"
+__eof
+exit 0
+
+%postun selinux
+if [ $1 -eq 0 ]; then
+    semanage -i - << __eof
+port -d -t doh_server_port_t -p tcp "8053"
+port -d -t doh_client_port_t -p udp "5380"
+__eof
+
+    semodule -n -r doh_server
+    semodule -n -r doh_client
+    if /usr/sbin/selinuxenabled ; then
+       /usr/sbin/load_policy
+       /usr/sbin/fixfiles -R %{name}-server restore
+       /usr/sbin/fixfiles -R %{name}-client restore
+    fi;
+fi;
+exit 0
+
+%changelog
+* Tue Sep 10 2019 fuero <fuerob@gmail.com> 2.1.2-1
+- initial package
+
--- a/contrib/rpm/doh_client.fc
+++ b/contrib/rpm/doh_client.fc
@@ -0,0 +1,2 @@
+/usr/bin/doh-client					--	gen_context(system_u:object_r:doh_client_exec_t,s0)
+/usr/lib/systemd/system/doh-client.service		--	gen_context(system_u:object_r:doh_client_unit_file_t,s0)
--- a/contrib/rpm/doh_client.if
+++ b/contrib/rpm/doh_client.if
@@ -0,0 +1,103 @@
+
+## <summary>policy for doh_client</summary>
+
+########################################
+## <summary>
+##	Execute doh_client_exec_t in the doh_client domain.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`doh_client_domtrans',`
+	gen_require(`
+		type doh_client_t, doh_client_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, doh_client_exec_t, doh_client_t)
+')
+
+######################################
+## <summary>
+##	Execute doh_client in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`doh_client_exec',`
+	gen_require(`
+		type doh_client_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	can_exec($1, doh_client_exec_t)
+')
+########################################
+## <summary>
+##	Execute doh_client server in the doh_client domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`doh_client_systemctl',`
+	gen_require(`
+		type doh_client_t;
+		type doh_client_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+        systemd_read_fifo_file_passwd_run($1)
+	allow $1 doh_client_unit_file_t:file read_file_perms;
+	allow $1 doh_client_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, doh_client_t)
+')
+
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an doh_client environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`doh_client_admin',`
+	gen_require(`
+		type doh_client_t;
+	type doh_client_unit_file_t;
+	')
+
+	allow $1 doh_client_t:process { signal_perms };
+	ps_process_pattern($1, doh_client_t)
+
+    tunable_policy(`deny_ptrace',`',`
+        allow $1 doh_client_t:process ptrace;
+    ')
+
+	doh_client_systemctl($1)
+	admin_pattern($1, doh_client_unit_file_t)
+	allow $1 doh_client_unit_file_t:service all_service_perms;
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
+')
--- a/contrib/rpm/doh_client.te
+++ b/contrib/rpm/doh_client.te
@@ -0,0 +1,49 @@
+policy_module(doh_client, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type doh_client_t;
+type doh_client_exec_t;
+init_daemon_domain(doh_client_t, doh_client_exec_t)
+
+type doh_client_port_t;
+
+corenet_port(doh_client_port_t)
+
+type doh_client_unit_file_t;
+systemd_unit_file(doh_client_unit_file_t)
+
+########################################
+#
+# doh_client local policy
+#
+allow doh_client_t self:fifo_file rw_fifo_file_perms;
+allow doh_client_t self:unix_stream_socket create_stream_socket_perms;
+
+allow doh_client_t self:capability net_bind_service;
+allow doh_client_t self:process execmem;
+allow doh_client_t self:tcp_socket { accept bind connect create getattr getopt listen read setopt write };
+allow doh_client_t self:udp_socket { bind connect create getattr read setopt write };
+
+allow doh_client_t doh_client_exec_t:file execmod;
+allow doh_client_t doh_client_port_t:tcp_socket name_bind;
+
+corenet_tcp_bind_dns_port(doh_client_t)
+corenet_tcp_bind_generic_node(doh_client_t)
+corenet_tcp_connect_http_port(doh_client_t)
+corenet_udp_bind_dns_port(doh_client_t)
+corenet_udp_bind_generic_node(doh_client_t)
+corenet_udp_bind_generic_port(doh_client_t)
+kernel_read_net_sysctls(doh_client_t)
+kernel_search_network_sysctl(doh_client_t)
+miscfiles_read_certs(doh_client_t)
+sysnet_read_config(doh_client_t)
+
+domain_use_interactive_fds(doh_client_t)
+
+files_read_etc_files(doh_client_t)
+
+miscfiles_read_localization(doh_client_t)
--- a/contrib/rpm/doh_server.fc
+++ b/contrib/rpm/doh_server.fc
@@ -0,0 +1,2 @@
+/usr/bin/doh-server					--	gen_context(system_u:object_r:doh_server_exec_t,s0)
+/usr/lib/systemd/system/doh-server.service		--	gen_context(system_u:object_r:doh_server_unit_file_t,s0)
--- a/contrib/rpm/doh_server.if
+++ b/contrib/rpm/doh_server.if
@@ -0,0 +1,122 @@
+
+## <summary>policy for doh_server</summary>
+
+########################################
+## <summary>
+##	Execute doh_server_exec_t in the doh_server domain.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`doh_server_domtrans',`
+	gen_require(`
+		type doh_server_t, doh_server_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, doh_server_exec_t, doh_server_t)
+')
+
+######################################
+## <summary>
+##	Execute doh_server in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`doh_server_exec',`
+	gen_require(`
+		type doh_server_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	can_exec($1, doh_server_exec_t)
+')
+########################################
+## <summary>
+##	Execute doh_server server in the doh_server domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`doh_server_systemctl',`
+	gen_require(`
+		type doh_server_t;
+		type doh_server_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+        systemd_read_fifo_file_passwd_run($1)
+	allow $1 doh_server_unit_file_t:file read_file_perms;
+	allow $1 doh_server_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, doh_server_t)
+')
+
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an doh_server environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`doh_server_admin',`
+	gen_require(`
+		type doh_server_t;
+	type doh_server_unit_file_t;
+	')
+
+	allow $1 doh_server_t:process { signal_perms };
+	ps_process_pattern($1, doh_server_t)
+
+    tunable_policy(`deny_ptrace',`',`
+        allow $1 doh_server_t:process ptrace;
+    ')
+
+	doh_server_systemctl($1)
+	admin_pattern($1, doh_server_unit_file_t)
+	allow $1 doh_server_unit_file_t:service all_service_perms;
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
+')
+
+########################################
+## <summary>
+##      Make a TCP connection to the vault_ocsp_responder port.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`doh_server_connect',`
+        gen_require(`
+                type doh_server_port_t;
+		type $1;
+        ')
+
+        allow $1 doh_server_port_t:tcp_socket name_connect;
+')
--- a/contrib/rpm/doh_server.te
+++ b/contrib/rpm/doh_server.te
@@ -0,0 +1,42 @@
+policy_module(doh_server, 1.0.0)
+
+require {
+	class process execmem;
+	class tcp_socket { accept bind create read write getattr listen setopt connect getopt };
+	class udp_socket { connect create getattr setopt read write };
+	class file execmod;
+}
+
+type doh_server_t;
+type doh_server_exec_t;
+
+init_daemon_domain(doh_server_t, doh_server_exec_t)
+
+type doh_server_port_t;
+
+corenet_port(doh_server_port_t)
+
+type doh_server_unit_file_t;
+systemd_unit_file(doh_server_unit_file_t)
+
+allow doh_server_t self:fifo_file rw_fifo_file_perms;
+allow doh_server_t self:unix_stream_socket create_stream_socket_perms;
+allow doh_server_t self:process execmem;
+allow doh_server_t self:tcp_socket { accept read write bind create getattr listen setopt connect getopt};
+allow doh_server_t self:udp_socket { connect create getattr setopt read write };
+
+allow doh_server_t doh_server_exec_t:file execmod;
+allow doh_server_t doh_server_port_t:tcp_socket name_bind;
+
+domain_use_interactive_fds(doh_server_t)
+
+files_read_etc_files(doh_server_t)
+
+corenet_tcp_bind_generic_node(doh_server_t)
+corenet_tcp_connect_dns_port(doh_server_t)
+doh_server_connect(httpd_t)
+
+kernel_read_net_sysctls(doh_server_t)
+kernel_search_network_sysctl(doh_server_t)
+
+miscfiles_read_localization(doh_server_t)