From a25382d5aa9cddde04b1b3355e9d0d1b43e66406 Mon Sep 17 00:00:00 2001
From: Atin Mukherjee <amukherj@redhat.com>
Date: Mon, 16 Apr 2018 22:49:37 +0530
Subject: [PATCH 222/236] hooks: remove selinux hooks
Label: DOWNSTREAM ONLY
Change-Id: I810466a0ca99ab21f5a8eac8cdffbb18333d10ad
BUG: 1565962
Signed-off-by: Atin Mukherjee <amukherj@redhat.com>
Reviewed-on: https://code.engineering.redhat.com/gerrit/135800
Tested-by: RHGS Build Bot <nigelb@redhat.com>
Reviewed-by: Jiffin Thottan <jthottan@redhat.com>
Reviewed-by: Milind Changire <mchangir@redhat.com>
---
configure.ac | 20 -------
extras/hook-scripts/Makefile.am | 2 +-
extras/hook-scripts/create/Makefile.am | 1 -
extras/hook-scripts/create/post/Makefile.am | 6 ---
.../create/post/S10selinux-label-brick.sh | 62 ----------------------
extras/hook-scripts/delete/Makefile.am | 1 -
extras/hook-scripts/delete/pre/Makefile.am | 6 ---
.../delete/pre/S10selinux-del-fcontext.sh | 59 --------------------
glusterfs.spec.in | 5 +-
9 files changed, 4 insertions(+), 158 deletions(-)
delete mode 100644 extras/hook-scripts/create/Makefile.am
delete mode 100644 extras/hook-scripts/create/post/Makefile.am
delete mode 100755 extras/hook-scripts/create/post/S10selinux-label-brick.sh
delete mode 100644 extras/hook-scripts/delete/Makefile.am
delete mode 100644 extras/hook-scripts/delete/pre/Makefile.am
delete mode 100755 extras/hook-scripts/delete/pre/S10selinux-del-fcontext.sh
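diff --git a/configure.ac b/configure.ac
index c9a1cde..b388a13 100644
--- a/configure.ac
+++ b/configure.ac
@@ -228,10 +228,6 @@ AC_CONFIG_FILES([Makefile
 extras/hook-scripts/add-brick/Makefile
 extras/hook-scripts/add-brick/pre/Makefile
 extras/hook-scripts/add-brick/post/Makefile
- extras/hook-scripts/create/Makefile
- extras/hook-scripts/create/post/Makefile
- extras/hook-scripts/delete/Makefile
- extras/hook-scripts/delete/pre/Makefile
 extras/hook-scripts/start/Makefile
 extras/hook-scripts/start/post/Makefile
 extras/hook-scripts/set/Makefile
@@ -911,21 +907,6 @@ else
 fi
 # end of xml-output
 
-dnl SELinux feature enablement
-case $host_os in
- linux*)
- AC_ARG_ENABLE([selinux],
- AC_HELP_STRING([--disable-selinux],
- [Disable SELinux features]),
- [USE_SELINUX="${enableval}"], [USE_SELINUX="yes"])
- ;;
- *)
- USE_SELINUX=no
- ;;
-esac
-AM_CONDITIONAL(USE_SELINUX, test "x${USE_SELINUX}" = "xyes")
-dnl end of SELinux feature enablement
-
 AC_CHECK_HEADERS([execinfo.h], [have_backtrace=yes])
 if test "x${have_backtrace}" = "xyes"; then
 AC_DEFINE(HAVE_BACKTRACE, 1, [define if found backtrace])
@@ -1577,7 +1558,6 @@ echo "Unit Tests : $BUILD_UNITTEST"
 echo "Track priv ports : $TRACK_PRIVPORTS"
 echo "POSIX ACLs : $BUILD_POSIX_ACLS"
 echo "Data Classification : $BUILD_GFDB"
-echo "SELinux features : $USE_SELINUX"
 echo "firewalld-config : $BUILD_FIREWALLD"
 echo "Events : $BUILD_EVENTS"
 echo "EC dynamic support : $EC_DYNAMIC_SUPPORT"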
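diff --git a/extras/hook-scripts/Makefile.am b/extras/hook-scripts/Makefile.am
index 26059d7..771b37e 100644
--- a/extras/hook-scripts/Makefile.am
+++ b/extras/hook-scripts/Makefile.am
@@ -1,5 +1,5 @@
 EXTRA_DIST = S40ufo-stop.py S56glusterd-geo-rep-create-post.sh
-SUBDIRS = add-brick create delete set start stop reset
+SUBDIRS = add-brick set start stop reset
 
 scriptsdir = $(GLUSTERD_WORKDIR)/hooks/1/gsync-create/post/
 if USE_GEOREP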
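Review bot: Nothing in this patch documents what happens to hosts that already ran the create hook once `create` and `delete` drop out of `SUBDIRS` here. The removed S10selinux-label-brick.sh added persistent `semanage fcontext` rules for each brick path, and the removed S10selinux-del-fcontext.sh is the only visible step that deleted them, so those rules presumably stay in the local policy after a volume is deleted once this ships. New bricks also no longer get the `glusterd_brick_t` rule or the `restorecon -R` pass automatically. I would record that next to the change, e.g. `# create/ and delete/ SELinux hooks dropped downstream (BUG 1565962): brick fcontext rules are no longer added or removed automatically`, and state the reason for the revert in the commit description.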
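diff --git a/extras/hook-scripts/create/Makefile.am b/extras/hook-scripts/create/Makefile.am
deleted file mode 100644
index b083a91..0000000
--- a/extras/hook-scripts/create/Makefile.am
+++ /dev/null
@@ -1 +0,0 @@
-SUBDIRS = post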
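diff --git a/extras/hook-scripts/create/post/Makefile.am b/extras/hook-scripts/create/post/Makefile.am
deleted file mode 100644
index adbce78..0000000
--- a/extras/hook-scripts/create/post/Makefile.am
+++ /dev/null
@@ -1,6 +0,0 @@
-EXTRA_DIST = S10selinux-label-brick.sh
-
-scriptsdir = $(GLUSTERD_WORKDIR)/hooks/1/create/post/
-if USE_SELINUX
-scripts_SCRIPTS = S10selinux-label-brick.sh
-endif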
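diff --git a/extras/hook-scripts/create/post/S10selinux-label-brick.sh b/extras/hook-scripts/create/post/S10selinux-label-brick.sh
deleted file mode 100755
index de242d2..0000000
--- a/extras/hook-scripts/create/post/S10selinux-label-brick.sh
+++ /dev/null
@@ -1,62 +0,0 @@
-#!/bin/bash
-#
-# Install to hooks/<HOOKS_VER>/create/post
-#
-# Add an SELinux file context for each brick using the glusterd_brick_t type.
-# This ensures that the brick is relabeled correctly on an SELinux restart or
-# restore. Subsequently, run a restore on the brick path to set the selinux
-# labels.
-#
-###
-
-PROGNAME="Sselinux"
-OPTSPEC="volname:"
-VOL=
-
-parse_args () {
- ARGS=$(getopt -o '' -l ${OPTSPEC} -n ${PROGNAME} -- "$@")
- eval set -- "${ARGS}"
-
- while true; do
- case ${1} in
- --volname)
- shift
- VOL=${1}
- ;;
- *)
- shift
- break
- ;;
- esac
- shift
- done
-}
-
-set_brick_labels()
-{
- volname=${1}
-
- # grab the path for each local brick
- brickpath="/var/lib/glusterd/vols/${volname}/bricks/*"
- brickdirs=$(grep '^path=' "${brickpath}" | cut -d= -f 2 | sort -u)
-
- for b in ${brickdirs}; do
- # Add a file context for each brick path and associate with the
- # glusterd_brick_t SELinux type.
- pattern="${b}\(/.*\)?"
- semanage fcontext --add -t glusterd_brick_t -r s0 "${pattern}"
-
- # Set the labels on the new brick path.
- restorecon -R "${b}"
- done
-}
-
-SELINUX_STATE=$(which getenforce && getenforce)
-[ "${SELINUX_STATE}" = 'Disabled' ] && exit 0
-
-parse_args "$@"
-[ -z "${VOL}" ] && exit 1
-
-set_brick_labels "${VOL}"
-
-exit 0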
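diff --git a/extras/hook-scripts/delete/Makefile.am b/extras/hook-scripts/delete/Makefile.am
deleted file mode 100644
index c98a05d..0000000
--- a/extras/hook-scripts/delete/Makefile.am
+++ /dev/null
@@ -1 +0,0 @@
-SUBDIRS = pre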
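diff --git a/extras/hook-scripts/delete/pre/Makefile.am b/extras/hook-scripts/delete/pre/Makefile.am
deleted file mode 100644
index bf0eabe..0000000
--- a/extras/hook-scripts/delete/pre/Makefile.am
+++ /dev/null
@@ -1,6 +0,0 @@
-EXTRA_DIST = S10selinux-del-fcontext.sh
-
-scriptsdir = $(GLUSTERD_WORKDIR)/hooks/1/delete/pre/
-if USE_SELINUX
-scripts_SCRIPTS = S10selinux-del-fcontext.sh
-endif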
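diff --git a/extras/hook-scripts/delete/pre/S10selinux-del-fcontext.sh b/extras/hook-scripts/delete/pre/S10selinux-del-fcontext.sh
deleted file mode 100755
index 6eba66f..0000000
--- a/extras/hook-scripts/delete/pre/S10selinux-del-fcontext.sh
+++ /dev/null
@@ -1,59 +0,0 @@
-#!/bin/bash
-#
-# Install to hooks/<HOOKS_VER>/delete/pre
-#
-# Delete the file context associated with the brick path on volume deletion. The
-# associated file context was added during volume creation.
-#
-# We do not explicitly relabel the brick, as this could be time consuming and
-# unnecessary.
-#
-###
-
-PROGNAME="Sselinux"
-OPTSPEC="volname:"
-VOL=
-
-function parse_args () {
- ARGS=$(getopt -o '' -l $OPTSPEC -n $PROGNAME -- "$@")
- eval set -- "$ARGS"
-
- while true; do
- case $1 in
- --volname)
- shift
- VOL=$1
- ;;
- *)
- shift
- break
- ;;
- esac
- shift
- done
-}
-
-function delete_brick_fcontext()
-{
- volname=$1
-
- # grab the path for each local brick
- brickdirs=$(grep '^path=' /var/lib/glusterd/vols/${volname}/bricks/* | cut -d= -f 2)
-
- for b in $brickdirs
- do
- # remove the file context associated with the brick path
- semanage fcontext --delete $b\(/.*\)?
- done
-}
-
-SELINUX_STATE=$(which getenforce && getenforce)
-[ "${SELINUX_STATE}" = 'Disabled' ] && exit 0
-
-parse_args "$@"
-[ -z "$VOL" ] && exit 1
-
-delete_brick_fcontext $VOL
-
-# failure to delete the fcontext is not fatal
-exit 0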
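diff --git a/glusterfs.spec.in b/glusterfs.spec.in
index 4b5238a..64e7e29 100644
--- a/glusterfs.spec.in
+++ b/glusterfs.spec.in
@@ -1523,7 +1523,6 @@ exit 0
 %attr(0755,-,-) %{_sharedstatedir}/glusterd/hooks/1/add-brick/pre/S28Quota-enable-root-xattr-heal.sh
 %dir %attr(0755,-,-) %{_sharedstatedir}/glusterd/hooks/1/create
 %dir %attr(0755,-,-) %{_sharedstatedir}/glusterd/hooks/1/create/post
- %attr(0755,-,-) %{_sharedstatedir}/glusterd/hooks/1/create/post/S10selinux-label-brick.sh
 %ghost %dir %attr(0755,-,-) %{_sharedstatedir}/glusterd/hooks/1/create/pre
 %ghost %dir %attr(0755,-,-) %{_sharedstatedir}/glusterd/hooks/1/copy-file
 %ghost %dir %attr(0755,-,-) %{_sharedstatedir}/glusterd/hooks/1/copy-file/post
@@ -1532,7 +1531,6 @@ exit 0
 %dir %attr(0755,-,-) %{_sharedstatedir}/glusterd/hooks/1/delete/post
 %{_sharedstatedir}/glusterd/hooks/1/delete/post/S57glusterfind-delete-post
 %dir %attr(0755,-,-) %{_sharedstatedir}/glusterd/hooks/1/delete/pre
- %attr(0755,-,-) %{_sharedstatedir}/glusterd/hooks/1/delete/pre/S10selinux-del-fcontext.sh
 %ghost %dir %attr(0755,-,-) %{_sharedstatedir}/glusterd/hooks/1/remove-brick
 %ghost %dir %attr(0755,-,-) %{_sharedstatedir}/glusterd/hooks/1/remove-brick/post
 %ghost %dir %attr(0755,-,-) %{_sharedstatedir}/glusterd/hooks/1/remove-brick/pre
@@ -2157,6 +2155,9 @@ fi
 %endif
 
 %changelog
+* Wed Apr 18 2018 Atin Mukherjee <amukherj@redhat.com>
+- Revert SELinux hooks (#1565962)
+
 * Thu Feb 22 2018 Kotresh HR <khiremat@redhat.com>
 - Added util-linux as dependency to georeplication rpm (#1544382)
 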
--
1.8.3.1