diff options
| author | Niels de Vos <ndevos@redhat.com> | 2017-05-03 12:02:40 +0200 |
|---|---|---|
| committer | Kaushal M <kaushal@redhat.com> | 2017-05-04 12:25:14 +0000 |
| commit | 3fe8119ed80d82d0a4ae5beba6b0712d0dda691b (patch) | |
| tree | 29b07dd589bb69379aa65ec9c51b4688ecfa1c23 | |
| parent | 845f67fce0aa17b5e10b80a4007d5d5c549084a0 (diff) | |
extras/hook-scripts: SELinux brick file context management scripts
The SELinux policy for gluster defines the glusterd_brick_t type to
support server side SELinux (e.g., server side labels). Add
convenience hook scripts that users/packagers can install to ensure
that new bricks are labeled correctly.
The volume create hook script adds a new SELinux file context for
each brick path and runs a restorecon to label the brick. The
volume delete hook removes the per-brick SELinux file context.
Cherry picked from commit 859669759f7fa0f2114add13660ce3bf16c77f30:
> Change-Id: I5f102db5382d813c4d822ff74e873a7a669b41db
> BUG: 1047975
> Signed-off-by: Brian Foster <bfoster@redhat.com>
> Signed-off-by: Niels de Vos <ndevos@redhat.com>
> Signed-off-by: Jiffin Tony Thottan <jthottan@redhat.com>
> Reviewed-on: https://review.gluster.org/6630
> Smoke: Gluster Build System <jenkins@build.gluster.org>
> NetBSD-regression: NetBSD Build System <jenkins@build.gluster.org>
> CentOS-regression: Gluster Build System <jenkins@build.gluster.org>
> Reviewed-by: Kaleb KEITHLEY <kkeithle@redhat.com>
Change-Id: I5f102db5382d813c4d822ff74e873a7a669b41db
BUG: 1447597
Signed-off-by: Niels de Vos <ndevos@redhat.com>
Reviewed-on: https://review.gluster.org/17157
Smoke: Gluster Build System <jenkins@build.gluster.org>
NetBSD-regression: NetBSD Build System <jenkins@build.gluster.org>
CentOS-regression: Gluster Build System <jenkins@build.gluster.org>
Reviewed-by: jiffin tony Thottan <jthottan@redhat.com>
| -rw-r--r-- | configure.ac | 20 | ||||
| -rw-r--r-- | extras/hook-scripts/Makefile.am | 2 | ||||
| -rw-r--r-- | extras/hook-scripts/create/Makefile.am | 1 | ||||
| -rw-r--r-- | extras/hook-scripts/create/post/Makefile.am | 6 | ||||
| -rwxr-xr-x | extras/hook-scripts/create/post/S10selinux-label-brick.sh | 61 | ||||
| -rw-r--r-- | extras/hook-scripts/delete/Makefile.am | 1 | ||||
| -rw-r--r-- | extras/hook-scripts/delete/pre/Makefile.am | 6 | ||||
| -rwxr-xr-x | extras/hook-scripts/delete/pre/S10selinux-del-fcontext.sh | 62 | ||||
| -rw-r--r-- | glusterfs.spec.in | 11 |
9 files changed, 166 insertions, 4 deletions
diff --git a/configure.ac b/configure.ac index 9f04bad1df7..fde410326de 100644 --- a/configure.ac +++ b/configure.ac @@ -223,6 +223,10 @@ AC_CONFIG_FILES([Makefile extras/hook-scripts/add-brick/Makefile extras/hook-scripts/add-brick/pre/Makefile extras/hook-scripts/add-brick/post/Makefile + extras/hook-scripts/create/Makefile + extras/hook-scripts/create/post/Makefile + extras/hook-scripts/delete/Makefile + extras/hook-scripts/delete/pre/Makefile extras/hook-scripts/start/Makefile extras/hook-scripts/start/post/Makefile extras/hook-scripts/set/Makefile @@ -895,6 +899,21 @@ else fi # end of xml-output +dnl SELinux feature enablement +case $host_os in + linux*) + AC_ARG_ENABLE([selinux], + AC_HELP_STRING([--disable-selinux], + [Disable SELinux features]), + [USE_SELINUX="${enableval}"], [USE_SELINUX="yes"]) + ;; + *) + USE_SELINUX=no + ;; +esac +AM_CONDITIONAL(USE_SELINUX, test "x${USE_SELINUX}" = "xyes") +dnl end of SELinux feature enablement + AC_CHECK_HEADERS([execinfo.h], [have_backtrace=yes]) if test "x${have_backtrace}" = "xyes"; then AC_DEFINE(HAVE_BACKTRACE, 1, [define if found backtrace]) @@ -1557,6 +1576,7 @@ echo "Unit Tests : $BUILD_UNITTEST" echo "Track priv ports : $TRACK_PRIVPORTS" echo "POSIX ACLs : $BUILD_POSIX_ACLS" echo "Data Classification : $BUILD_GFDB" +echo "SELinux features : $USE_SELINUX" echo "firewalld-config : $BUILD_FIREWALLD" echo "Events : $BUILD_EVENTS" echo "EC dynamic support : $EC_DYNAMIC_SUPPORT" diff --git a/extras/hook-scripts/Makefile.am b/extras/hook-scripts/Makefile.am index 771b37e3fdf..26059d7dbb9 100644 --- a/extras/hook-scripts/Makefile.am +++ b/extras/hook-scripts/Makefile.am @@ -1,5 +1,5 @@ EXTRA_DIST = S40ufo-stop.py S56glusterd-geo-rep-create-post.sh -SUBDIRS = add-brick set start stop reset +SUBDIRS = add-brick create delete set start stop reset scriptsdir = $(GLUSTERD_WORKDIR)/hooks/1/gsync-create/post/ if USE_GEOREP diff --git a/extras/hook-scripts/create/Makefile.am b/extras/hook-scripts/create/Makefile.am new file mode 100644 index 00000000000..b083a9145d6 --- /dev/null +++ b/extras/hook-scripts/create/Makefile.am @@ -0,0 +1 @@ +SUBDIRS = post diff --git a/extras/hook-scripts/create/post/Makefile.am b/extras/hook-scripts/create/post/Makefile.am new file mode 100644 index 00000000000..adbce78d249 --- /dev/null +++ b/extras/hook-scripts/create/post/Makefile.am @@ -0,0 +1,6 @@ +EXTRA_DIST = S10selinux-label-brick.sh + +scriptsdir = $(GLUSTERD_WORKDIR)/hooks/1/create/post/ +if USE_SELINUX +scripts_SCRIPTS = S10selinux-label-brick.sh +endif diff --git a/extras/hook-scripts/create/post/S10selinux-label-brick.sh b/extras/hook-scripts/create/post/S10selinux-label-brick.sh new file mode 100755 index 00000000000..d69a938123e --- /dev/null +++ b/extras/hook-scripts/create/post/S10selinux-label-brick.sh @@ -0,0 +1,61 @@ +#!/bin/bash +# +# Install to hooks/<HOOKS_VER>/create/post +# +# Add an SELinux file context for each brick using the glusterd_brick_t type. +# This ensures that the brick is relabeled correctly on an SELinux restart or +# restore. Subsequently, run a restore on the brick path to set the selinux +# labels. +# +### + +PROGNAME="Sselinux" +OPTSPEC="volname:" +VOL= + +function parse_args () { + ARGS=$(getopt -l $OPTSPEC -name $PROGNAME $@) + eval set -- "$ARGS" + + while true; do + case $1 in + --volname) + shift + VOL=$1 + ;; + *) + shift + break + ;; + esac + shift + done +} + +function set_brick_labels() +{ + volname=$1 + + # grab the path for each local brick + brickdirs=$(grep '^path=' /var/lib/glusterd/vols/${volname}/bricks/* | cut -d= -f 2) + + for b in $brickdirs + do + # Add a file context for each brick path and associate with the + # glusterd_brick_t SELinux type. + semanage fcontext --add -t glusterd_brick_t -r s0 $b(/.*)? + + # Set the labels on the new brick path. + restorecon -R $b + done +} + +SELINUX_STATE=$(which getenforce && getenforce) +[ "${SELINUX_STATE}" = 'Disabled' ] && exit 0 + +parse_args $@ +[ -z "$VOL" ] && exit 1 + +set_brick_labels $VOL + +exit 0 diff --git a/extras/hook-scripts/delete/Makefile.am b/extras/hook-scripts/delete/Makefile.am new file mode 100644 index 00000000000..c98a05d9205 --- /dev/null +++ b/extras/hook-scripts/delete/Makefile.am @@ -0,0 +1 @@ +SUBDIRS = pre diff --git a/extras/hook-scripts/delete/pre/Makefile.am b/extras/hook-scripts/delete/pre/Makefile.am new file mode 100644 index 00000000000..bf0eabe255c --- /dev/null +++ b/extras/hook-scripts/delete/pre/Makefile.am @@ -0,0 +1,6 @@ +EXTRA_DIST = S10selinux-del-fcontext.sh + +scriptsdir = $(GLUSTERD_WORKDIR)/hooks/1/delete/pre/ +if USE_SELINUX +scripts_SCRIPTS = S10selinux-del-fcontext.sh +endif diff --git a/extras/hook-scripts/delete/pre/S10selinux-del-fcontext.sh b/extras/hook-scripts/delete/pre/S10selinux-del-fcontext.sh new file mode 100755 index 00000000000..2c83331d5cd --- /dev/null +++ b/extras/hook-scripts/delete/pre/S10selinux-del-fcontext.sh @@ -0,0 +1,62 @@ +#!/bin/bash +# +# Install to hooks/<HOOKS_VER>/delete/pre +# +# Delete the file context associated with the brick path on volume deletion. The +# associated file context was added during volume creation. +# +# We do not explicitly relabel the brick, as this could be time consuming and +# unnecessary. +# +### + +PROGNAME="Sselinux" +OPTSPEC="volname:" +VOL= +CONFIGFILE= +LOGFILEBASE= +PIDDIR= + +function parse_args () { + ARGS=$(getopt -l $OPTSPEC -name $PROGNAME $@) + eval set -- "$ARGS" + + while true; do + case $1 in + --volname) + shift + VOL=$1 + ;; + *) + shift + break + ;; + esac + shift + done +} + +function delete_brick_fcontext() +{ + volname=$1 + + # grab the path for each local brick + brickdirs=$(grep '^path=' /var/lib/glusterd/vols/${volname}/bricks/* | cut -d= -f 2) + + for b in $brickdirs + do + # remove the file context associated with the brick path + semanage fcontext --delete $b\(/.*\)? + done +} + +SELINUX_STATE=$(which getenforce && getenforce) +[ "${SELINUX_STATE}" = 'Disabled' ] && exit 0 + +parse_args $@ +[ -z "$VOL" ] && exit 1 + +delete_brick_fcontext $VOL + +# failure to delete the fcontext is not fatal +exit 0 diff --git a/glusterfs.spec.in b/glusterfs.spec.in index 6ae3979757a..742c43bf0ce 100644 --- a/glusterfs.spec.in +++ b/glusterfs.spec.in @@ -1227,8 +1227,9 @@ exit 0 %attr(0755,-,-) %{_sharedstatedir}/glusterd/hooks/1/add-brick/post/disabled-quota-root-xattr-heal.sh %attr(0755,-,-) %{_sharedstatedir}/glusterd/hooks/1/add-brick/pre/S28Quota-enable-root-xattr-heal.sh %dir %attr(0755,-,-) %{_sharedstatedir}/glusterd/hooks/1/add-brick/pre -%ghost %dir %attr(0755,-,-) %{_sharedstatedir}/glusterd/hooks/1/create -%ghost %dir %attr(0755,-,-) %{_sharedstatedir}/glusterd/hooks/1/create/post + %dir %attr(0755,-,-) %{_sharedstatedir}/glusterd/hooks/1/create + %dir %attr(0755,-,-) %{_sharedstatedir}/glusterd/hooks/1/create/post + %attr(0755,-,-) %{_sharedstatedir}/glusterd/hooks/1/create/post/S10selinux-label-brick.sh %ghost %dir %attr(0755,-,-) %{_sharedstatedir}/glusterd/hooks/1/create/pre %ghost %dir %attr(0755,-,-) %{_sharedstatedir}/glusterd/hooks/1/copy-file %ghost %dir %attr(0755,-,-) %{_sharedstatedir}/glusterd/hooks/1/copy-file/post @@ -1236,7 +1237,8 @@ exit 0 %dir %attr(0755,-,-) %{_sharedstatedir}/glusterd/hooks/1/delete %dir %attr(0755,-,-) %{_sharedstatedir}/glusterd/hooks/1/delete/post %{_sharedstatedir}/glusterd/hooks/1/delete/post/S57glusterfind-delete-post -%ghost %dir %attr(0755,-,-) %{_sharedstatedir}/glusterd/hooks/1/delete/pre + %dir %attr(0755,-,-) %{_sharedstatedir}/glusterd/hooks/1/delete/pre + %attr(0755,-,-) %{_sharedstatedir}/glusterd/hooks/1/delete/pre/S10selinux-del-fcontext.sh %ghost %dir %attr(0755,-,-) %{_sharedstatedir}/glusterd/hooks/1/remove-brick %ghost %dir %attr(0755,-,-) %{_sharedstatedir}/glusterd/hooks/1/remove-brick/post %ghost %dir %attr(0755,-,-) %{_sharedstatedir}/glusterd/hooks/1/remove-brick/pre @@ -1303,6 +1305,9 @@ exit 0 - /var/run/gluster owner gluster:gluster(0775) for qemu(gfapi) statedumps (#1445569) +* Mon Apr 24 2017 Jiffin Tony Thottan <jhottan@redhat.com> +- Install SELinux hook scripts that manage contexts for bricks (#1047975) + * Thu Apr 20 2017 Kaleb S. KEITHLEY <kkeithle@redhat.com> - firewalld-filesystem -> firewalld (#1443959) |