rpm: Add SELinux support

Signed-off-by: Boris Ranto <branto@redhat.com>

diff --git a/cephmetrics.spec.in b/cephmetrics.spec.in
index 07848b21bb43fb1aea166ecc0ca73e2f574c1301..9d6331fa354fd7223cba3b9b89e84994a802a88f 100644 (file)
--- a/cephmetrics.spec.in
+++ b/cephmetrics.spec.in
@@ -1,3 +1,7 @@
+%define debug_package %{nil}
+
+%{!?_selinux_policy_version: %global _selinux_policy_version %(sed -e 's,.*selinux-policy-\\([^/]*\\)/.*,\\1,' /usr/share/selinux/devel/policyhelp 2>/dev/null)}
+
 Name:          cephmetrics
 Version:       @VERSION@
 Release:       @RELEASE@%{?dist}
@@ -9,6 +13,15 @@ Source0:      cephmetrics-0.1.zip
 Source1:       vonage-status-panel-1.0.4.zip
 Source2:       grafana-piechart-panel-1.1.5.zip
 
+# SELinux deps
+BuildRequires:  checkpolicy
+BuildRequires:  selinux-policy-devel
+BuildRequires:  /usr/share/selinux/devel/policyhelp
+BuildRequires:  hardlink
+Requires:       policycoreutils, libselinux-utils
+Requires(post): selinux-policy >= %{_selinux_policy_version}, policycoreutils
+Requires(postun): policycoreutils
+
 Requires:      graphite-web
 Requires:      python-carbon
 Requires:       cephmetrics-grafana-plugins = %{version}-%{release}
@@ -49,6 +62,10 @@ unzip %SOURCE2
 mv -f grafana-piechart-panel* cephmetrics-piechart
 
 
+%build
+make -f /usr/share/selinux/devel/Makefile cephmetrics.pp
+
+
 %install
 # Install dashUpdater.py
 install -d %{buildroot}%{_libexecdir}/cephmetrics
@@ -70,6 +87,9 @@ install -m 644 collectors/* %{buildroot}%{_libdir}/collectd/cephmetrics/collecto
 install -d %{buildroot}%{_datadir}
 cp -L -r ansible %{buildroot}%{_datadir}/cephmetrics-ansible
 
+# Install SELinux
+install -d %{buildroot}%{_datadir}/selinux/packages
+install -m 644 cephmetrics.pp %{buildroot}%{_datadir}/selinux/packages/cephmetrics.pp
 exit 0
 
 
@@ -89,6 +109,15 @@ exit 0
 %{_libdir}/collectd/cephmetrics
 %doc etc/collectd.conf
 %doc etc/collectd.d
+%{_datadir}/selinux/packages/cephmetrics.pp
+
+%post collectors
+/usr/sbin/semodule -i %{_datadir}/selinux/packages/cephmetrics.pp &> /dev/null || :
+
+%postun collectors
+if [ $1 == 0 ] ; then
+       /usr/sbin/semodule -r cephmetrics &> /dev/null || :
+fi
 
 %files ansible
 %{_datadir}/cephmetrics-ansible

diff --git a/selinux/cephmetrics.te b/selinux/cephmetrics.te
new file mode 100644 (file)
index 0000000..75367b5
--- /dev/null
+++ b/selinux/cephmetrics.te
@@ -0,0 +1,25 @@
+policy_module(cephmetrics, 1.0.0)
+
+require {
+       type collectd_t;
+       type ceph_t;
+       type ceph_var_run_t;
+       class unix_stream_socket connectto;
+       class dir read;
+       class capability2 block_suspend;
+}
+
+#============= collectd_t ==============
+
+#!!!! The file '/run/ceph/ceph-mon.node1.asok' is mislabeled on your system.  
+#!!!! Fix with $ restorecon -R -v /run/ceph/ceph-mon.node1.asok
+#!!!! This avc can be allowed using the boolean 'daemons_enable_cluster_mode'
+allow collectd_t ceph_t:unix_stream_socket connectto;
+allow collectd_t ceph_var_run_t:dir read;
+allow collectd_t self:capability2 block_suspend;
+corecmd_exec_shell(collectd_t)
+files_list_tmp(collectd_t)
+libs_exec_ldconfig(collectd_t)
+libs_manage_lib_dirs(collectd_t)
+libs_manage_lib_files(collectd_t)
+logging_write_generic_logs(collectd_t)