From f16ba446e30197ff1724a5e257b35fb41330835d Mon Sep 17 00:00:00 2001

From: "Kaleb S. KEITHLEY" <kkeithle@redhat.com>

Date: Wed, 21 Jun 2017 10:01:20 -0400

Subject: [PATCH 65/74] common-ha: enable and disable selinux

 ganesha_use_fusefs

Starting in Fedora 26 and RHEL 7.4 there are new targeted policies

in selinux which include a tuneable to allow ganesha.nfsd to access

the gluster (FUSE) shared_storage volume where ganesha maintains its

state.

N.B. rpm doesn't have a way to distinguish between RHEL 7.3 or 7.4

so it can't be enabled for RHEL at this time. /usr/sbin/semanage is

in policycoreutils-python in RHEL (versus policycoreutils-python-utils

in Fedora.) Once RHEL 7.4 GAs we may also wish to specify the version

for RHEL 7 explicitly, i.e.

  Requires: selinux-policy >= 3.13.1-160.

But beware, the corresponding version in Fedora 26 seems to be

selinux-policy-3.13.1.258 or so. (Maybe earlier versions, but that's

what's currently in the F26 beta.

release-3.10 is the upstream master branch for glusterfs-ganesha. For

release-3.11 and later storhaug needs a similar change, which is

tracked by https://github.com/linux-ha-storage/storhaug/issues/11

Maybe at some point we would want to consider migrating the targeted

policies for glusterfs (and nfs-ganesha) from selinux-policy to a

glusterfs-selinux (and nfs-ganesha-selinux) subpackage?

Change-Id: I04a5443edd00636cbded59a2baddfa98095bf7ac

Signed-off-by: Kaleb S. KEITHLEY <kkeithle@redhat.com>

Reviewed-on: https://review.gluster.org/17597

Smoke: Gluster Build System <jenkins@build.gluster.org>

Reviewed-by: Niels de Vos <ndevos@redhat.com>

Reviewed-by: jiffin tony Thottan <jthottan@redhat.com>

CentOS-regression: Gluster Build System <jenkins@build.gluster.org>

Signed-off-by: Jiffin Tony Thottan <jthottan@redhat.com>

---

 glusterfs.spec.in | 16 ++++++++++++++++

 1 file changed, 16 insertions(+)

diff --git a/glusterfs.spec.in b/glusterfs.spec.in

index 0bad6cf..17f814b 100644

--- a/glusterfs.spec.in

+++ b/glusterfs.spec.in

@@ -410,6 +410,10 @@ Requires:         pcs, dbus

 %if ( 0%{?rhel} && 0%{?rhel} == 6 )

 Requires:         cman, pacemaker, corosync

 %endif

+%if ( 0%{?fedora} && 0%{?fedora} > 25 )

+Requires(post):   policycoreutils-python-utils

+Requires(postun): policycoreutils-python-utils

+%endif

 %if ( 0%{?fedora} ) || ( 0%{?rhel} && 0%{?rhel} > 5 )

 # we need portblock resource-agent in 3.9.5 and later.

 Requires:         resource-agents >= 3.9.5

@@ -876,6 +880,12 @@ modprobe fuse

 exit 0

 %endif

+%if ( 0%{?fedora} && 0%{?fedora} > 25 )

+%post ganesha

+semanage boolean -m ganesha_use_fusefs --on

+exit 0

+%endif

+

 %if ( 0%{?_build_server} )

 %if ( 0%{!?_without_georeplication:1} )

 %post geo-replication

@@ -998,6 +1008,12 @@ fi

 %postun api

 /sbin/ldconfig

+%if ( 0%{?fedora} && 0%{?fedora} > 25 )

+%postun ganesha

+semanage boolean -m ganesha_use_fusefs --off

+exit 0

+%endif

+

 %postun libs

 /sbin/ldconfig

-- 

1.8.3.1