From: Boris Ranto
Date: Mon, 26 Jun 2017 16:24:53 +0000 (+0200)
Subject: rpm: Add SELinux support
X-Git-Tag: v1.0~65^2
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=ac6ea525fa982215b09cea1a5f10b54469a1d7d6;p=cephmetrics.git
rpm: Add SELinux support
Signed-off-by: Boris Ranto
---
diff --git a/cephmetrics.spec.in b/cephmetrics.spec.in
index 07848b2..9d6331f 100644
--- a/cephmetrics.spec.in
+++ b/cephmetrics.spec.in
@@ -1,3 +1,7 @@
+%define debug_package %{nil}
+
+%{!?_selinux_policy_version: %global _selinux_policy_version %(sed -e 's,.*selinux-policy-\\([^/]*\\)/.*,\\1,' /usr/share/selinux/devel/policyhelp 2>/dev/null)}
+
 Name: cephmetrics
 Version: @VERSION@
 Release: @RELEASE@%{?dist}
@@ -9,6 +13,15 @@ Source0: cephmetrics-0.1.zip
 Source1: vonage-status-panel-1.0.4.zip
 Source2: grafana-piechart-panel-1.1.5.zip
+# SELinux deps
+BuildRequires: checkpolicy
+BuildRequires: selinux-policy-devel
+BuildRequires: /usr/share/selinux/devel/policyhelp
+BuildRequires: hardlink
+Requires: policycoreutils, libselinux-utils
+Requires(post): selinux-policy >= %{_selinux_policy_version}, policycoreutils
+Requires(postun): policycoreutils
+
 Requires: graphite-web
 Requires: python-carbon
 Requires: cephmetrics-grafana-plugins = %{version}-%{release}
@@ -49,6 +62,10 @@ unzip %SOURCE2
 mv -f grafana-piechart-panel* cephmetrics-piechart
+%build
+make -f /usr/share/selinux/devel/Makefile cephmetrics.pp
+
+
 %install
 # Install dashUpdater.py
 install -d %{buildroot}%{_libexecdir}/cephmetrics
@@ -70,6 +87,9 @@ install -m 644 collectors/* %{buildroot}%{_libdir}/collectd/cephmetrics/collecto
 install -d %{buildroot}%{_datadir}
 cp -L -r ansible %{buildroot}%{_datadir}/cephmetrics-ansible
+# Install SELinux
+install -d %{buildroot}%{_datadir}/selinux/packages
+install -m 644 cephmetrics.pp %{buildroot}%{_datadir}/selinux/packages/cephmetrics.pp
 exit 0
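Review bot: The `_selinux_policy_version` macro on the third added line of the first hunk expands to an empty string when `/usr/share/selinux/devel/policyhelp` is missing, because sed's stderr is discarded, and the `Requires(post): selinux-policy >= %{_selinux_policy_version}` added later in this commit then has no version to compare against. The `BuildRequires` on that path keeps this from happening in a clean build, but the purpose of the macro is not visible in the spec. A comment above it such as `# Pin the runtime selinux-policy to at least the version the module was compiled against (version read from selinux-policy-devel's policyhelp)` would document the intent.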
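Review bot: The `Requires(post)` and `Requires(postun)` on `policycoreutils` in the second hunk are added to the main package's preamble, but the scriptlets that call `/usr/sbin/semodule` in this commit are `%post collectors` and `%postun collectors`, so unless the `collectors` subpackage requires the main package, `semodule` is not guaranteed to be present when those scriptlets run. Move the two scriptlet requirements, together with the `selinux-policy >= %{_selinux_policy_version}` constraint, into the `%package collectors` section, which lies outside this hunk. `BuildRequires: hardlink` is also added but nothing in the `%build` or `%install` changes of this commit uses it; either drop it or add the hardlink step it was meant for.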
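Review bot: `make -f /usr/share/selinux/devel/Makefile cephmetrics.pp` in the third hunk looks for `cephmetrics.te` in the current directory, but the policy source this commit adds lives at `selinux/cephmetrics.te`, so unless `%prep` (outside this hunk) copies it into the top-level build directory, `%build` will fail to find it. Either build in place with `make -C selinux -f /usr/share/selinux/devel/Makefile cephmetrics.pp` and install from `selinux/cephmetrics.pp` in the fourth hunk, or copy the `.te` into the build directory in `%prep`. A `# Compile the SELinux policy module for the targeted policy type` comment above the make line would also help readers.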
@@ -89,6 +109,15 @@ exit 0
 %{_libdir}/collectd/cephmetrics
 %doc etc/collectd.conf
 %doc etc/collectd.d
+%{_datadir}/selinux/packages/cephmetrics.pp
+
+%post collectors
+/usr/sbin/semodule -i %{_datadir}/selinux/packages/cephmetrics.pp &> /dev/null || :
+
+%postun collectors
+if [ $1 == 0 ] ; then
+ /usr/sbin/semodule -r cephmetrics &> /dev/null || :
+fi
 %files ansible
 %{_datadir}/cephmetrics-ansible
diff --git a/selinux/cephmetrics.te b/selinux/cephmetrics.te
new file mode 100644
index 0000000..75367b5
--- /dev/null
+++ b/selinux/cephmetrics.te
@@ -0,0 +1,25 @@
+policy_module(cephmetrics, 1.0.0)
+
+require {
+ type collectd_t;
+ type ceph_t;
+ type ceph_var_run_t;
+ class unix_stream_socket connectto;
+ class dir read;
+ class capability2 block_suspend;
+}
+
+#============= collectd_t ==============
+
+#!!!! The file '/run/ceph/ceph-mon.node1.asok' is mislabeled on your system.
+#!!!! Fix with $ restorecon -R -v /run/ceph/ceph-mon.node1.asok
+#!!!! This avc can be allowed using the boolean 'daemons_enable_cluster_mode'
+allow collectd_t ceph_t:unix_stream_socket connectto;
+allow collectd_t ceph_var_run_t:dir read;
+allow collectd_t self:capability2 block_suspend;
+corecmd_exec_shell(collectd_t)
+files_list_tmp(collectd_t)
+libs_exec_ldconfig(collectd_t)
+libs_manage_lib_dirs(collectd_t)
+libs_manage_lib_files(collectd_t)
+logging_write_generic_logs(collectd_t)
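Review bot: Both scriptlets discard `semodule`'s stderr and ignore its exit status, so if the host's base policy does not define `ceph_t`, `ceph_var_run_t` or `collectd_t` (the `require` block in `cephmetrics.te`), or the `.pp` was built against a policy newer than the one installed, the module silently fails to load and collectd keeps running with denials nobody is told about. Keep `|| :` so the transaction does not abort, but let stderr through: `/usr/sbin/semodule -i %{_datadir}/selinux/packages/cephmetrics.pp >/dev/null || :` and likewise for the `-r` call. The erase test should also be `if [ "$1" -eq 0 ] ; then`, since `==` is a bash extension and the unquoted `$1` is fragile.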
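Review bot: `libs_manage_lib_dirs(collectd_t)` and `libs_manage_lib_files(collectd_t)` allow the collectd domain to create, modify and delete files under the system library directories, and combined with `libs_exec_ldconfig` and `corecmd_exec_shell` this hands a compromised collector plugin a direct way to replace shared libraries used by other confined services, which undoes much of the benefit of confining `collectd_t`. The `#!!!!` lines are audit2allow output tied to one host (`ceph-mon.node1.asok`); they record that the socket was mislabeled and that the `connectto` denial is already addressable through the `daemons_enable_cluster_mode` boolean, which suggests the rules were copied from denials rather than reviewed for least privilege. Drop the two `libs_manage_*` lines unless a specific, reproducible denial requires them (and then scope the grant to the one path involved rather than all library directories), replace the three `#!!!!` lines with one comment per rule naming the collector and operation that needs it, and check whether `ceph_var_run_t:dir read` and the `ceph_t` socket connect are better expressed through the interfaces the installed ceph policy module exports than through raw `allow` rules.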