rpm: add selinux and rpm spec

Signed-off-by: Randy Li <ayaka@soulik.info>
2025-04-03 18:49:29 +08:00 · 2024-11-05 17:35:03 +08:00 · 2024-11-05 17:35:03 +08:00 · 1e494a4011
commit 1e494a4011
parent 028a32d197
4 changed files with 219 additions and 0 deletions
--- a/rpm/phantun.spec
+++ b/rpm/phantun.spec
@ -0,0 +1,128 @@
+Name:         	phantun 
+Version:        0.7.0
+Release:        2%{?dist}
+Summary:        A lightweight and fast UDP to TCP obfuscator
+
+License:        Apache-2.0
+URL:            https://github.com/dndx/phantun/tree/main
+Source0:        %{name}-%{version}.tar.gz
+
+BuildRequires:  rust
+BuildRequires:  cargo
+BuildRequires:  selinux-policy-devel
+
+%description
+Your project with client and server components.
+
+%package client
+Summary:        Client component of phantun
+Requires: (%{name}-selinux if selinux-policy-%{selinuxtype})
+
+%description client
+Phantun Client is like a machine with private IP address
+(192.168.200.2/fcc8::2) behind a router. In order for it to reach
+the Internet, you will need to SNAT the private IP address
+before it's traffic leaves the NIC.
+
+%package server
+Summary:        Server component of phantun
+Requires: (%{name}-selinux if selinux-policy-%{selinuxtype})
+
+%description server
+Phantun Server is like a server with private IP address
+(192.168.201.2/fcc9::2) behind a router. In order to access it from
+the Internet, you need to DNAT it's listening port on the router
+and change the destination IP address to where the server
+is listening for incoming connections.
+
+%package selinux
+Summary:        SELinux module for phantun
+%{?selinux_requires}
+%global modulename phantun
+%global selinuxtype targeted
+
+%description selinux
+This package provides the SELinux policy module to ensure phantun
+runs properly under an environment with SELinux enabled.
+
+%global debug_package %{nil}
+
+%prep
+%setup -q
+
+%build
+cargo build --release
+make -C selinux
+
+%install
+# Install binaries
+install -D -m 0755 target/release/client %{buildroot}/usr/libexec/phantun/phantun-client
+install -D -m 0755 target/release/server %{buildroot}/usr/libexec/phantun/phantun-server
+
+mkdir -p %{buildroot}/usr/bin
+# Create wrapper scripts
+echo '#!/bin/bash
+PID_FILE=$1
+shift 1
+mkdir -p /var/run/phantun
+/usr/libexec/phantun/phantun-client "$@" &
+echo $! > /var/run/phantun/${PID_FILE}' > %{buildroot}/usr/bin/phantun-client
+
+echo '#!/bin/bash
+PID_FILE=$1
+shift 1
+mkdir -p /var/run/phantun
+/usr/libexec/phantun/phantun-server "$@" &
+echo $! > /var/run/phantun/${PID_FILE}' > %{buildroot}/usr/bin/phantun-server
+
+# Make wrapper scripts executable
+chmod +x %{buildroot}/usr/bin/phantun-client
+chmod +x %{buildroot}/usr/bin/phantun-server
+
+# SELinux
+install -d %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}
+install -m 0644 selinux/%{modulename}.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}
+
+%pre selinux
+%selinux_relabel_pre -s %{selinuxtype}
+
+%post selinux
+%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2
+
+%postun selinux
+if [ $1 -eq 0 ]; then
+    %selinux_modules_uninstall -s %{selinuxtype} %{modulename}
+fi
+
+%posttrans selinux
+%selinux_relabel_post -s %{selinuxtype}
+
+%files client
+/usr/libexec/phantun/phantun-client
+/usr/bin/phantun-client
+
+%files server
+/usr/libexec/phantun/phantun-server
+/usr/bin/phantun-server
+
+%files selinux
+%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2
+
+%changelog
+* Wed Dec 11 2024 Randy Li <ayaka@soulik.info> - 0.7.0-2
+- chore(deps): update tokio-tun requirement from 0.9 to 0.11
+- chore(deps): update nix requirement from 0.27 to 0.28
+- chore(deps): bump softprops/action-gh-release from 1 to 2
+- chore(docs): update license year to 2024
+- docs(readme): update `README.md` to include incoming interface (`-i tun0`) in client NAT commands example (#163)
+- Revert "docs(readme): update `README.md` to include incoming interface (`-i t…"
+- fix(fake-tcp): when `connect()`-ing, attempt to get ephemeral port using algorithm similar to Linux (#162)
+- chore(deps): bump dependencies to latest
+- chore(cargo): bump `fake-tcp` version to `0.6.0` and `phantun` to `0.7.0`
+- chore(deps): bump docker/build-push-action from 5 to 6
+- chore(release): remove MIPS targets due to being downgraded to Tier 3 support by Rust
+- docs(readme): latest release is now `v0.7.0`
+
+* Sat Oct 14 2023 Randy Li <ayaka@soulik.info> - 0.6.1-1
+- Initial package
+
--- a/selinux/Makefile
+++ b/selinux/Makefile
@ -0,0 +1,26 @@
+TARGET?=phantun
+MODULES?=${TARGET:=.pp.bz2}
+SHAREDIR?=/usr/share
+
+all: ${TARGET:=.pp.bz2}
+
+%.pp.bz2: %.pp
+	@echo Compressing $^ -\> $@
+	bzip2 -9 $^
+
+%.pp: %.te
+	make -f ${SHAREDIR}/selinux/devel/Makefile $@
+
+clean:
+	rm -f *~  *.tc *.pp *.pp.bz2
+	rm -rf tmp *.tar.gz
+
+man: install-policy
+	sepolicy manpage --path . --domain ${TARGET}_t
+
+install-policy: all
+	semodule -i ${TARGET}.pp.bz2
+
+install: man
+	install -D -m 644 ${TARGET}.pp.bz2 ${DESTDIR}${SHAREDIR}/selinux/packages/${TARGET}.pp.bz2
+	install -D -m 644 ${TARGET}_selinux.8 ${DESTDIR}${SHAREDIR}/man/man8/
--- a/selinux/phantun.fc
+++ b/selinux/phantun.fc
@ -0,0 +1,5 @@
+/usr/libexec/phantun/phantun-client -- gen_context(system_u:object_r:phantun_client_exec_t,s0)
+/usr/libexec/phantun/phantun-server -- gen_context(system_u:object_r:phantun_server_exec_t,s0)
+/usr/bin/phantun-client -- gen_context(system_u:object_r:wireguard_exec_t,s0)
+/usr/bin/phantun-server -- gen_context(system_u:object_r:wireguard_exec_t,s0)
+/var/run/phantun(/.*)? gen_context(system_u:object_r:phantun_var_run_t,s0)
--- a/selinux/phantun.te
+++ b/selinux/phantun.te
@ -0,0 +1,60 @@
+policy_module(phantun, 1.0)
+
+gen_require(`
+    type wireguard_t;
+    type wireguard_exec_t;
+    class capability net_admin;
+    class tun_socket { append bind connect create getattr getopt ioctl lock read relabelfrom relabelto setattr setopt shutdown write };
+    class tcp_socket { name_bind listen accept connect };
+    class udp_socket { name_bind };
+    class file { getattr open read write create unlink execute };
+    class process { transition };
+')
+
+
+# Define custom types
+type phantun_server_exec_t;
+type phantun_client_exec_t;
+type phantun_server_port_t;
+type phantun_client_port_t;
+type phantun_var_run_t;
+
+# Allow the wrapper scripts to execute the phantun client and server binaries
+allow wireguard_exec_t phantun_client_exec_t:file { getattr open read execute };
+allow wireguard_exec_t phantun_server_exec_t:file { getattr open read execute };
+
+# Allow the wrapper scripts to write to the PID file
+allow wireguard_exec_t phantun_var_run_t:file { getattr open read write create unlink };
+allow wireguard_t self:process transition;
+
+####################################
+# Server
+#
+
+# Allow wireguard_t to execute the server binary
+allow wireguard_t phantun_server_exec_t:file { getattr open read execute };
+
+# Allow the server to create and manage tun devices
+allow phantun_server_exec_t self:tun_socket { append bind connect create getattr getopt ioctl lock read relabelfrom relabelto setattr setopt shutdown write };
+
+# Allow the server to bind to the custom TCP port and listen for incoming connections
+allow phantun_server_exec_t phantun_server_port_t:tcp_socket { name_bind listen accept };
+
+# Allow the server to use net_admin capability
+allow phantun_server_exec_t self:capability net_admin;
+
+####################################
+# Client
+#
+
+# Allow wireguard_t to execute the client binary
+allow wireguard_t phantun_client_exec_t:file { getattr open read execute };
+
+# Allow the client to create and manage tun devices
+allow phantun_client_exec_t self:tun_socket { append bind connect create getattr getopt ioctl lock read relabelfrom relabelto setattr setopt shutdown write };
+
+# Allow the client to bind to the custom UDP port
+#allow phantun_client_exec_t phantun_client_port_t:udp_socket { name_bind };
+
+# Allow the client to use net_admin capability
+allow phantun_client_exec_t self:capability net_admin;