From 1eab2c027ad342fc346b35e60c625301e1c247f5 Mon Sep 17 00:00:00 2001 From: "Kaleb S. KEITHLEY" Date: Thu, 22 Jun 2017 11:52:04 -0400 Subject: [PATCH 528/529] common-ha: enable and disable selinux ganesha_use_fusefs Starting in Fedora 26 and RHEL 7.4 there are new targeted policies in selinux which include a tuneable to allow ganesha.nfsd to access the gluster (FUSE) shared_storage volume where ganesha maintains its state. N.B. rpm doesn't have a way to distinguish between RHEL 7.3 or 7.4 so it can't be enabled for RHEL at this time. /usr/sbin/semanage is in policycoreutils-python in RHEL (versus policycoreutils-python-utils in Fedora.) Once RHEL 7.4 GAs we may also wish to specify the version for RHEL 7 explicitly, i.e. Requires: selinux-policy >= 3.13.1-160. But beware, the corresponding version in Fedora 26 seems to be selinux-policy-3.13.1.258 or so. (Maybe earlier versions, but that's what's currently in the F26 beta. release-3.10 is the upstream master branch for glusterfs-ganesha. For release-3.11 and later storhaug needs a similar change, which is tracked by https://github.com/linux-ha-storage/storhaug/issues/11 Upstream https://review.gluster.org/17597 Upstream Change-Id: I04a5443edd00636cbded59a2baddfa98095bf7ac Upstream BUG: 1463641 BUG: 1461098 Signed-off-by: Kaleb S. KEITHLEY Change-Id: I8f884b6329f0c2f6740fe0a6ce0a2965b0d3559f Reviewed-on: https://code.engineering.redhat.com/gerrit/109845 Tested-by: Kaleb Keithley Reviewed-by: Soumya Koduri Reviewed-by: Milind Changire Reviewed-by: Atin Mukherjee --- glusterfs.spec.in | 35 ++++++++++++++++++++++++++++++++--- 1 file changed, 32 insertions(+), 3 deletions(-) diff --git a/glusterfs.spec.in b/glusterfs.spec.in index d546b38..f22c9e9 100644 --- a/glusterfs.spec.in +++ b/glusterfs.spec.in 
@@ -403,7 +403,17 @@ Requires: pcs, dbus %if ( 0%{?rhel} && 0%{?rhel} == 6 ) Requires: cman, pacemaker, corosync %endif -%if ( 0%{?fedora} ) || ( 0%{?rhel} && 0%{?rhel} > 5 ) +%if ( ( 0%{?fedora} && 0%{?fedora} > 25 ) || ( 0%{?rhel} && 0%{?rhel} > 6 ) ) +%if ( 0%{?rhel} ) +Requires: selinux-policy >= 3.13.1-160 +Requires(post): policycoreutils-python +Requires(postun): policycoreutils-python +%else +Requires(post): policycoreutils-python-utils +Requires(postun): policycoreutils-python-utils +%endif +%endif +%if ( ( 0%{?fedora} ) || ( 0%{?rhel} && 0%{?rhel} > 5 ) ) # we need portblock resource-agent in 3.9.5 and later. Requires: resource-agents >= 3.9.5 Requires: net-tools @@ -836,6 +846,14 @@ exit 0 %endif %if ( 0%{?_build_server} ) +%if ( ( 0%{?fedora} && 0%{?fedora} > 25 ) || ( 0%{?rhel} && 0%{?rhel} > 6 ) ) +%post ganesha +semanage boolean -m ganesha_use_fusefs --on +exit 0 +%endif +%endif + +%if ( 0%{?_build_server} ) %if ( 0%{!?_without_georeplication:1} ) %post geo-replication if [ $1 -ge 1 ]; then @@ -984,6 +1002,14 @@ fi %postun api /sbin/ldconfig +%if ( 0%{?_build_server} ) +%if ( ( 0%{?fedora} && 0%{?fedora} > 25 ) || ( 0%{?rhel} && 0%{?rhel} > 6 ) ) +%postun ganesha +semanage boolean -m ganesha_use_fusefs --off +exit 0 +%endif +%endif + %postun libs /sbin/ldconfig @@ -2076,10 +2102,13 @@ end %endif %changelog +* Thu Jun 22 2017 Kaleb S. KEITHLEY +- selinux enable, disable ganesha_access_fuse on install, remove + * Wed Jun 21 2017 Jiffin Tony Thottan - Exclude glusterfssharedstorage.service and mount-shared-storage.sh from client builds -* Fri Jun 20 2017 Jiffin Tony Thottan +* Tue Jun 20 2017 Jiffin Tony Thottan - Add glusterfssharedstorage.service systemd file * Tue Jun 13 2017 Poornima G 
@@ -2094,7 +2123,7 @@ end * Wed Feb 1 2017 Poornima G - Install /var/lib/glusterd/groups/metadata-cache by default -* Thu Dec 7 2016 Jiffin Tony Thottan +* Wed Dec 7 2016 Jiffin Tony Thottan - remove S31ganesha-reset.sh from hooks (#1397450) * Fri Nov 18 2016 Soumya Koduri -- 1.8.3.1
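Review bot: The commit message and the first hunk (@@ -403) disagree about RHEL. The message says the tunable "can't be enabled for RHEL at this time" and defers `Requires: selinux-policy >= 3.13.1-160` until RHEL 7.4 GAs, but the new condition `( 0%{?rhel} && 0%{?rhel} > 6 )` enables the block for every RHEL 7 build, and the versioned Requires is already there. Either update the message to say the dependency is what gates RHEL, or drop the RHEL arm until the version can be distinguished. The Fedora arm carries no selinux-policy floor at all, although the message names a specific Fedora 26 policy version; a comment in the spec saying why none is needed would help the next reader.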
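Review bot: In the `%post ganesha` scriptlet (hunk @@ -836), the unconditional `exit 0` right after `semanage boolean -m ganesha_use_fusefs --on` hides any failure of the semanage call. If the boolean is missing from the loaded policy or semanage cannot run, the install still reports success and ganesha.nfsd is left without access to the shared_storage volume, with nothing in the transaction output to point at the cause. Keep the scriptlet non-fatal, but test the semanage exit status and print a warning to stderr when it is non-zero.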
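Review bot: The `%postun ganesha` scriptlet (hunk @@ -984) is missing a check on `$1`, so it runs `semanage boolean -m ganesha_use_fusefs --off` on package upgrade as well as on removal. On an upgrade the old package's %postun runs after the new package's %post, so the boolean that %post just turned on is turned off again and ganesha loses access to the shared storage volume until someone re-enables it by hand. Guard the call with `if [ $1 -eq 0 ]; then ... fi` so it only fires on final erase; the neighbouring `%post geo-replication` scriptlet already tests `$1` in the same way.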
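Review bot: The new %changelog entry (hunk @@ -2076) names the boolean `ganesha_access_fuse`, while both scriptlets and the Subject line use `ganesha_use_fusefs`. Anyone searching the changelog for the tunable they see in `semanage boolean -l` will not find this entry; change the entry to `ganesha_use_fusefs`.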