From 8e91bc133859373acbb1ffdbd99849f160ae1193 Mon Sep 17 00:00:00 2001

From: Avra Sengupta <asengupt@redhat.com>

Date: Wed, 16 Nov 2016 16:19:14 +0530

Subject: [PATCH 338/361] snapshot/scheduler: Set sebool

 cron_system_cronjob_use_shares to on

Rhel 7.1 onwards, the user has to manually set the

selinux boolean 'cron_system_cronjob_use_shares' as

on, if selinux is enabled for snapshot scheduler to

work.

With this fix, we are automating that bit, in init step

of snapshot scheduler

mainline:

> BUG: 1395643

> Reviewed-on: https://review.gluster.org/15857

> Smoke: Gluster Build System <jenkins@build.gluster.org>

> NetBSD-regression: NetBSD Build System <jenkins@build.gluster.org>

> CentOS-regression: Gluster Build System <jenkins@build.gluster.org>

> Reviewed-by: Aravinda VK <avishwan@redhat.com>

(cherry picked from commit d592aee0bba98df44865e75fb0f1fceef14acf05)

BUG: 1247056

Change-Id: I5c1d23c14133c64770e84a77999ce647526f6711

Signed-off-by: Avra Sengupta <asengupt@redhat.com>

Reviewed-on: https://code.engineering.redhat.com/gerrit/101319

Tested-by: Milind Changire <mchangir@redhat.com>

Reviewed-by: Atin Mukherjee <amukherj@redhat.com>

---

 extras/snap_scheduler/snap_scheduler.py | 90 +++++++++++++++++++++++++++++++++

 1 file changed, 90 insertions(+)

diff --git a/extras/snap_scheduler/snap_scheduler.py b/extras/snap_scheduler/snap_scheduler.py

index b426cc7..61d1c51 100755

--- a/extras/snap_scheduler/snap_scheduler.py

+++ b/extras/snap_scheduler/snap_scheduler.py

@@ -545,8 +545,98 @@ def edit_schedules(jobname, schedule, volname):

     return ret

+def get_bool_val():

+    getsebool_cli = ["getsebool",

+                     "-a"]

+    p1 = subprocess.Popen(getsebool_cli, stdout=subprocess.PIPE,

+                          stderr=subprocess.PIPE)

+

+    grep_cmd = ["grep",

+                "cron_system_cronjob_use_shares"]

+    p2 = subprocess.Popen(grep_cmd, stdin=p1.stdout,

+                          stdout=subprocess.PIPE,

+                          stderr=subprocess.PIPE)

+

+    p1.stdout.close()

+    output, err = p2.communicate()

+    rv = p2.returncode

+

+    if rv:

+        log.error("Command output:")

+        log.error(err)

+        return -1

+

+    bool_val = output.split()[2]

+    log.debug("Bool value = '%s'", bool_val)

+

+    return bool_val

+

+def get_selinux_status():

+    getenforce_cli = ["getenforce"]

+    log.debug("Running command '%s'", " ".join(getenforce_cli))

+

+    p1 = subprocess.Popen(getenforce_cli, stdout=subprocess.PIPE,

+                          stderr=subprocess.PIPE)

+

+    output, err = p1.communicate()

+    rv = p1.returncode

+

+    if rv:

+        log.error("Command output:")

+        log.error(err)

+        return -1

+    else:

+        selinux_status=output.rstrip()

+        log.debug("selinux status: %s", selinux_status)

+

+    return selinux_status

+

+def set_cronjob_user_share():

+    selinux_status = get_selinux_status()

+    if (selinux_status == -1):

+        log.error("Failed to get selinux status")

+        return -1

+    elif (selinux_status == "Disabled"):

+        return 0

+

+    bool_val = get_bool_val()

+    # In case of a failure (where the boolean value is not)

+    # present in the system, we should not proceed further

+    # We should only proceed when the value is "off"

+    if (bool_val == -1 or bool_val != "off"):

+        return 0

+

+    setsebool_cli = ["setsebool", "-P",

+                     "cron_system_cronjob_use_shares",

+                     "on"]

+    log.debug("Running command '%s'", " ".join(setsebool_cli))

+

+    p1 = subprocess.Popen(setsebool_cli, stdout=subprocess.PIPE,

+                          stderr=subprocess.PIPE)

+

+    output, err = p1.communicate()

+    rv = p1.returncode

+

+    if rv:

+        log.error("Command output:")

+        log.error(err)

+        return rv

+

+    bool_val = get_bool_val()

+    if (bool_val == "on"):

+        return 0

+    else:

+        # In case of an error or if boolean is not on

+        # we return a failure here

+        return -1

 def initialise_scheduler():

+    ret = set_cronjob_user_share()

+    if ret:

+        log.error("Failed to set selinux boolean "

+                  "cron_system_cronjob_use_shares to 'on'")

+        return ret

+

     try:

         with open(TMP_FILE, "w+", 0644) as f:

             updater = ("* * * * * root PATH=$PATH:/usr/local/sbin:"

-- 

1.8.3.1