From 1eab2c027ad342fc346b35e60c625301e1c247f5 Mon Sep 17 00:00:00 2001
From: "Kaleb S. KEITHLEY" <kkeithle@redhat.com>
Date: Thu, 22 Jun 2017 11:52:04 -0400
Subject: [PATCH 528/529] common-ha: enable and disable selinux
 ganesha_use_fusefs

Starting in Fedora 26 and RHEL 7.4 there are new targeted policies
in selinux which include a tuneable to allow ganesha.nfsd to access
the gluster (FUSE) shared_storage volume where ganesha maintains its
state.

N.B. rpm doesn't have a way to distinguish between RHEL 7.3 or 7.4
so it can't be enabled for RHEL at this time. /usr/sbin/semanage is
in policycoreutils-python in RHEL (versus policycoreutils-python-utils
in Fedora.) Once RHEL 7.4 GAs we may also wish to specify the version
for RHEL 7 explicitly, i.e.
  Requires: selinux-policy >= 3.13.1-160.
But beware, the corresponding version in Fedora 26 seems to be
selinux-policy-3.13.1.258 or so. (Maybe earlier versions, but that's
what's currently in the F26 beta.)

release-3.10 is the upstream master branch for glusterfs-ganesha. For
release-3.11 and later storhaug needs a similar change, which is
tracked by https://github.com/linux-ha-storage/storhaug/issues/11

Upstream https://review.gluster.org/17597
Upstream Change-Id: I04a5443edd00636cbded59a2baddfa98095bf7ac
Upstream BUG: 1463641
BUG: 1461098
Signed-off-by: Kaleb S. KEITHLEY <kkeithle@redhat.com>
Change-Id: I8f884b6329f0c2f6740fe0a6ce0a2965b0d3559f
Reviewed-on: https://code.engineering.redhat.com/gerrit/109845
Tested-by: Kaleb Keithley <kkeithle@redhat.com>
Reviewed-by: Soumya Koduri <skoduri@redhat.com>
Reviewed-by: Milind Changire <mchangir@redhat.com>
Reviewed-by: Atin Mukherjee <amukherj@redhat.com>
---
glusterfs.spec.in | 35 ++++++++++++++++++++++++++++++++---
1 file changed, 32 insertions(+), 3 deletions(-)
diff --git a/glusterfs.spec.in b/glusterfs.spec.in
index d546b38..f22c9e9 100644
--- a/glusterfs.spec.in
+++ b/glusterfs.spec.in
@@ -403,7 +403,17 @@ Requires: pcs, dbus
%if ( 0%{?rhel} && 0%{?rhel} == 6 )
Requires: cman, pacemaker, corosync
%endif
-%if ( 0%{?fedora} ) || ( 0%{?rhel} && 0%{?rhel} > 5 )
+%if ( ( 0%{?fedora} && 0%{?fedora} > 25 ) || ( 0%{?rhel} && 0%{?rhel} > 6 ) )
+%if ( 0%{?rhel} )
+Requires: selinux-policy >= 3.13.1-160
+Requires(post): policycoreutils-python
+Requires(postun): policycoreutils-python
+%else
+Requires(post): policycoreutils-python-utils
+Requires(postun): policycoreutils-python-utils
+%endif
+%endif
+%if ( ( 0%{?fedora} ) || ( 0%{?rhel} && 0%{?rhel} > 5 ) )
# we need portblock resource-agent in 3.9.5 and later.
Requires: resource-agents >= 3.9.5
Requires: net-tools
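Review bot: The `Requires: selinux-policy >= 3.13.1-160` line in the `%if ( 0%{?rhel} )` branch disagrees with the commit message, which says the change cannot be enabled for RHEL at this time and treats the version requirement as something to add once RHEL 7.4 is released. Either the message or the spec should be updated so they match, and a short spec comment above the `Requires:` saying that this is the first policy build carrying `ganesha_use_fusefs` would help the next person who touches it. The `%else` (Fedora) branch has no `selinux-policy` floor at all; if the `fedora > 25` guard is meant to be sufficient, say so in a comment.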
@@ -836,6 +846,14 @@ exit 0
%endif
%if ( 0%{?_build_server} )
+%if ( ( 0%{?fedora} && 0%{?fedora} > 25 ) || ( 0%{?rhel} && 0%{?rhel} > 6 ) )
+%post ganesha
+semanage boolean -m ganesha_use_fusefs --on
+exit 0
+%endif
+%endif
+
+%if ( 0%{?_build_server} )
%if ( 0%{!?_without_georeplication:1} )
%post geo-replication
if [ $1 -ge 1 ]; then
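Review bot: In `%post ganesha`, the unconditional `exit 0` after `semanage boolean -m ganesha_use_fusefs --on` hides a failed `semanage` call, so an install where the boolean was never set is indistinguishable from a successful one and the first symptom will be an SELinux denial when ganesha.nfsd touches the shared storage volume. Keeping the scriptlet non-fatal is reasonable, but consider reporting the failure, for example `semanage boolean -m ganesha_use_fusefs --on || echo "could not enable ganesha_use_fusefs" >&2`, before the `exit 0`. The commit message refers to `/usr/sbin/semanage`; using that absolute path here would also avoid depending on the scriptlet's PATH.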
@@ -984,6 +1002,14 @@ fi
%postun api
/sbin/ldconfig
+%if ( 0%{?_build_server} )
+%if ( ( 0%{?fedora} && 0%{?fedora} > 25 ) || ( 0%{?rhel} && 0%{?rhel} > 6 ) )
+%postun ganesha
+semanage boolean -m ganesha_use_fusefs --off
+exit 0
+%endif
+%endif
+
%postun libs
/sbin/ldconfig
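Review bot: `%postun ganesha` turns the boolean off without checking `$1`, so it also runs on package upgrade. On an upgrade rpm runs the old package's `%postun` after the new package's `%post`, which means the `--on` from `%post ganesha` is undone and the upgraded system ends up with `ganesha_use_fusefs` off. Guard the call so it only runs on final removal, for example `if [ $1 -eq 0 ]; then semanage boolean -m ganesha_use_fusefs --off; fi`, in the same way the `%post geo-replication` scriptlet elsewhere in this spec tests `$1`.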
@@ -2076,10 +2102,13 @@ end
%endif
%changelog
+* Thu Jun 22 2017 Kaleb S. KEITHLEY <kkeithle@redhat.com>
+- selinux enable, disable ganesha_access_fuse on install, remove
+
* Wed Jun 21 2017 Jiffin Tony Thottan <jthottan@redhat.com>
- Exclude glusterfssharedstorage.service and mount-shared-storage.sh from client builds
-* Fri Jun 20 2017 Jiffin Tony Thottan <jthottan@redhat.com>
+* Tue Jun 20 2017 Jiffin Tony Thottan <jthottan@redhat.com>
- Add glusterfssharedstorage.service systemd file
* Tue Jun 13 2017 Poornima G <pgurusid@redhat.com>
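Review bot: The new changelog entry names the boolean `ganesha_access_fuse`, but the scriptlets added by this patch set `ganesha_use_fusefs`. Anyone searching the changelog for the boolean they see in `getsebool` output will not find it, so the entry should use the same name as the scriptlets. The `Fri Jun 20 2017` to `Tue Jun 20 2017` weekday correction in the same hunk is unrelated to the SELinux change and would be easier to track as its own commit.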
@@ -2094,7 +2123,7 @@ end
* Wed Feb 1 2017 Poornima G <pgurusid@redhat.com>
- Install /var/lib/glusterd/groups/metadata-cache by default
-* Thu Dec 7 2016 Jiffin Tony Thottan <jhottan@redhat.com>
+* Wed Dec 7 2016 Jiffin Tony Thottan <jhottan@redhat.com>
- remove S31ganesha-reset.sh from hooks (#1397450)
* Fri Nov 18 2016 Soumya Koduri <skoduri@redhat.com>
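Review bot: The corrected `Wed Dec 7 2016` line still carries the address `jhottan@redhat.com`, while the other entries for the same author in this changelog use `jthottan@redhat.com`. Since the line is being rewritten anyway to fix the weekday, the address can be fixed in the same edit.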
--
1.8.3.1