common-ha: enable and disable selinux ganesha_use_fusefs
Starting in Fedora 26 and RHEL 7.4 there are new targeted policies
in selinux which include a tuneable to allow ganesha.nfsd to access
the gluster (FUSE) shared_storage volume where ganesha maintains its
state.

N.B. rpm doesn't have a way to distinguish between RHEL 7.3 or 7.4
so it can't be enabled for RHEL at this time. /usr/sbin/semanage is
in policycoreutils-python in RHEL (versus policycoreutils-python-utils
in Fedora.) Once RHEL 7.4 GAs we may also wish to specify the version
for RHEL 7 explicitly, i.e.
  Requires: selinux-policy >= 3.13.1-160.
But beware, the corresponding version in Fedora 26 seems to be
selinux-policy-3.13.1.258 or so. (Maybe earlier versions, but that's
what's currently in the F26 beta.)

release-3.10 is the upstream master branch for glusterfs-ganesha. For
release-3.11 and later storhaug needs a similar change, which is
tracked by linux-ha-storage/storhaug#11

Maybe at some point we would want to consider migrating the targeted
policies for glusterfs (and nfs-ganesha) from selinux-policy to a
glusterfs-selinux (and nfs-ganesha-selinux) subpackage?

Change-Id: I04a5443edd00636cbded59a2baddfa98095bf7ac
Signed-off-by: Kaleb S. KEITHLEY <[email protected]>
Reviewed-on: https://review.gluster.org/17597
Smoke: Gluster Build System <[email protected]>
Reviewed-by: Niels de Vos <[email protected]>
Reviewed-by: jiffin tony Thottan <[email protected]>
CentOS-regression: Gluster Build System <[email protected]>
Signed-off-by: Jiffin Tony Thottan <[email protected]>
kalebskeithley authored and guihecheng committed Nov 12, 2019
1 parent 2834d27 commit ab70c9d
Showing 1 changed file with 16 additions and 0 deletions.
16 changes: 16 additions & 0 deletions glusterfs.spec.in
Expand Up @@ -410,6 +410,10 @@ Requires: pcs, dbus
%if ( 0%{?rhel} && 0%{?rhel} == 6 )
Requires: cman, pacemaker, corosync
%endif
%if ( 0%{?fedora} && 0%{?fedora} > 25 )
Requires(post): policycoreutils-python-utils
Requires(postun): policycoreutils-python-utils
%endif
%if ( 0%{?fedora} ) || ( 0%{?rhel} && 0%{?rhel} > 5 )
# we need portblock resource-agent in 3.9.5 and later.
Requires: resource-agents >= 3.9.5
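Review bot: Nothing in the new `%if ( 0%{?fedora} && 0%{?fedora} > 25 )` block requires a selinux-policy version that defines ganesha_use_fusefs; the two added lines only pull in the package that provides semanage. The commit message already discusses a versioned `Requires: selinux-policy >= ...` for RHEL, so consider adding the Fedora equivalent inside this same guard, so that the boolean is guaranteed to exist when the scriptlets run. A one-line comment noting that policycoreutils-python-utils is needed for /usr/sbin/semanage would also help the next reader, in the style of the portblock comment just below.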
Expand Down Expand Up @@ -876,6 +880,12 @@ modprobe fuse
exit 0
%endif

%if ( 0%{?fedora} && 0%{?fedora} > 25 )
%post ganesha
semanage boolean -m ganesha_use_fusefs --on
exit 0
%endif

%if ( 0%{?_build_server} )
%if ( 0%{!?_without_georeplication:1} )
%post geo-replication
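Review bot: The unconditional `exit 0` after `semanage boolean -m ganesha_use_fusefs --on` in `%post ganesha` hides a failed semanage call, so the install reports success while the boolean stays off and ganesha.nfsd may later be denied access to the shared_storage volume with no hint at install time. Keeping the scriptlet non-fatal is reasonable, but consider printing a warning when semanage returns non-zero, and add a short comment above the scriptlet saying why the boolean is being set.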
Expand Down Expand Up @@ -998,6 +1008,12 @@ fi
%postun api
/sbin/ldconfig

%if ( 0%{?fedora} && 0%{?fedora} > 25 )
%postun ganesha
semanage boolean -m ganesha_use_fusefs --off
exit 0
%endif

%postun libs
/sbin/ldconfig
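Review bot: `%postun ganesha` runs `semanage boolean -m ganesha_use_fusefs --off` unconditionally, but rpm also runs the old package's %postun during an upgrade, after the new package's %post has already run. An upgrade between two builds that both carry these scriptlets therefore ends with the boolean off while the ganesha package is still installed. Guard the call on the scriptlet argument so it only fires on final removal, for example `if [ $1 -eq 0 ]; then semanage boolean -m ganesha_use_fusefs --off; fi`, and keep the trailing `exit 0`.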
