122 lines
4.4 KiB
Diff
122 lines
4.4 KiB
Diff
|
From 4b65ff0d1a3d70fcf3cfa8ab769135ae12f529d8 Mon Sep 17 00:00:00 2001
|
||
|
From: nik-redhat <nladha@redhat.com>
|
||
|
Date: Thu, 7 Oct 2021 22:02:32 +0530
|
||
|
Subject: [PATCH 607/610] SELinux: Fix boolean management
|
||
|
|
||
|
Remove %triggerun ganesha
|
||
|
This trigger shouldn't be needed to begin with since removing
|
||
|
selinux-policy-targeted means that the user is switching SELinux off, or
|
||
|
is is switching the policy (to "mls" or "minimum"). In either case the
|
||
|
current boolean setting is not going to be used any more. The last
|
||
|
option, removal of glusterfs-ganesha, is covered by '%postun ganesha'.
|
||
|
But more importantly, the trigger is called every time
|
||
|
selinux-policy-targeted is updated (which can be avoided).
|
||
|
%triggerun is executed after %triggerin -
|
||
|
https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#ordering
|
||
|
So when selinux-policy-targeted is updated, the new version is installed
|
||
|
first triggering `semanage boolean -m ganesha_use_fusefs --on`,
|
||
|
and then the old version is uninstalled triggering
|
||
|
`semanage boolean -m ganesha_use_fusefs --off`.
|
||
|
|
||
|
* use selinux_[un]set_booleans instead of "semanage boolean"
|
||
|
The macro pair properly manages SELinux stores and doesn't disable the
|
||
|
boolean in case it was enabled before ${name}-ganesha was installed.
|
||
|
|
||
|
* Only change booleans when the package is first installed or
|
||
|
uninstalled
|
||
|
Updating ${name}-ganesha would disable the boolean because %postun is
|
||
|
called after %post (same issue as with the triggers).
|
||
|
|
||
|
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
|
||
|
Signed-off-by: Kaleb S. KEITHLEY <kkeithle@redhat.com>
|
||
|
Change-Id: Ibb926ffbe00c9f000bd740708c0a4b3435ee7871
|
||
|
PR: https://github.com/gluster/glusterfs/pull/2833
|
||
|
Issue: https://github.com/gluster/glusterfs/issues/2522
|
||
|
Resolves: rhbz#1973566
|
||
|
Resolves: rhbz#1975400
|
||
|
|
||
|
BUG: 1973566
|
||
|
Change-Id: Idef6cbd6bce35151518d6f76e5b74774e5756fc9
|
||
|
Signed-off-by: nik-redhat <nladha@redhat.com>
|
||
|
Reviewed-on: https://code.engineering.redhat.com/gerrit/c/rhs-glusterfs/+/280114
|
||
|
Tested-by: RHGS Build Bot <nigelb@redhat.com>
|
||
|
Reviewed-by: Kaleb Keithley <kkeithle@redhat.com>
|
||
|
---
|
||
|
glusterfs.spec.in | 34 +++++++++++++++++++++-------------
|
||
|
1 file changed, 21 insertions(+), 13 deletions(-)
|
||
|
|
||
|
diff --git a/glusterfs.spec.in b/glusterfs.spec.in
|
||
|
index 424f4ab..a9a83b1 100644
|
||
|
--- a/glusterfs.spec.in
|
||
|
+++ b/glusterfs.spec.in
|
||
|
@@ -954,7 +954,10 @@ exit 0
|
||
|
%if ( 0%{!?_without_server:1} )
|
||
|
%if ( 0%{?fedora} && 0%{?fedora} > 25 || ( 0%{?rhel} && 0%{?rhel} > 6 ) )
|
||
|
%post ganesha
|
||
|
-semanage boolean -m ganesha_use_fusefs --on
|
||
|
+# first install
|
||
|
+if [ $1 -eq 1 ]; then
|
||
|
+ %selinux_set_booleans ganesha_use_fusefs=1
|
||
|
+fi
|
||
|
exit 0
|
||
|
%endif
|
||
|
%endif
|
||
|
@@ -962,7 +965,9 @@ exit 0
|
||
|
%if ( 0%{!?_without_georeplication:1} )
|
||
|
%post geo-replication
|
||
|
%if ( 0%{?rhel} && 0%{?rhel} >= 8 )
|
||
|
-%selinux_set_booleans %{selinuxbooleans}
|
||
|
+if [ $1 -eq 1 ]; then
|
||
|
+ %selinux_set_booleans %{selinuxbooleans}
|
||
|
+fi
|
||
|
%endif
|
||
|
if [ $1 -ge 1 ]; then
|
||
|
%systemd_postun_with_restart glusterd
|
||
|
@@ -1089,29 +1094,32 @@ exit 0
|
||
|
%if ( 0%{!?_without_server:1} )
|
||
|
%if ( 0%{?fedora} && 0%{?fedora} > 25 || ( 0%{?rhel} && 0%{?rhel} > 6 ) )
|
||
|
%postun ganesha
|
||
|
-semanage boolean -m ganesha_use_fusefs --off
|
||
|
+if [ $1 -eq 0 ]; then
|
||
|
+ # use the value of ganesha_use_fusefs from before glusterfs-ganesha was installed
|
||
|
+ %selinux_unset_booleans ganesha_use_fusefs=1
|
||
|
+fi
|
||
|
exit 0
|
||
|
%endif
|
||
|
%endif
|
||
|
|
||
|
-##-----------------------------------------------------------------------------
|
||
|
-## All %%trigger should be placed here and keep them sorted
|
||
|
-##
|
||
|
-%if ( 0%{!?_without_server:1} )
|
||
|
-%if ( 0%{?fedora} && 0%{?fedora} > 25 || ( 0%{?rhel} && 0%{?rhel} > 6 ) )
|
||
|
-%trigger ganesha -- selinux-policy-targeted
|
||
|
-semanage boolean -m ganesha_use_fusefs --on
|
||
|
+%if ( 0%{!?_without_georeplication:1} )
|
||
|
+%postun geo-replication
|
||
|
+%if ( 0%{?rhel} && 0%{?rhel} >= 8 )
|
||
|
+if [ $1 -eq 0 ]; then
|
||
|
+ %selinux_unset_booleans %{selinuxbooleans}
|
||
|
+fi
|
||
|
exit 0
|
||
|
%endif
|
||
|
%endif
|
||
|
|
||
|
##-----------------------------------------------------------------------------
|
||
|
-## All %%triggerun should be placed here and keep them sorted
|
||
|
+## All %%trigger should be placed here and keep them sorted
|
||
|
##
|
||
|
%if ( 0%{!?_without_server:1} )
|
||
|
%if ( 0%{?fedora} && 0%{?fedora} > 25 || ( 0%{?rhel} && 0%{?rhel} > 6 ) )
|
||
|
-%triggerun ganesha -- selinux-policy-targeted
|
||
|
-semanage boolean -m ganesha_use_fusefs --off
|
||
|
+# ensure ganesha_use_fusefs is on in case of policy mode switch (eg. mls->targeted)
|
||
|
+%triggerin ganesha -- selinux-policy-targeted
|
||
|
+semanage boolean -m ganesha_use_fusefs --on -S targeted
|
||
|
exit 0
|
||
|
%endif
|
||
|
%endif
|
||
|
--
|
||
|
1.8.3.1
|
||
|
|