Merge pull request #2 from jhawkwind/glibc-integration

jhawkwind · web-flow · commit 1aac3231f6b2 · 2018-12-23T09:43:27.000-08:00
Glibc integration and clean-up
diff --git a/.gitmodules b/.gitmodules
@@ -0,0 +1,7 @@
+[submodule "glibc"]
+	path = glibc
+	url = git://sourceware.org/git/glibc.git
+	branch = release/2.18/master
+[submodule "factorio-updater"]
+	path = factorio-updater
+	url = https://github.com/narc0tiq/factorio-updater.git
diff --git a/README.md b/README.md
@@ -13,17 +13,24 @@ This is a fork of https://github.com/Bisa/factorio-init
 # Dependencies
  Among others:
  - cURL
-
-## SELINUX Dependencies
+ - git
+ - glibc-devel
+ - glibc
+ - make
+ - gcc-c++ - C++ component for glibc (optional)
+ - texinfo - documentation output for glibc
+ - libselinux-devel - SELINUX aware glibc
+ - audit-libs-devel - SELINUX auditing aware
+ - libcap-devel - root privileges partitioning for glibc
+
+## SELINUX specific dependencies
    - **REQUIRED**
      - SELINUX installed and enabled.
      - `setenforce 1` - If you do not know what this command does, **STOP!** DO NOT PROCEED! Please read up on SELINUX Administration.
      - _coreutils_ package - Required in all cases.
      - _policycoreutils_ package - Required in all cases.
-   - **REQUIRED if small changes or recompiling only**
+   - **REQUIRED if small changes or recompiling only** - You will not need this if you use the RPM.
      - _policycoreutils-python_ package - Optional if using RPM. Required if compiling yourself.
-     - gcc - Required to recompile. 
-     - make - Required to recompile.
      - _policycoreutils-devel_ package - Optional if using RPM or just making small adjustments. Required if debugging.
      - _setools-console_ package - Required if debugging, optional in other cases.
 
@@ -32,128 +39,149 @@ This is a fork of https://github.com/Bisa/factorio-init
  If you find yourself wondering why stuff is not working the way you expect:
  - Check the logs, I suggest you `tail -f /opt/factorio/factorio-current.log` in a separate session
  - Enable debugging in the config and/or:
- - Try running the same commands as the factorio user (`/opt/factorio-init/factorio invocation` will tell you what the factorio user tries to run at start)
+ - Try running the same commands as the factorio user (`/opt/factorio-SEinit/factorio invocation` will tell you what the factorio user tries to run at start)
 
  ```bash
- $ /opt/factorio-init/factorio invocation
+ /opt/factorio-SEinit/factorio invocation
  #  Run this as the factorio user, example:
- $ sudo -u factorio 'whatever invocation gave you'
+ sudo -u factorio 'whatever invocation gave you'
  # You should see some output in your terminal here, hopefully giving
  # you a hint of what is going wrong
  ```
 
+- You may need to study the audit logs at `/var/log/audit/audit.log` and see what is being blocked.
+- You may need to disable the `dontaudit` flag and force auditing to get the output to the audit log with more answers: `semodule --disable_dontaudit --build`
+- If you followed hardening guides, you may need to adjust the *umask* temporarily back to `umask 022` which was the default, or run:
+ ```bash
+ find /opt/glibc-2.18 -type d -exec chmod 755 {} \;
+ find /opt/factorio-SEinit -type d -exec chmod 755 {} \;
+ find /opt/factorio -type d -exec chmod 755 {} \;
+ ```
+
 # Install
-- Create a directory where you want to store this script along with configuration. (either copy-paste the files or clone from github):
+- Create a directory where you want to store this script along with configuration. Cloning from github assuming **/opt/factorio-SEinit** as the directory:
 
  ```bash
- $ cd '/opt'
- $ git clone https://github.com/jhawkwind/factorio-SEinit
+ yum install git
+ cd '/opt'
+ git clone --recurse-submodules https://github.com/jhawkwind/factorio-SEinit
  ```
-- Rename config.example to config and modify the values within according to your setup.
+ 
+- Rename **/opt/factorio-SEinit/config.example** to **/opt/factorio-SEinit/config** and modify the values within according to your setup.
+
+## Install appropriate glibc version as required for CentOS 7
+
+- The config has options for declaring an alternate glibc root, don't forget to configure it.
+- Compile the required GLIBC 2.18 and install it side-by-side with the OS version.
+```bash
+yum install glibc-devel glibc gcc make gcc-c++ autoconf texinfo libselinux-devel audit-libs-devel libcap-devel
+cd /opt/factorio-SEinit/glibc
+git apply ../patches/test-installation.pl.patch
+mkdir glibc-build
+cd glibc-build
+../configure --prefix='/opt/glibc-2.18' --with-selinux
+make
+make install
+```
 
 ## SELINUX Enablement
 - You must set `SELINUX=1` in the **config** file to have the init script change context into the **factorio_t** domain.
 - The policy expects you to have the INIT script, Factorio, and GLIBC-2.18 in either **/opt** or **/data**. If you put them
   anywhere else, you will need to modify **selinux/factorio.fc** and (of course) the **config** to tell it the new locations,
-  and manually compilie and install the SELINUX policy modules.
+  and manually compile and install the SELINUX policy modules.
 - File location format:
   * /opt (or /data)
     * /factorio/
-    * /factorio-init/
+    * /factorio-SEinit/
     * /glibc-2.18/
       * lib/
         * ld-2.18.so
-- Via the RPM, just run `rpm -Uvh Factorio-SEinit-1.1-0.el7.src.rpm`
-- Compiling the module by hand:
+- Via the RPM, just run:
   ```bash
-  [root@localhost]$ checkmodule -M -m -o factorio.mod factorio.te
-  [root@localhost]$ semodule_package -o factorio.pp -m factorio.mod -f factorio.fc
-  [root@localhost]$ semodule -i factorio.pp
-  [root@localhost]$ restorecon -R -v /opt/factorio
-  [root@localhost]$ restorecon -R -v /opt/factorio-init
-  [root@localhost]$ restorecon -R -v /opt/glibc-2.18
+  rpm -Uvh /opt/factorio-SEinit/selinux/Factorio-SEinit-1.1-0.el7.src.rpm
+  restorecon -R -v /opt/factorio-SEinit
+  restorecon -R -v /opt/glibc-2.18
+  ```
+- Compiling the module manually:
+  ```bash
+  yum install policycoreutils-python policycoreutils-devel setools-console
+  cd /opt/factorio-SEinit/selinux
+  make -f /usr/share/selinux/devel/Makefile factorio.pp
+  semodule -i factorio.pp
+  restorecon -R -v /opt/factorio-SEinit
+  restorecon -R -v /opt/glibc-2.18
   ```
-
-## Notes for users with CentOS 7 that has a older glibc version:
-
-- The config has options for declaring a alternate glibc root. The user millisa over on the factorio forums has created a wonderful guide to follow on creating this alternate glibc root ( side by side ) here:
-https://forums.factorio.com/viewtopic.php?t=54654#p324493
-
-```bash
-yum install glibc-devel glibc
-cd /tmp
-git clone git://sourceware.org/git/glibc.git
-cd glibc
-git checkout release/2.18/master
-mkdir glibc-build
-cd glibc-build
-../configure --prefix='/opt/glibc-2.18'
-```
-Fix the test script
-fix line 179 of the test install script:
-```
-vi ../scripts/test-installation.pl
-```
-change from
-```perl
-if (/$ld_so_name/) {
-```
-change to
-```
-if (/\Q$ld_so_name\E/) { 
-```
-save the changes, then run the command to build and install
-```
-make
-make install
-```
-
 
 ## First-run
 - If you don't have Factorio installed already, use the `install` command:
 
  ```bash
- $ /opt/factorio-init/factorio install  # see help for options
+ useradd -c "Factorio Server account" -d /opt/factorio -M -s /usr/sbin/nologin -r factorio
+ /opt/factorio-SEinit/factorio install  # see help for options
  ```
 
 - The installation routine creates Factorio's `config.ini` automatically.
 
-- If you previously ran Factorio without this script, the existing `config.ini` should work fine.
+- If you previously ran Factorio without this script, the existing `config.ini` should work fine, just apply the security contexts:
+  ```bash
+  restorecon -R -v /opt/factorio
+  ```
 
 ## Autocompletion
 - Copy/Symlink or source the bash_autocompletion file
 
  ```bash
- $ ln -s /opt/factorio-init/bash_autocomplete /etc/bash_completion.d/factorio
- # OR:
- $ echo "source /opt/factorio-init/bash_autocomplete" >> ~/.bashrc
+ ln -s /opt/factorio-SEinit/bash_autocomplete /etc/bash_completion.d/factorio
+ ```
+ OR:
+ ```bash
+ echo "source /opt/factorio-SEinit/bash_autocomplete" >> ~/.bashrc
  # restart your shell to verify that it worked
  ```
 
 ## Systemd
 - Copy the example service, adjust & reload
 
  ```bash
- $ cp /opt/factorio-init/factorio.service.example /etc/systemd/system/factorio.service
+ cp /opt/factorio-SEinit/factorio.service.example /etc/systemd/system/factorio.service
  # Edit the service file to suit your environment then reload systemd
- $ systemctl daemon-reload
+ systemctl daemon-reload
  ```
 
 - Verify that the server starts
 
  ```bash
- $ systemctl start factorio
- $ systemctl status -l factorio
+ systemctl start factorio
+ systemctl status -l factorio
  # Remember to enable the service at startup if you want that:
- $ systemctl enable factorio
+ systemctl enable factorio
+ ```
+ 
+ ## Clean up
+ - You know we just installed a bunch of stuff earlier? This yum command should remove everything we no longer need:
+ ```bash
+ yum remove glibc-devel gcc gcc-c++ autoconf texinfo libselinux-devel audit-libs-devel libcap-devel libsepol-devel pcre-devel libstdc++-devel git setools-console policycoreutils-devel perl-Git mpfr libmpc kernel-headers glibc-headers cpp m4 selinux-policy-devel
+ ```
+ - You can resecure the _umask_ with `umask 0077`
+ 
+ ## Firewall
+ - The following firewalld rules will come in handy. As a "TODO" is to automate this as part of the installation process.
+ ```bash
+ firewall-cmd --new-service=factorio-multiplayer --permanent
+ firewall-cmd --service=factorio-multiplayer --description="Factorio multi-player lock step sychronization replication protocol" --permanent
+ firewall-cmd --service=factorio-multiplayer --add-port=34197/udp --permanent
+ firewall-cmd --add-service=factorio-multiplayer --permanent
+ firewall-cmd --reload
  ```
 
 # Thank You
 - To all who find this script useful in one way or the other
 - A big thank you to [Wube](https://www.factorio.com/team) for making [Factorio](https://www.factorio.com/)
-- A special thanks to NoPantsMcDance, Oxyd, HanziQ, TheFactorioCube and all other frequent users of the [#factorio](irc://irc.esper.net/#factorio) channel @ esper.net
-- Thank you to Salzig for pointing me in the right direction when it comes to input redirection
-- At last, but not least; Thank you to all [contributors](https://github.com/Bisa/factorio-init/graphs/contributors) and users posting [issues](https://github.com/Bisa/factorio-init/issues) in my [github](https://github.com/Bisa/factorio-init/) project or on the [factorio forums](https://forums.factorio.com/viewtopic.php?f=133&t=13874)
+- A special thanks to NoPantsMcDance, Oxyd, HanziQ, TheFactorioCube and all other frequent users of the [**#factorio**](irc://irc.esper.net/#factorio) channel @ esper.net
+- Thank you to Salzig for pointing Bisa in the right direction when it comes to input redirection
+- The user _millisa_ over on the [factorio forums](https://forums.factorio.com/viewtopic.php?t=54654#p324493) for creating a wonderful guide to follow on making an alternate glibc root.
+- Please report any [(SE)init issues](https://github.com/jhawkwind/factorio-SEinit/issues) you find.
+- At last, but not least; Thank you to all [(SE)init contributors](https://github.com/jhawkwind/factorio-SEinit/graphs/contributors) and users posting [mainline issues](https://github.com/Bisa/factorio-init/issues) in Bisa's original [github](https://github.com/Bisa/factorio-init/) project or on the [factorio forums](https://forums.factorio.com/viewtopic.php?f=133&t=13874)
 
 You are all a great source of motivation, thank you.
 
diff --git a/config.example b/config.example
@@ -5,7 +5,7 @@
 DEBUG=0
 
 # Enable alternative glibc directory for systems using older glibc versions ( ie RHEL CentOS and others )
-ALT_GLIBC=0
+ALT_GLIBC=1
 # Put the Absolute path to the side by side glibc root here
 ALT_GLIBC_DIR="/opt/glibc-2.18"
 #Version of alt glibc goes here (i.e 2.18)
@@ -54,8 +54,8 @@ PACKAGE_DIR_NAME=factorio
 # git clone https://github.com/narc0tiq/factorio-updater
 #
 
-# absolute path to the factorio-updater script
-UPDATE_SCRIPT=/path/to/update_factorio.py
+# absolute path to the factorio-updater script. Change as necessary.
+UPDATE_SCRIPT=/opt/factorio-SEinit/factorio-updater/update_factorio.py
 # Note that if you set HEADLESS=1 the username/token will not be used as the headless
 # download is provided free of charge
 HEADLESS=1
diff --git a/factorio b/factorio
@@ -363,6 +363,31 @@ test_deps(){
   return 0 # TODO: Implement ldd check on $BINARY
 }
 
+set_perms(){
+  echo "Applying file ownership ..."
+  result=$(chown -R ${USERNAME}:${USERGROUP} ${FACTORIO_PATH})
+  if [[ ${result} -ne 0 ]]; then
+    echo "Failed to apply ownership ${USERNAME}:${USERGROUP} for ${FACTORIO_PATH}"
+    exit 1
+  fi
+ 
+  echo "Applying file permission ..."
+  result=$(find ${FACTORIO_PATH} -type d -exec chmod 755 {} \;)
+  if [[ ${result} -ne 0 ]]; then
+    echo "Failed to apply permission for ${FACTORIO_PATH}"
+    exit 1
+  fi
+ 
+  if [[ ${SELINUX} -eq 1 ]]; then
+  	echo "Applying SELINUX security contexts ..."
+  	result=$(restorecon -R -v ${FACTORIO_PATH})
+  	if [[ ${result} -ne 0 ]]; then
+  		echo "Failed to apply SELINUX security contexts for ${FACTORIO_PATH}"
+  		exit 1
+  	fi
+  fi
+}
+
 install(){
   # Factorio comes packaged in a directory named "factorio"
   # Unless overriden in the config we will presume this is also the
@@ -420,12 +445,8 @@ install(){
       exit 1
     fi
   fi
-
-  echo "Applying file ownership ..."
-  if ! chown -R ${USERNAME}:${USERGROUP} ${FACTORIO_PATH}; then
-    echo "Failed to apply ownership ${USERNAME}:${USERGROUP} for ${FACTORIO_PATH}"
-    exit 1
-  fi
+  
+  set_perms; # Set file permissions
 
   # Generate default config.ini by creating a save
   as_user "${BINARY} --create ${FACTORIO_PATH}/saves/server-save ${EXE_ARGS_GLIBC}"
diff --git a/factorio-updater b/factorio-updater
@@ -0,0 +1 @@
+Subproject commit 08797d07cbc00cd75d1a8949899c760c29b8b4ed
diff --git a/factorio.service.example b/factorio.service.example
@@ -13,9 +13,9 @@ PIDFile=/opt/factorio/server.pid
 
 Type=forking
 TimeoutStartSec=20
-ExecStart=/opt/factorio-init/factorio start
+ExecStart=/opt/factorio-SEinit/factorio start
 TimeoutStopSec=20
-ExecStop=/opt/factorio-init/factorio stop
+ExecStop=/opt/factorio-SEinit/factorio stop
 RestartSec=20
 Restart=on-failure
 
diff --git a/glibc b/glibc
@@ -0,0 +1 @@
+Subproject commit 715e7fe0322004fd2e3fed853e9be3c279f5015d
diff --git a/patches/test-installation.pl.patch b/patches/test-installation.pl.patch
@@ -0,0 +1,13 @@
+diff --git a/test-installation.pl b/test-installation.pl
+index e01d60bd2b..b0c7eed225 100755
+--- a/scripts/test-installation.pl
++++ b/scripts/test-installation.pl
+@@ -176,7 +176,7 @@ while (<LDD>) {
+       $ok = 0;
+     }
+   }
+-  if (/$ld_so_name/) {
++  if (/\Q$ld_so_name\E/) {
+     ($version1) = /$ld_so_name\.so\.([0-9\.]*)/;
+     if ($version1 ne $ld_so_version) {
+       print "The dynamic linker $ld_so_name.so is not correctly installed.\n";
diff --git a/selinux/Factorio-SEinit-1.1-2.el7.src.rpm b/selinux/Factorio-SEinit-1.1-2.el7.src.rpm
diff --git a/selinux/Factorio-SEinit-1.1-3.el7.src.rpm b/selinux/Factorio-SEinit-1.1-3.el7.src.rpm
diff --git a/selinux/factorio.fc b/selinux/factorio.fc
@@ -1,6 +1,10 @@
-/(opt|data)/factorio/bin/(x64|x86)/factorio	--	gen_context(system_u:object_r:factorio_exec_t,s0)
-/(opt|data)/factorio(/.*)?				system_u:object_r:factorio_t:s0
-/(opt|data)/factorio-init(/.*)?				system_u:object_r:factorio_t:s0
-/data/glibc-[^/]*/lib/ld-[^/]*\.so(\.[^/]*)*	--	system_u:object_r:ld_so_t:s0
-/(opt|data)/factorio-init/factorio		--	system_u:object_r:factorio_t:s0
+/opt/factorio/bin/x64/factorio	--	gen_context(system_u:object_r:factorio_exec_t,s0)
+/opt/factorio(/.*)?				system_u:object_r:factorio_t:s0
+/opt/factorio-init(/.*)?				system_u:object_r:factorio_t:s0
+/opt/factorio-init/factorio		--	system_u:object_r:factorio_t:s0
 /opt/glibc-[^/]*/lib/ld-[^/]*\.so(\.[^/]*)*	--	system_u:object_r:ld_so_t:s0
+/data/factorio/bin/x64/factorio	--	gen_context(system_u:object_r:factorio_exec_t,s0)
+/data/factorio(/.*)?				system_u:object_r:factorio_t:s0
+/data/factorio-init(/.*)?				system_u:object_r:factorio_t:s0
+/data/factorio-init/factorio		--	system_u:object_r:factorio_t:s0
+/data/glibc-[^/]*/lib/ld-[^/]*\.so(\.[^/]*)*	--	system_u:object_r:ld_so_t:s0
diff --git a/selinux/factorio.te b/selinux/factorio.te
@@ -72,18 +72,13 @@ allow factorio_t unconfined_t:fifo_file { write getattr }; # Allow the factorio
 allow factorio_t unconfined_service_t:process { signal sigchld }; # Allow the factorio process to talk back to the init script.
 allow factorio_t unconfined_service_t:fifo_file { write getattr }; # Allow the factorio process to write output results back to the init script to pass up. In this case, tail.
 
-allow factorio_t self:fifo_file rw_fifo_file_perms;
 allow factorio_t self:unix_stream_socket create_stream_socket_perms;
-allow factorio_t default_t:fifo_file { getattr open read write };
-allow factorio_t self:fifo_file rw_fifo_file_perms;
-allow factorio_t self:unix_stream_socket create_stream_socket_perms;
-allow factorio_t self:file rw_file_perms;
-allow factorio_t self:dir rw_dir_perms;
-allow factorio_t self:file { getattr unlink append read setattr write lock create rename link open }; # Redundant plus some additional
-allow factorio_t self:dir { getattr unlink append read setattr write lock create rename link search rmdir remove_name add_name open }; # Redundant plus some additional
+allow factorio_t self:fifo_file manage_fifo_file_perms;
+allow factorio_t self:file manage_file_perms;
+allow factorio_t self:dir manage_dir_perms;
 allow factorio_t self:capability net_raw;
 allow factorio_t self:netlink_route_socket { bind create getattr nlmsg_read write read };
-allow factorio_t self:process setcap;
+allow factorio_t self:process { setcap };
 allow factorio_t self:rawip_socket { create getopt setopt };
 allow factorio_t self:tcp_socket { connect create getattr getopt setopt read write };
 allow factorio_t self:udp_socket { bind connect create getattr setopt read write };
diff --git a/selinux/factorio_selinux.spec b/selinux/factorio_selinux.spec
