update and add selinux

Signed-off-by: Toshaan Bharvani <toshaan@powerel.org>

SOURCES/icingadb.fc

@@ -0,0 +1,9 @@
+# Systemd unit file and its drop-in config directory (if any)
+/usr/lib/systemd/system/icingadb\..*  --     gen_context(system_u:object_r:icingadb_unit_file_t,s0)
+
+/etc/icingadb(/.*)?		gen_context(system_u:object_r:icingadb_etc_t,s0)
+
+# `sbindir` can be both `/usr/sbin` or `/usr/bin` depending on the used OS hence we need to make sure
+# that this pattern matches on both paths. You can check for the SELinux fcontext Equivalence (if any)
+# on your system as follows: `semanage fcontext -l | grep '/usr/sbin = /usr/bin'`
+/usr/s?bin/icingadb --	gen_context(system_u:object_r:icingadb_exec_t,s0)

SOURCES/icingadb.service

@@ -1,6 +1,6 @@
 [Unit]
 Description=Icinga DB
-After=syslog.target network-online.target icingadb-redis.service mariadb.service
+After=syslog.target network-online.target icingadb-redis.service mariadb.service postgresql.service
 
 [Service]
 Type=notify

SOURCES/icingadb.te

@@ -0,0 +1,82 @@
+policy_module(icingadb, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow Icinga DB to connect to all ports
+## </p>
+## </desc>
+gen_tunable(icingadb_can_connect_all, false)
+
+type icingadb_t;
+type icingadb_exec_t;
+init_daemon_domain(icingadb_t, icingadb_exec_t)
+
+type icingadb_unit_file_t;
+systemd_unit_file(icingadb_unit_file_t)
+
+type icingadb_etc_t;
+files_config_file(icingadb_etc_t)
+
+########################################
+#
+# icingadb local policy
+#
+
+list_dirs_pattern(icingadb_t, icingadb_etc_t, icingadb_etc_t)
+read_files_pattern(icingadb_t, icingadb_etc_t, icingadb_etc_t)
+read_lnk_files_pattern(icingadb_t, icingadb_etc_t, icingadb_etc_t)
+
+miscfiles_read_generic_certs(icingadb_t)
+
+# Allow read access to the localization files like `/etc/localtime` etc. labeled with the `locale_t` type.
+miscfiles_read_localization(icingadb_t)
+
+# Allow to perform DNS name resolution. This will also call the `sysnet_read_config` interface implicitly,
+# which grants read access to all system config files labeled with the `net_conf_t` type.
+sysnet_dns_name_resolve(icingadb_t)
+
+# We don't explicitly access any sys kernel files, but the Go runtime seems to access some files at startup,
+# which is labeled with the `sysfs_t` type. So, we need to at least grant read access the `icingadb_t` domain
+# to these files. Use the following command to find out which files are accessed by the `icingadb` daemon:
+# $ strace -f -e trace=openat,read /usr/sbin/icingadb
+dev_read_sysfs(icingadb_t)
+
+# Starting with Go 1.25, the Go runtime tries to read cgroup information from `/sys/fs/cgroup`.
+# So, we need to allow Icinga DB to search and read these files. Use the above `strace` command
+# to verify which files are accessed.
+fs_search_cgroup_dirs(icingadb_t)
+fs_read_cgroup_files(icingadb_t)
+
+optional_policy(`
+    logging_send_syslog_msg(icingadb_t)
+')
+
+corenet_tcp_connect_redis_port(icingadb_t)
+# Consider using the `redis_stream_connect(icingadb_t)` interface once we've dropped AL2
+# to get rid of the `redis_t` and `redis_var_run_t` required types.
+optional_policy(`
+    require {
+        type redis_t;
+        type redis_var_run_t;
+    }
+    stream_connect_pattern(icingadb_t, redis_var_run_t, redis_var_run_t, redis_t)
+')
+
+corenet_tcp_connect_mysqld_port(icingadb_t)
+optional_policy(`
+    mysql_stream_connect(icingadb_t)
+')
+
+corenet_tcp_connect_postgresql_port(icingadb_t)
+optional_policy(`
+    postgresql_stream_connect(icingadb_t)
+')
+
+tunable_policy(`icingadb_can_connect_all',`
+    corenet_tcp_connect_all_ports(icingadb_t)
+')

SPECS/icingadb.spec

@@ -9,7 +9,7 @@
 %define service %{name}.service
 
 Name:           icingadb
-Version:        1.3.0
+Version:        1.5.0
 Release:        1%{?dist}
 Summary:        Icinga DB
 Group:          System Environment/Daemons
@@ -17,6 +17,8 @@ License:        GPLv2+
 URL:            https://%{provider_prefix}
 #Source0:        https://%{import_path}/archive/v%{version}.tar.gz
 Source1:        icingadb.service
+Source2:        icingadb.fc
+Source3:        icingadb.te
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}
 BuildRequires:  gcc
 BuildRequires:  git
@@ -25,17 +27,43 @@ Requires(pre):  shadow-utils
 
 
 %description
-Icinga DB
+Icinga DB is a set of components for publishing, synchronizing and
+visualizing monitoring data in the Icinga ecosystem.
+This is the Icinga DB daemon, which synchronizes monitoring data
+between a Redis® server and a database.
+
+
+%package selinux
+Summary: SELinux policy module for Icinga DB
+Group: System/Base
+Requires: icingadb = %{version}
+Requires: selinux-policy
+Requires: icinga-selinux-common
+Requires(post): policycoreutils
+Requires(postun): policycoreutils
+BuildArch: noarch
+BuildRequires: checkpolicy
+BuildRequires: selinux-policy-devel
+%description selinux
+SELinux policy module for Icinga DB daemon.
 
 
 %prep
 %setup -q -T -c %{name}-%{version}
 git clone https://%{provider_prefix} .
 
+
 %build
 git checkout v%{version}
 go build -v -gcflags "-m" -ldflags "-extldflags -s -w -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \n') -buildid "%{version}"" -buildvcs=false -trimpath ./cmd/icingadb
 go build -v -gcflags "-m" -ldflags "-extldflags -s -w -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \n') -buildid "%{version}"" -buildvcs=false -trimpath ./cmd/icingadb-migrate
+cp %{SOURCE2} .
+cp %{SOURCE3} .
+for variant in mls targeted; do
+make NAME=${variant} -f /usr/share/selinux/devel/Makefile
+mv icingadb.pp icingadb.pp.${variant}
+make NAME=${variant} -f /usr/share/selinux/devel/Makefile clean
+done
 
 
 %install
@@ -49,6 +77,9 @@ install -m 0644 config.example.yml %{buildroot}%{configdir}/config.yml
 install -m 0644 %{S:1} %{buildroot}%{_unitdir}/
 install -d -m 0755 %{buildroot}%{_datadir}/%{name}
 cp -rv schema/ %{buildroot}%{_datadir}/%{name}/
+for variant in mls targeted; do
+install -Dpm 644 icingadb.pp.${variant} %_topdir/BUILD/icingadb-1.5.0-build/BUILDROOT/usr/share/selinux/${variant}/icingadb.pp
+done
 
 
 %pre
@@ -62,6 +93,20 @@ getent passwd icingadb >/dev/null || useradd -r -g icingadb -d /etc/icingadb -s
 %systemd_postun %{service}
 
 
+%post selinux
+for variant in mls targeted; do
+  /usr/sbin/semodule --store ${variant} --install /usr/share/selinux/${variant}/icingadb.pp &> /dev/null || :
+done
+/sbin/fixfiles -R icingadb restore &> /dev/null || :
+%postun selinux
+if [ $1 -eq 0 ]; then
+  for variant in mls targeted; do
+    /usr/sbin/semodule --store ${variant} --remove icingadb &> /dev/null || :
+  done
+  /sbin/fixfiles -R icingadb restore &> /dev/null || :
+fi
+
+
 %clean
 rm -rf %{buildroot}
 
@@ -79,4 +124,9 @@ rm -rf %{buildroot}
 %config(noreplace) %{configdir}/config.yml
 
 
+%files selinux
+%{_datadir}/selinux/mls/icingadb.pp
+%{_datadir}/selinux/targeted/icingadb.pp
+
+
 %changelog