Federico Simoncelli has uploaded a new change for review. Change subject: vdsm-tool: add the sebool configuration module ...................................................................... vdsm-tool: add the sebool configuration module This patch moves the sebool configuration from a shell scriptlet in the rpm package to the vdsm-tool command. Change-Id: I01baf1c17f7cad2a0525b261be6b5ac648576252 Signed-off-by: Federico Simoncelli <fsimonce(a)redhat.com&gt; --- M vdsm-tool/Makefile.am A vdsm-tool/seboolsetup.py M vdsm.spec.in 3 files changed, 69 insertions(+), 36 deletions(-) git pull ssh://gerrit.ovirt.org:29418/vdsm refs/changes/62/9362/1 diff --git a/vdsm-tool/Makefile.am b/vdsm-tool/Makefile.am index 997e339..348940e 100644 --- a/vdsm-tool/Makefile.am +++ b/vdsm-tool/Makefile.am @@ -29,5 +29,6 @@ __init__.py \ load_needed_modules.py \ passwd.py \ + seboolsetup.py \ validate_ovirt_certs.py \ $(NULL) diff --git a/vdsm-tool/seboolsetup.py b/vdsm-tool/seboolsetup.py new file mode 100644 index 0000000..dee1e58 --- /dev/null +++ b/vdsm-tool/seboolsetup.py @@ -0,0 +1,63 @@ +# +# Copyright 2012 Red Hat, Inc. +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA +# +# Refer to the README and COPYING files for full details of the license +# + +import seobject +from vdsm.tool import expose + +SEBOOL_ENABLED = "on" +SEBOOL_DISABLED = "off" + +VDSM_SEBOOL_LIST = [ + "virt_use_fusefs", + "virt_use_nfs", + "virt_use_samba", + "sanlock_use_fusefs", + "sanlock_use_nfs", + "sanlock_use_samba", + "virt_use_sanlock", +] + + +def setup_booleans(status): + sebool_obj = seobject.booleanRecords() + sebool_status = sebool_obj.get_all() + + sebool_obj.start() + + for sebool_variable in VDSM_SEBOOL_LIST: + if status and not all(sebool_status[sebool_variable]): + sebool_obj.modify(sebool_variable, SEBOOL_ENABLED) + + if not status and any(sebool_status[sebool_variable]): + sebool_obj.modify(sebool_variable, SEBOOL_DISABLED) + + sebool_obj.finish() + + +@expose("sebool-enable") +def sebool_enable(): + """Enable the required selinux booleans""" + setup_booleans(True) + + +@expose("sebool-disable") +def sebool_disable(): + """Disable the required selinux booleans""" + setup_booleans(False) diff --git a/vdsm.spec.in b/vdsm.spec.in index 3fa3395..033ce1a 100644 --- a/vdsm.spec.in +++ b/vdsm.spec.in @@ -456,30 +456,8 @@ /usr/sbin/usermod -a -G %{qemu_group},%{snlk_group} %{vdsm_user} /usr/sbin/usermod -a -G %{qemu_group},%{vdsm_group} %{snlk_user} -# vdsm makes extensive use of nfs-exported images -# The next lines will collect the default selinux behaviour for the booleans -virtNFS=$(/usr/sbin/semanage boolean -l | /bin/grep virt_use_nfs | cut -d ',' -f 2) -virtSANLOCK=$(/usr/sbin/semanage boolean -l | /bin/grep virt_use_sanlock | cut -d ',' -f 2) -snlkNFS=$(/usr/sbin/semanage boolean -l | /bin/grep sanlock_use_nfs | cut -d ',' -f 2) - -# Set the booleans and persist it across reboots -if [[ "${virtNFS}" == *off* || "${virtSANLOCK}" == *off* || \ - "${snlkNFS}" == *off* ]]; then - /usr/sbin/semanage boolean -m -S targeted -F /dev/stdin << _EOF -virt_use_nfs=1 -virt_use_sanlock=1 -sanlock_use_nfs=1 -_EOF -fi - -# Set the current state of SELinux booleans -if /usr/sbin/selinuxenabled; then - /usr/sbin/setsebool virt_use_nfs on - /usr/sbin/setsebool virt_use_sanlock on - /usr/sbin/setsebool sanlock_use_nfs on -fi - %post +%{_bindir}/vdsm-tool sebool-enable # set the vdsm "secret" password for libvirt %{_bindir}/vdsm-tool set-saslpasswd @@ -521,17 +499,7 @@ /bin/sed -i '/# VDSM section begin/,/# VDSM section end/d' \ /etc/sysctl.conf - /usr/sbin/semanage boolean -m -S targeted -F /dev/stdin << _EOF -virt_use_nfs=0 -virt_use_sanlock=0 -sanlock_use_nfs=0 -_EOF - - if /usr/sbin/selinuxenabled; then - /usr/sbin/setsebool virt_use_nfs off - /usr/sbin/setsebool virt_use_sanlock off - /usr/sbin/setsebool sanlock_use_nfs off - fi + %{_bindir}/vdsm-tool sebool-disable /usr/sbin/saslpasswd2 -p -a libvirt -d vdsm@ovirt @@ -794,9 +762,10 @@ %{python_sitearch}/%{vdsm_name}/betterPopen/__init__.py* %{python_sitearch}/%{vdsm_name}/betterPopen/createprocess.so %{python_sitearch}/%{vdsm_name}/tool/__init__.py* -%{python_sitearch}/%{vdsm_name}/tool/passwd.py* -%{python_sitearch}/%{vdsm_name}/tool/validate_ovirt_certs.py* %{python_sitearch}/%{vdsm_name}/tool/load_needed_modules.py* +%{python_sitearch}/%{vdsm_name}/tool/passwd.py* +%{python_sitearch}/%{vdsm_name}/tool/seboolsetup.py* +%{python_sitearch}/%{vdsm_name}/tool/validate_ovirt_certs.py* %files tests %doc %{_datadir}/%{vdsm_name}/tests/README -- To view, visit http://gerrit.ovirt.org/9362 To unsubscribe, visit http://gerrit.ovirt.org/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I01baf1c17f7cad2a0525b261be6b5ac648576252 Gerrit-PatchSet: 1 Gerrit-Project: vdsm Gerrit-Branch: master Gerrit-Owner: Federico Simoncelli <fsimonce(a)redhat.com&gt;