Ensure SELinux file context is applied on data directories

When SELinux is in 'enforcing' mode, we need to label the data directories. Change-Id: Ic2c376999315c89ae05e45a2aab31cacf3369b6a Closes-Bug: 1611893
2016-08-10 20:22:00 +02:00 · 2016-08-10 20:22:00 +02:00 · f13493abc3
commit f13493abc3
parent d823bf6ac9
2 changed files with 28 additions and 10 deletions
--- a/manifests/osd.pp
+++ b/manifests/osd.pp
@ -41,11 +41,16 @@
 # [*exec_timeout*] The default exec resource timeout, in seconds
 #   Optional. Defaults to $::ceph::params::exec_timeout
 #
+# [*selinux_file_context*] The SELinux file context to apply
+#   on the directory backing the OSD service.
+#   Optional. Defaults to 'ceph_var_lib_t'
+#
 define ceph::osd (
  $ensure = present,
  $journal = undef,
  $cluster = undef,
  $exec_timeout = $::ceph::params::exec_timeout,
+  $selinux_file_context = 'ceph_var_lib_t',
  ) {

    $data = $name
@ -106,6 +111,17 @@ ceph-disk list | grep -E ' *${data}1? .*ceph data, (prepared|active)' ||
        timeout   => $exec_timeout,
      }

+      if (str2bool($::selinux) == true) {
+        ensure_packages($::ceph::params::pkg_policycoreutils, {'ensure' => 'present'})
+        exec { "fcontext_${name}":
+          command => "semanage fcontext -a -t ${selinux_file_context} '${data}(/.*)?' && restorecon -R ${data}",
+          path    => ['/usr/sbin', '/sbin', '/usr/bin', '/bin'],
+          require => [Package[$::ceph::params::pkg_policycoreutils],Exec[$ceph_prepare]],
+          before  => Exec[$ceph_activate],
+          unless  => "test ! -b ${data} && (semanage fcontext -l | grep ${data})",
+        }
+      }
+
      Exec[$ceph_prepare] -> Exec[$ceph_activate]
      exec { $ceph_activate:
        command   => "/bin/true # comment to satisfy puppet syntax requirements
--- a/manifests/params.pp
+++ b/manifests/params.pp
@ -50,19 +50,21 @@ class ceph::params (

  case $::osfamily {
    'Debian': {
-      $pkg_radosgw      = 'radosgw'
-      $user_radosgw     = 'www-data'
-      $pkg_fastcgi      = 'libapache2-mod-fastcgi'
-      $pkg_nsstools     = 'libnss3-tools'
-      $service_provider = 'debian'
+      $pkg_radosgw         = 'radosgw'
+      $user_radosgw        = 'www-data'
+      $pkg_fastcgi         = 'libapache2-mod-fastcgi'
+      $pkg_nsstools        = 'libnss3-tools'
+      $service_provider    = 'debian'
+      $pkg_policycoreutils = 'policycoreutils'
    }

    'RedHat': {
-      $pkg_radosgw      = 'ceph-radosgw'
-      $user_radosgw     = 'apache'
-      $pkg_fastcgi      = 'mod_fastcgi'
-      $pkg_nsstools     = 'nss-tools'
-      $service_provider = 'redhat'
+      $pkg_radosgw         = 'ceph-radosgw'
+      $user_radosgw        = 'apache'
+      $pkg_fastcgi         = 'mod_fastcgi'
+      $pkg_nsstools        = 'nss-tools'
+      $service_provider    = 'redhat'
+      $pkg_policycoreutils = 'policycoreutils-python'
    }

    default: {