Add initial SELinux support

This patch modifies the build system and spec file to provide a support for SELinux enforcing in an opt-in matter via ceph-selinux package. Signed-off-by: Boris Ranto <[email protected]>
mleklund · Aug 5, 2015 · c52eb99 · c52eb99
1 parent 21581a4
commit c52eb99
Show file tree

Hide file tree

Showing 10 changed files with 1,121 additions and 11 deletions.
diff --git a/Makefile.am b/Makefile.am
@@ -2,7 +2,7 @@ AUTOMAKE_OPTIONS = gnu
 ACLOCAL_AMFLAGS = -I m4
 EXTRA_DIST = autogen.sh ceph.spec.in ceph.spec install-deps.sh
 # the "." here makes sure check-local builds gtest and gmock before they are used
-SUBDIRS = . src man doc systemd
+SUBDIRS = . src man doc systemd selinux
 
 EXTRA_DIST += \
 	src/test/run-cli-tests \

diff --git a/ceph.spec.in b/ceph.spec.in
@@ -1,14 +1,31 @@
+# vim: set noexpandtab ts=8 sw=8 :
 %bcond_with ocf
 %bcond_without cephfs_java
 %bcond_with tests
 %bcond_without tcmalloc
 %bcond_without libs_compat
+%bcond_without selinux
+
 
 %if (0%{?el5} || (0%{?rhel_version} >= 500 && 0%{?rhel_version} <= 600))
 %{!?python_sitelib: %global python_sitelib %(%{__python} -c "from distutils.sysconfig import get_python_lib; print(get_python_lib())")}
 %{!?python_sitearch: %global python_sitearch %(%{__python} -c "from distutils.sysconfig import get_python_lib; print(get_python_lib(1))")}
 %endif
 
+%if %{with selinux}
+# get selinux policy version
+%{!?_selinux_policy_version: %global _selinux_policy_version %(sed -e 's,.*selinux-policy-\\([^/]*\\)/.*,\\1,' /usr/share/selinux/devel/policyhelp 2>/dev/null || echo 0.0.0)}
+
+%define relabel_files() \
+restorecon -R /usr/bin/ceph-mon > /dev/null 2>&1; \
+restorecon -R /usr/bin/ceph-osd > /dev/null 2>&1; \
+restorecon -R /usr/bin/ceph-mds > /dev/null 2>&1; \
+restorecon -R /etc/rc\.d/init\.d/ceph > /dev/null 2>&1; \
+restorecon -R /var/run/ceph > /dev/null 2>&1; \
+restorecon -R /var/lib/ceph > /dev/null 2>&1; \
+restorecon -R /var/log/ceph > /dev/null 2>&1;
+%endif
+
 %{!?_udevrulesdir: %global _udevrulesdir /lib/udev/rules.d}
 
 # Use systemd files on RHEL 7 and above and in SUSE/openSUSE.
@@ -61,6 +78,11 @@ Requires: systemd
 %if 0%{with cephfs_java}
 BuildRequires: sharutils
 %endif
+%if 0%{with selinux}
+BuildRequires:	checkpolicy
+BuildRequires:	selinux-policy-devel
+BuildRequires:	/usr/share/selinux/devel/policyhelp
+%endif
 BuildRequires:	gcc-c++
 BuildRequires:	boost-devel
 BuildRequires:	cryptsetup
@@ -394,6 +416,22 @@ This package contains the Java libraries for the Ceph File System.
 
 %endif
 
+%if 0%{with selinux}
+
+%package selinux
+Summary:	SELinux support for Ceph MON, OSD and MDS
+Group:		System Environment/Base
+Requires:	%{name}
+Requires:	policycoreutils, libselinux-utils
+Requires(post):	selinux-policy >= %{_selinux_policy_version}, policycoreutils
+Requires(postun): policycoreutils
+%description selinux
+This package contains SELinux support for Ceph MON, OSD and MDS. The package
+also performs file-system relabelling which can take a long time on heavily
+populated file-systems.
+
+%endif
+
 %if 0%{with libs_compat}
 
 %package libs-compat
@@ -493,6 +531,9 @@ export RPM_OPT_FLAGS=`echo $RPM_OPT_FLAGS | sed -e 's/i386/i486/'`
 		--with-debug \
 %if 0%{with cephfs_java}
 		--enable-cephfs-java \
+%endif
+%if 0%{with selinux}
+		--with-selinux \
 %endif
 		--with-librocksdb-static=check \
 %if 0%{?rhel} || 0%{?fedora}
@@ -664,7 +705,6 @@ mkdir -p %{_localstatedir}/run/ceph/
 %insserv_cleanup
 %endif
 
-
 #################################################################################
 # files
 #################################################################################
@@ -1083,6 +1123,35 @@ ln -sf %{_libdir}/librbd.so.1 /usr/lib64/qemu/librbd.so.1
 %{_javadir}/libcephfs-test.jar
 %endif
 
+#################################################################################
+%if 0%{with selinux}
+%files selinux
+%defattr(-,root,root,-)
+%attr(0600,root,root) %{_datadir}/selinux/packages/ceph.pp
+%{_datadir}/selinux/devel/include/contrib/ceph.if
+%{_mandir}/man8/ceph_selinux.8.*
+
+%post selinux
+semodule -n -i %{_datadir}/selinux/packages/ceph.pp
+if /usr/sbin/selinuxenabled ; then
+    /usr/sbin/load_policy
+    %relabel_files
+fi
+exit 0
+
+%postun selinux
+if [ $1 -eq 0 ]; then
+    semodule -n -r ceph
+    if /usr/sbin/selinuxenabled ; then
+       /usr/sbin/load_policy
+       %relabel_files
+
+    fi;
+fi;
+exit 0
+
+%endif
+
 #################################################################################
 %if 0%{with libs_compat}
 %files libs-compat

diff --git a/configure.ac b/configure.ac
@@ -97,9 +97,7 @@ AC_PROG_LIBTOOL
 AC_SUBST(AM_CXXFLAGS)
 AM_CXXFLAGS="${AM_CXXFLAGS}"
 
-
-###### PATCH STARTS HERE ######
-# Find out what to build (default is all of these)
+# Find out what to build (default is most of these)
 
 # rados?
 AC_ARG_WITH([rados],
@@ -130,12 +128,22 @@ AM_CONDITIONAL(WITH_CEPHFS, test "$with_cephfs" = "yes")
 # radosgw?
 # radosgw requires rados
 AC_ARG_WITH([radosgw],
-            [AS_HELP_STRING([--with-radosgw], [build RADOS gateway])],
-            [],
-            [with_radosgw=check])
+	[AS_HELP_STRING([--with-radosgw], [build RADOS gateway])],
+	[],
+	[with_radosgw=check])
 # AM_CONDITIONAL is defined later -- we need to check whether we can enable radosgw if no option is present
 #AS_IF([test "$with_radosgw" = "yes"], [AC_DEFINE([WITH_RADOS, WITH_RADOSGW])])
 
+AC_ARG_WITH([selinux],
+	[AS_HELP_STRING([--with-selinux], [build SELinux policy])],
+	[],
+	[with_selinux=no])
+AM_CONDITIONAL(WITH_SELINUX, test "$with_selinux" = "yes")
+if test "x$with_selinux" = x"yes"; then
+	AC_CHECK_FILE([/usr/share/selinux/devel/policyhelp], [true], [AC_MSG_FAILURE([No SELinux found])])
+	AC_CHECK_FILE([/usr/share/selinux/devel/include/Makefile], [true],  [AC_MSG_FAILURE([No SELinux Makefile found])])
+fi
+
 # radosstriper?
 AC_ARG_WITH([radosstriper],
 	[AS_HELP_STRING([--with-radosstriper], [build radosstriper files])],
@@ -191,8 +199,6 @@ AS_IF([test "$enable_server" = "yes" -a \( "$with_osd" = "yes" -o "$with_mon" =
 # cond-check leveldb, necessary if server, osd or mon enabled
 AS_IF([test "$enable_server" = "yes" -a \( "$with_osd" = "yes" -o "$with_mon" = "yes" \)],
 	[AC_CHECK_LIB([leveldb], [leveldb_open], [true], [AC_MSG_FAILURE([libleveldb not found])], [-lsnappy -lpthread])])
-###### PATCH ENDS HERE ######
-
 
 # Check for yasm
 AC_CHECK_PROG(YASM_CHECK, yasm, yes)
@@ -1330,6 +1336,7 @@ AC_CONFIG_FILES([Makefile
 	systemd/Makefile
 	man/Makefile
 	doc/Makefile
+	selinux/Makefile
 	systemd/[email protected]
 	systemd/ceph-rgw.tmpfiles.d
 	ceph.spec])

diff --git a/man/Makefile-server.am b/man/Makefile-server.am
@@ -5,7 +5,8 @@ dist_man_MANS += \
 	mount.ceph.8 \
 	ceph-create-keys.8 \
 	ceph-rest-api.8 \
-	ceph-debugpack.8
+	ceph-debugpack.8 \
+	ceph_selinux.8
 
 if WITH_MON
 dist_man_MANS += \