extras/hook-scripts: SELinux brick file context management scripts

The SELinux policy for gluster defines the glusterd_brick_t type to
support server side SELinux (e.g., server side labels). Add
convenience hook scripts that users/packagers can install to ensure
that new bricks are labeled correctly.

The volume create hook script adds a new SELinux file context for
each brick path and runs a restorecon to label the brick. The
volume delete hook removes the per-brick SELinux file context.

Change-Id: I5f102db5382d813c4d822ff74e873a7a669b41db
BUG: 1047975
Signed-off-by: Brian Foster <bfoster@redhat.com>
Signed-off-by: Niels de Vos <ndevos@redhat.com>
Signed-off-by: Jiffin Tony Thottan <jthottan@redhat.com>
Reviewed-on: https://review.gluster.org/6630
Smoke: Gluster Build System <jenkins@build.gluster.org>
NetBSD-regression: NetBSD Build System <jenkins@build.gluster.org>
CentOS-regression: Gluster Build System <jenkins@build.gluster.org>
Reviewed-by: Kaleb KEITHLEY <kkeithle@redhat.com>
Brian Foster 2014-01-02 14:03:18 -05:00 committed by Kaleb KEITHLEY
parent c6dd1e68df
commit 859669759f
9 changed files with 166 additions and 4 deletions


@ -240,6 +240,10 @@ AC_CONFIG_FILES([Makefile
extras/hook-scripts/add-brick/Makefile
extras/hook-scripts/add-brick/pre/Makefile
extras/hook-scripts/add-brick/post/Makefile
extras/hook-scripts/create/Makefile
extras/hook-scripts/create/post/Makefile
extras/hook-scripts/delete/Makefile
extras/hook-scripts/delete/pre/Makefile
extras/hook-scripts/start/Makefile
extras/hook-scripts/start/post/Makefile
extras/hook-scripts/set/Makefile
@ -912,6 +916,21 @@ else
fi
# end of xml-output
dnl SELinux feature enablement
case $host_os in
linux*)
AC_ARG_ENABLE([selinux],
AC_HELP_STRING([--disable-selinux],
[Disable SELinux features]),
[USE_SELINUX="${enableval}"], [USE_SELINUX="yes"])
;;
*)
USE_SELINUX=no
;;
esac
AM_CONDITIONAL(USE_SELINUX, test "x${USE_SELINUX}" = "xyes")
dnl end of SELinux feature enablement
AC_CHECK_HEADERS([execinfo.h], [have_backtrace=yes])
if test "x${have_backtrace}" = "xyes"; then
AC_DEFINE(HAVE_BACKTRACE, 1, [define if found backtrace])
@ -1586,6 +1605,7 @@ echo "Unit Tests : $BUILD_UNITTEST"
echo "Track priv ports : $TRACK_PRIVPORTS"
echo "POSIX ACLs : $BUILD_POSIX_ACLS"
echo "Data Classification : $BUILD_GFDB"
echo "SELinux features : $USE_SELINUX"
echo "firewalld-config : $BUILD_FIREWALLD"
echo "Experimental xlators : $BUILD_EXPERIMENTAL"
echo "Events : $BUILD_EVENTS"
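Review bot: `AC_HELP_STRING` in the new `--disable-selinux` option is the obsolete spelling; autoconf has shipped `AS_HELP_STRING` as the replacement for a long time, so the new block would read `AS_HELP_STRING([--disable-selinux], [Disable SELinux features])` — unless the rest of configure.ac, which is outside this hunk, still uses the old macro everywhere, in which case staying consistent is the better choice. Defaulting `USE_SELINUX` to `yes` on every linux host only decides whether the hook scripts get installed, which seems fine given that the scripts themselves consult `getenforce` at run time.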


@ -1,5 +1,5 @@
EXTRA_DIST = S40ufo-stop.py S56glusterd-geo-rep-create-post.sh
SUBDIRS = add-brick set start stop reset
SUBDIRS = add-brick create delete set start stop reset
scriptsdir = $(GLUSTERD_WORKDIR)/hooks/1/gsync-create/post/
if USE_GEOREP


@ -0,0 +1 @@
SUBDIRS = post


@ -0,0 +1,6 @@
EXTRA_DIST = S10selinux-label-brick.sh
scriptsdir = $(GLUSTERD_WORKDIR)/hooks/1/create/post/
if USE_SELINUX
scripts_SCRIPTS = S10selinux-label-brick.sh
endif


@ -0,0 +1,61 @@
#!/bin/bash
#
# Install to hooks/<HOOKS_VER>/create/post
#
# Add an SELinux file context for each brick using the glusterd_brick_t type.
# This ensures that the brick is relabeled correctly on an SELinux restart or
# restore. Subsequently, run a restore on the brick path to set the selinux
# labels.
#
###
PROGNAME="Sselinux"
OPTSPEC="volname:"
VOL=
function parse_args () {
ARGS=$(getopt -l $OPTSPEC -name $PROGNAME $@)
eval set -- "$ARGS"
while true; do
case $1 in
--volname)
shift
VOL=$1
;;
*)
shift
break
;;
esac
shift
done
}
function set_brick_labels()
{
volname=$1
# grab the path for each local brick
brickdirs=$(grep '^path=' /var/lib/glusterd/vols/${volname}/bricks/* | cut -d= -f 2)
for b in $brickdirs
do
# Add a file context for each brick path and associate with the
# glusterd_brick_t SELinux type.
semanage fcontext --add -t glusterd_brick_t -r s0 $b(/.*)?
# Set the labels on the new brick path.
restorecon -R $b
done
}
SELINUX_STATE=$(which getenforce && getenforce)
[ "${SELINUX_STATE}" = 'Disabled' ] && exit 0
parse_args $@
[ -z "$VOL" ] && exit 1
set_brick_labels $VOL
exit 0
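Review bot: The `semanage fcontext --add -t glusterd_brick_t -r s0 $b(/.*)?` line inside set_brick_labels is a bash syntax error — an unquoted `(` is a shell metacharacter — so bash aborts while parsing the function definition and the hook would fail on every volume create; the argument needs quoting, `semanage fcontext --add -t glusterd_brick_t -r s0 "$b(/.*)?"`, which also stops `$b` from being word-split, and `restorecon -R "$b"` wants the same quoting (the delete script escapes its parentheses, which is why that one parses). Separately, `SELINUX_STATE=$(which getenforce && getenforce)` captures the path printed by `which` together with the mode, so the value is never equal to `Disabled` and the early exit never fires; `SELINUX_STATE=$(command -v getenforce >/dev/null 2>&1 && getenforce)` yields the bare mode, and the same line appears in S10selinux-del-fcontext.sh. `for b in $brickdirs` splits the brick paths read from the brick files on whitespace; if paths containing spaces are a concern, a `while IFS= read -r b` loop over the grep output avoids that.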


@ -0,0 +1 @@
SUBDIRS = pre


@ -0,0 +1,6 @@
EXTRA_DIST = S10selinux-del-fcontext.sh
scriptsdir = $(GLUSTERD_WORKDIR)/hooks/1/delete/pre/
if USE_SELINUX
scripts_SCRIPTS = S10selinux-del-fcontext.sh
endif


@ -0,0 +1,62 @@
#!/bin/bash
#
# Install to hooks/<HOOKS_VER>/delete/pre
#
# Delete the file context associated with the brick path on volume deletion. The
# associated file context was added during volume creation.
#
# We do not explicitly relabel the brick, as this could be time consuming and
# unnecessary.
#
###
PROGNAME="Sselinux"
OPTSPEC="volname:"
VOL=
CONFIGFILE=
LOGFILEBASE=
PIDDIR=
function parse_args () {
ARGS=$(getopt -l $OPTSPEC -name $PROGNAME $@)
eval set -- "$ARGS"
while true; do
case $1 in
--volname)
shift
VOL=$1
;;
*)
shift
break
;;
esac
shift
done
}
function delete_brick_fcontext()
{
volname=$1
# grab the path for each local brick
brickdirs=$(grep '^path=' /var/lib/glusterd/vols/${volname}/bricks/* | cut -d= -f 2)
for b in $brickdirs
do
# remove the file context associated with the brick path
semanage fcontext --delete $b\(/.*\)?
done
}
SELINUX_STATE=$(which getenforce && getenforce)
[ "${SELINUX_STATE}" = 'Disabled' ] && exit 0
parse_args $@
[ -z "$VOL" ] && exit 1
delete_brick_fcontext $VOL
# failure to delete the fcontext is not fatal
exit 0
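Review bot: `semanage fcontext --delete $b\(/.*\)?` in delete_brick_fcontext leaves the whole argument unquoted, so `$b` is word-split and `*` and `?` remain live glob characters; inside double quotes the backslashes are not needed, `semanage fcontext --delete "$b(/.*)?"`. `CONFIGFILE=`, `LOGFILEBASE=` and `PIDDIR=` are assigned and never read in this script and look carried over from another hook; dropping them keeps the header honest. The `ARGS=$(getopt -l $OPTSPEC -name $PROGNAME $@)` line seems to work only because getopt reads `-name` as `-n ame` and, with no `-o` given, takes the first non-option word `Sselinux` as its short-option string; `ARGS=$(getopt -o '' -l "$OPTSPEC" -n "$PROGNAME" -- "$@")` states the intent, and the create hook has the identical line.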


@ -1234,8 +1234,9 @@ exit 0
%attr(0755,-,-) %{_sharedstatedir}/glusterd/hooks/1/add-brick/post/disabled-quota-root-xattr-heal.sh
%attr(0755,-,-) %{_sharedstatedir}/glusterd/hooks/1/add-brick/pre/S28Quota-enable-root-xattr-heal.sh
%dir %attr(0755,-,-) %{_sharedstatedir}/glusterd/hooks/1/add-brick/pre
%ghost %dir %attr(0755,-,-) %{_sharedstatedir}/glusterd/hooks/1/create
%ghost %dir %attr(0755,-,-) %{_sharedstatedir}/glusterd/hooks/1/create/post
%dir %attr(0755,-,-) %{_sharedstatedir}/glusterd/hooks/1/create
%dir %attr(0755,-,-) %{_sharedstatedir}/glusterd/hooks/1/create/post
%attr(0755,-,-) %{_sharedstatedir}/glusterd/hooks/1/create/post/S10selinux-label-brick.sh
%ghost %dir %attr(0755,-,-) %{_sharedstatedir}/glusterd/hooks/1/create/pre
%ghost %dir %attr(0755,-,-) %{_sharedstatedir}/glusterd/hooks/1/copy-file
%ghost %dir %attr(0755,-,-) %{_sharedstatedir}/glusterd/hooks/1/copy-file/post
@ -1243,7 +1244,8 @@ exit 0
%dir %attr(0755,-,-) %{_sharedstatedir}/glusterd/hooks/1/delete
%dir %attr(0755,-,-) %{_sharedstatedir}/glusterd/hooks/1/delete/post
%{_sharedstatedir}/glusterd/hooks/1/delete/post/S57glusterfind-delete-post
%ghost %dir %attr(0755,-,-) %{_sharedstatedir}/glusterd/hooks/1/delete/pre
%dir %attr(0755,-,-) %{_sharedstatedir}/glusterd/hooks/1/delete/pre
%attr(0755,-,-) %{_sharedstatedir}/glusterd/hooks/1/delete/pre/S10selinux-del-fcontext.sh
%ghost %dir %attr(0755,-,-) %{_sharedstatedir}/glusterd/hooks/1/remove-brick
%ghost %dir %attr(0755,-,-) %{_sharedstatedir}/glusterd/hooks/1/remove-brick/post
%ghost %dir %attr(0755,-,-) %{_sharedstatedir}/glusterd/hooks/1/remove-brick/pre
@ -1313,6 +1315,9 @@ exit 0
- /var/run/gluster owner gluster:gluster(0775) for qemu(gfapi)
statedumps (#1445569)
* Mon Apr 24 2017 Jiffin Tony Thottan <jhottan@redhat.com>
- Install SELinux hook scripts that manage contexts for bricks (#1047975)
* Thu Apr 20 2017 Kaleb S. KEITHLEY <kkeithle@redhat.com>
- firewalld-filesystem -> firewalld (#1443959)