dispatcher_action v1.3.0

interface-dispatcher renamed dispatcher_action and modified to be sourced
from NM dispatcher file.  The new usage allows for the correct SELinux
labeling with recent NetworkManager releases.

SELinux policy module has been updated to correctly work with newer
NetworkManager releases, while remaining compatible with current releases.
Policy module now has its own Makefile.

nmutils.spec file has been updated to build new SELinux module and use
new dispatcher_action naming.

.gitignore

@@ -3,7 +3,6 @@
 *.bak
 /test/run/
 /test/results/
-/selinux/nmutils.fc
 /selinux/nmutils.if
 /selinux/nmutils.pp*
 /selinux/tmp/

etc/nmutils/interface-dispatcher → etc/nmutils/dispatcher_action

@@ -2,7 +2,7 @@
 # -*- mode: sh; sh-basic-offset: 2; indent-tabs-mode: nil; -*-
 # vim:set ft=sh et sw=2 ts=2:
 #
-# interface-dispatcher v1.2.1 - service restart on interface change
+# dispatcher_action v1.3.0 - service restart on interface change
 # Author: Scott Shambarger <[email protected]>
 #
 # Copyright (C) 2015-2022 Scott Shambarger
@@ -20,11 +20,18 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 #
-# Copy this file to /etc/NetworkManager/dispatcher.d/<##>-<service>
+# Create a file named /etc/NetworkManager/dispatcher.d/<##>-ifd-<service>
 # (or wherever your distro has these files) where <##> is a 2-digit
-# number, and <service> is a systemd service name.  This dispatcher
-# will then restart or stop <service> based on interface availability
-# (ie, if daemon has a UDP listener)
+# number, and <service> is a systemd service name.  The file should be
+# executable and contain the following:
+#
+# --- start
+# #!/bin/bash
+# . /etc/nmutils/dispatcher_action
+# --- end
+#
+# This dispatcher will then restart or stop <service> based on interface
+# availability (ie, if daemon has a UDP listener)
 #
 # Config file required for operation:
 #   /etc/nmutils/conf/ifd-<service>-<interface>.conf (config)
@@ -60,43 +67,43 @@ NMG=${NMG:-${NMUTILS}/general-functions}
 { [[ -r ${NMG} ]] && . "${NMG}"; } || {
   echo 1>&2 "Unable to load $NMG" && exit 2; }
 
-# check dispatcher name format for ##-service
-echo "$0" | /bin/grep -q '^.*[0-9][0-9]-'
-[ $? -ne 0 ] && nmg_err "Invalid command name: $0" && exit 3
-
-SVC_UNIT=$(echo "$0" | sed 's/^.*[0-9][0-9]-//')
-[ -z "$SVC_UNIT" ] && nmg_err "Missing service name on $0" && exit 4
+# check dispatcher name format for ##-ifd-service
+SVC_UNIT=$0
+[[ ${SVC_UNIT} =~ ^.*[0-9][0-9]-ifd-([^/]+)$ ]] || {
+  nmg_err "Invalid command name: ${SVC_UNIT}" && exit 3
+}
+SVC_UNIT=${BASH_REMATCH[1]}
 
-SVC_CONFIG="$NMCONF/ifd-${SVC_UNIT}-${interface}.conf"
+SVC_CONFIG="${NMCONF}/ifd-${SVC_UNIT}-${interface}.conf"
 
 # see if we're configured for this interface
-nmg_read_config "$SVC_CONFIG" || exit 0
+nmg_read_config "${SVC_CONFIG}" || exit 0
 
 function svc_action() {
   # <restart-value> <stop-value>
-  local restart="$1" stop="$2"
-  if [ -n "$restart" ]; then
-    [ -n "$STATE_FILE" ] && nmg_write "$STATE_FILE" "$restart"
-    /usr/bin/systemctl 2>/dev/null -q is-enabled "$SVC_UNIT" || return 0
-    /usr/bin/systemctl reload-or-restart "$SVC_UNIT"
-  elif [ -n "$stop" ]; then
-    [ -n "$STATE_FILE" ] && nmg_remove "$STATE_FILE"
-    /usr/bin/systemctl stop "$SVC_UNIT"
+  local restart=$1 stop=$2
+  if [[ ${restart} ]]; then
+    [[ ${STATE_FILE} ]] && nmg_write "${STATE_FILE}" "${restart}"
+    /usr/bin/systemctl 2>/dev/null -q is-enabled "${SVC_UNIT}" || return 0
+    /usr/bin/systemctl reload-or-restart "${SVC_UNIT}"
+  elif [[ ${stop} ]]; then
+    [[ ${STATE_FILE} ]] && nmg_remove "${STATE_FILE}"
+    /usr/bin/systemctl stop "${SVC_UNIT}"
   fi
 }
 
-case "$action" in
+case "${action}" in
   up)
-    svc_action "$RESTART_UP" "$STOP_UP"
+    svc_action "${RESTART_UP}" "${STOP_UP}"
     ;;
   down)
-    svc_action "$RESTART_DOWN" "$STOP_DOWN"
+    svc_action "${RESTART_DOWN}" "${STOP_DOWN}"
     ;;
   dhcp4-change)
-    svc_action "$RESTART_CHANGE" "$STOP_CHANGE"
+    svc_action "${RESTART_CHANGE}" "${STOP_CHANGE}"
     ;;
   dhcp6-change)
-    svc_action "$RESTART_CHANGE6" "$STOP_CHANGE6"
+    svc_action "${RESTART_CHANGE6}" "${STOP_CHANGE6}"
     ;;
 esac
 

nmutils.spec

@@ -21,7 +21,7 @@
 %global selinuxmodulename nmutils
 
 Name:           nmutils
-Version:        20220612
+Version:        20220621
 Release:        1%{?dist}
 Summary:        Network Manager Utility Scripts
 BuildArch:      noarch
@@ -56,10 +56,10 @@ use with Gnome's NetworkManager dispatcher.
 Summary:        Selinux policy module
 BuildArch:      noarch
 License:        GPLv3+
-Requires:       selinux-policy-%{selinuxtype}
-Requires(post): selinux-policy-%{selinuxtype}
-Requires:       selinux-policy >= %{_selinux_policy_version}
+BuildRequires:  make
+BuildRequires:  bzip2
 BuildRequires:  selinux-policy-devel
+Requires(post): policycoreutils
 %{?selinux_requires}
 
 %description selinux
@@ -70,22 +70,13 @@ manage radvd and perform DDNS operations.
 
 %prep
 %autosetup
-# /etc/nmutils -> /usr/share/nmutils
+# /etc/nmutils -> <datadir>/nmutils
 # /usr/share/nmutils/conf -> <sysconf>/nmutils/conf
-# /etc/NM/dispatcher.d -> /usr/lib/NM/dispatcher.d
+# /etc/NM/dispatcher.d -> <prefix>/lib/NM/dispatcher.d
 # /etc/NetworkManager - > <sysconf>/NetworkManager
 find . -type f -exec bash -c 't=$(stat -c %y "$0"); %{__sed} -i -e "s|/etc/nmutils|%{_datadir}/nmutils|g" -e "s|%{_datadir}/nmutils/conf|%{_sysconfdir}/nmutils/conf|g" -e "s|/etc/NetworkManager/dispatcher.d|%{_prefix}/lib/NetworkManager/dispatcher.d|g" -e "s|/etc/NetworkManager|%{_sysconfdir}/NetworkManager|g" "$0"; touch -d "$t" "$0"' {} \;
-# interface-dispatcher doc is copy to <sysconf>/NetworkManager/dispatcher.d
-find . -type f -name interface-dispatcher -exec bash -c 't=$(stat -c %y "$0"); %{__sed} -i -e "s|%{_prefix}/lib/NetworkManager/dispatcher.d|%{_sysconfdir}/NetworkManager/dispatcher.d|g" "$0"; touch -d "$t" "$0"' {} \;
-
-%if %{with selinux}
-%build selinux
-pushd selinux
-%{__make} -f %{_datadir}/selinux/devel/Makefile %{selinuxmodulename}.pp
-%{__rm} -f %{selinuxmodulename}.pp.bz2
-bzip2 -9 %{selinuxmodulename}.pp
-popd
-%endif
+# Fix dispatcher_action doc to ref <sysconf>/NetworkManager/dispatcher.d
+find . -type f -name dispatcher_action -exec bash -c 't=$(stat -c %y "$0"); %{__sed} -i -e "s|%{_prefix}/lib/NetworkManager/dispatcher.d|%{_sysconfdir}/NetworkManager/dispatcher.d|g" "$0"; touch -d "$t" "$0"' {} \;
 
 %check
 %{__make} SRC_ROOT=%{buildroot} -C test
@@ -98,7 +89,6 @@ popd
 
 %{__install} -p etc/NetworkManager/dispatcher.d/* %{buildroot}%{_prefix}/lib/NetworkManager/dispatcher.d
 %{__install} -p -m 0644 etc/nmutils/* %{buildroot}%{_datadir}/nmutils
-%{__chmod} +x %{buildroot}%{_datadir}/nmutils/interface-dispatcher
 %{__install} -p -m 0644 etc/systemd/system/* %{buildroot}%{_unitdir}
 
 %if %{with selinux}
@@ -116,17 +106,6 @@ if [[ $1 -eq 0 ]] && command -v systemctl >/dev/null; then
   fi
 fi
 
-%if %{with selinux}
-%post selinux
-%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{selinuxmodulename}.pp.bz2 &> /dev/null
-
-%postun selinux
-if [ $1 -eq 0 ]; then
-  # Package removal, not upgrade
-  %selinux_modules_uninstall -s %{selinuxtype} %{selinuxmodulename}
-fi
-%endif
-
 %files
 %license LICENSE.md
 %doc README.md examples
@@ -136,14 +115,37 @@ fi
 %{_unitdir}/*
 
 %if %{with selinux}
+
+%build selinux
+pushd selinux
+%{__make} %{selinuxmodulename}.pp
+%{__rm} -f %{selinuxmodulename}.pp.bz2
+bzip2 -9 %{selinuxmodulename}.pp
+popd
+
+%pre selinux
+%selinux_relabel_pre -s %{selinuxtype}
+
+%post selinux
+%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{selinuxmodulename}.pp.bz2 || :
+
+%postun selinux
+if [ $1 -eq 0 ]; then
+  # Package removal, not upgrade
+  %selinux_modules_uninstall -s %{selinuxtype} %{selinuxmodulename} || :
+fi
+
+%posttrans selinux
+%selinux_relabel_post -s %{selinuxtype} || :
+
 %files selinux
 %license LICENSE.md
-%attr(0644,root,root) %{_datadir}/selinux/packages/%{selinuxtype}/%{selinuxmodulename}.pp.bz2 
+%attr(0644,root,root) %{_datadir}/selinux/packages/%{selinuxtype}/%{selinuxmodulename}.pp.bz2
 %ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{selinuxmodulename}
 %endif
 
 %changelog
-* Sun Jun 12 2022 Scott Shambarger <devel at shambarger.net> 20220612-1
+* Tue Jun 21 2022 Scott Shambarger <devel at shambarger.net> 20220621-1
 - Moved script libraries to datadir, handle instanced systemd files
 - Added SELinux subpackage
 

selinux/Makefile

@@ -0,0 +1,12 @@
+
+all: nmutils.pp
+
+nmutils.pp: nmutils.te nmutils.fc
+	@[ -f /usr/share/selinux/devel/Makefile ] || \
+	{ echo "Install selinux-policy-devel before compiling policy"; exit 1; }
+	make -f /usr/share/selinux/devel/Makefile $@
+
+clean:
+	@rm -f nmutils.pp
+	@rm -f nmutils.if
+	@rm -rf tmp/

selinux/nmutils.fc

@@ -0,0 +1,9 @@
+/etc/NetworkManager/dispatcher\.d/[0-9][0-9]-ifd-.* -- gen_context(system_u:object_r:nmutils_exec_t,s0)
+/etc/NetworkManager/dispatcher\.d/08-ipv6-prefix -- gen_context(system_u:object_r:nmutils_exec_t,s0)
+/etc/NetworkManager/dispatcher\.d/09-ddns -- gen_context(system_u:object_r:nmutils_exec_t,s0)
+/etc/NetworkManager/dispatcher\.d/90-transmission -- gen_context(system_u:object_r:nmutils_exec_t,s0)
+/etc/NetworkManager/dispatcher\.d/95-radvd-gen -- gen_context(system_u:object_r:nmutils_exec_t,s0)
+/usr/lib/NetworkManager/dispatcher\.d/08-ipv6-prefix -- gen_context(system_u:object_r:nmutils_exec_t,s0)
+/usr/lib/NetworkManager/dispatcher\.d/09-ddns -- gen_context(system_u:object_r:nmutils_exec_t,s0)
+/usr/lib/NetworkManager/dispatcher\.d/90-transmission -- gen_context(system_u:object_r:nmutils_exec_t,s0)
+/usr/lib/NetworkManager/dispatcher\.d/95-radvd-gen -- gen_context(system_u:object_r:nmutils_exec_t,s0)

selinux/nmutils.te

@@ -1,28 +1,29 @@
-policy_module(nmutils, 0.1.0)
+policy_module(nmutils, 0.2.0)
 
+#
+# Policy labels nmutils files in dispatcher.d as nmutils_exec_t (see .fc file)
+# and then defines domain transition so scripts are run in the initrc_t domain
+#
 require {
-	class chr_file { read getattr open };
-	class capability2 { block_suspend };
-	type random_device_t;
 	type dhcpc_t;
 	type NetworkManager_etc_t;
 	type NetworkManager_initrc_exec_t;
-};
+}
 
-# Required for 08-ipv6-prefix to spawn dhclient as a child of NetworkManager
-networkmanager_initrc_domtrans(dhcpc_t);
-networkmanager_read_conf(dhcpc_t);
-search_dirs_pattern(dhcpc_t, NetworkManager_etc_t, NetworkManager_initrc_exec_t);
-
-# Required for 08-ipv6-prefix to use ddns-functions and manage radvd
-# is a child of dhclient.
-
-# manage radvd
-radvd_admin(dhcpc_t, system_r);
+# define entry point, useable by NetworkManager and init scripts
+type nmutils_exec_t;
+init_script_file(nmutils_exec_t)
 
-# for nsupdate
-allow dhcpc_t random_device_t:chr_file { read getattr open };
-
-# for dig
-allow dhcpc_t self:capability2 block_suspend;
+# Required for dhclient to execute 08-ipv6-prefix
+search_dirs_pattern(dhcpc_t, NetworkManager_etc_t, NetworkManager_initrc_exec_t);
+domtrans_pattern(dhcpc_t, nmutils_exec_t, initrc_t)
 
+# required for newer NetworkManager
+optional {
+	require {
+		type NetworkManager_dispatcher_t;
+		type NetworkManager_dispatcher_script_t;
+	}
+	domtrans_pattern(NetworkManager_dispatcher_t, nmutils_exec_t, initrc_t)
+	search_dirs_pattern(dhcpc_t, NetworkManager_etc_t, NetworkManager_dispatcher_script_t);
+}