Change in vdsm[master]: vdsm-tool: add the sebool configuration module - vdsm-patches - Fedora mailing-lists

20 Nov 2012

Federico Simoncelli has uploaded a new change for review.
Change subject: vdsm-tool: add the sebool configuration module
......................................................................
vdsm-tool: add the sebool configuration module
This patch moves the sebool configuration from a shell scriptlet in the
rpm package to the vdsm-tool command.
Change-Id: I01baf1c17f7cad2a0525b261be6b5ac648576252
Signed-off-by: Federico Simoncelli fsimonce@redhat.com
---
M vdsm-tool/Makefile.am
A vdsm-tool/seboolsetup.py
M vdsm.spec.in
3 files changed, 69 insertions(+), 36 deletions(-)
git pull ssh://gerrit.ovirt.org:29418/vdsm refs/changes/62/9362/1

diff --git a/vdsm-tool/Makefile.am b/vdsm-tool/Makefile.am
index 997e339..348940e 100644
--- a/vdsm-tool/Makefile.am
+++ b/vdsm-tool/Makefile.am
@@ -29,5 +29,6 @@
    __init__.py \
    load_needed_modules.py \
    passwd.py \
+	seboolsetup.py \
    validate_ovirt_certs.py \
    $(NULL)
diff --git a/vdsm-tool/seboolsetup.py b/vdsm-tool/seboolsetup.py
new file mode 100644
index 0000000..dee1e58
--- /dev/null
+++ b/vdsm-tool/seboolsetup.py
@@ -0,0 +1,63 @@
+#
+# Copyright 2012 Red Hat, Inc.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+#
+# Refer to the README and COPYING files for full details of the license
+#
+
+import seobject
+from vdsm.tool import expose
+
+SEBOOL_ENABLED = "on"
+SEBOOL_DISABLED = "off"
+
+VDSM_SEBOOL_LIST = [
+    "virt_use_fusefs",
+    "virt_use_nfs",
+    "virt_use_samba",
+    "sanlock_use_fusefs",
+    "sanlock_use_nfs",
+    "sanlock_use_samba",
+    "virt_use_sanlock",
+]
+
+
+def setup_booleans(status):
+    sebool_obj = seobject.booleanRecords()
+    sebool_status = sebool_obj.get_all()
+
+    sebool_obj.start()
+
+    for sebool_variable in VDSM_SEBOOL_LIST:
+        if status and not all(sebool_status[sebool_variable]):
+            sebool_obj.modify(sebool_variable, SEBOOL_ENABLED)
+
+        if not status and any(sebool_status[sebool_variable]):
+            sebool_obj.modify(sebool_variable, SEBOOL_DISABLED)
+
+    sebool_obj.finish()
+
+
+@expose("sebool-enable")
+def sebool_enable():
+    """Enable the required selinux booleans"""
+    setup_booleans(True)
+
+
+@expose("sebool-disable")
+def sebool_disable():
+    """Disable the required selinux booleans"""
+    setup_booleans(False)
diff --git a/vdsm.spec.in b/vdsm.spec.in
index 3fa3395..033ce1a 100644
--- a/vdsm.spec.in
+++ b/vdsm.spec.in
@@ -456,30 +456,8 @@
 /usr/sbin/usermod -a -G %{qemu_group},%{snlk_group} %{vdsm_user}
 /usr/sbin/usermod -a -G %{qemu_group},%{vdsm_group} %{snlk_user}
-# vdsm makes extensive use of nfs-exported images
-# The next lines will collect the default selinux behaviour for the booleans
-virtNFS=$(/usr/sbin/semanage boolean -l | /bin/grep virt_use_nfs | cut -d ',' -f 2)
-virtSANLOCK=$(/usr/sbin/semanage boolean -l | /bin/grep virt_use_sanlock | cut -d ',' -f 2)
-snlkNFS=$(/usr/sbin/semanage boolean -l | /bin/grep sanlock_use_nfs | cut -d ',' -f 2)
-
-# Set the booleans and persist it across reboots
-if [[ "${virtNFS}" == *off* || "${virtSANLOCK}" == *off* || \
-      "${snlkNFS}" == *off* ]]; then
-    /usr/sbin/semanage boolean -m -S targeted -F /dev/stdin  << _EOF
-virt_use_nfs=1
-virt_use_sanlock=1
-sanlock_use_nfs=1
-_EOF
-fi
-
-# Set the current state of SELinux booleans
-if /usr/sbin/selinuxenabled; then
-    /usr/sbin/setsebool virt_use_nfs on
-    /usr/sbin/setsebool virt_use_sanlock on
-    /usr/sbin/setsebool sanlock_use_nfs on
-fi
-
 %post
+%{_bindir}/vdsm-tool sebool-enable
 # set the vdsm "secret" password for libvirt
 %{_bindir}/vdsm-tool set-saslpasswd
@@ -521,17 +499,7 @@
     /bin/sed -i '/# VDSM section begin/,/# VDSM section end/d' \
         /etc/sysctl.conf
-    /usr/sbin/semanage boolean -m -S targeted -F /dev/stdin  << _EOF
-virt_use_nfs=0
-virt_use_sanlock=0
-sanlock_use_nfs=0
-_EOF
-
-    if /usr/sbin/selinuxenabled; then
-        /usr/sbin/setsebool virt_use_nfs off
-        /usr/sbin/setsebool virt_use_sanlock off
-        /usr/sbin/setsebool sanlock_use_nfs off
-    fi
+    %{_bindir}/vdsm-tool sebool-disable
/usr/sbin/saslpasswd2 -p -a libvirt -d vdsm@ovirt
@@ -794,9 +762,10 @@
 %{python_sitearch}/%{vdsm_name}/betterPopen/__init__.py*
 %{python_sitearch}/%{vdsm_name}/betterPopen/createprocess.so
 %{python_sitearch}/%{vdsm_name}/tool/__init__.py*
-%{python_sitearch}/%{vdsm_name}/tool/passwd.py*
-%{python_sitearch}/%{vdsm_name}/tool/validate_ovirt_certs.py*
 %{python_sitearch}/%{vdsm_name}/tool/load_needed_modules.py*
+%{python_sitearch}/%{vdsm_name}/tool/passwd.py*
+%{python_sitearch}/%{vdsm_name}/tool/seboolsetup.py*
+%{python_sitearch}/%{vdsm_name}/tool/validate_ovirt_certs.py*
%files tests
 %doc %{_datadir}/%{vdsm_name}/tests/README
--
To view, visit http://gerrit.ovirt.org/9362
To unsubscribe, visit http://gerrit.ovirt.org/settings
Gerrit-MessageType: newchange
Gerrit-Change-Id: I01baf1c17f7cad2a0525b261be6b5ac648576252
Gerrit-PatchSet: 1
Gerrit-Project: vdsm
Gerrit-Branch: master
Gerrit-Owner: Federico Simoncelli fsimonce@redhat.com

    