set SELinux booleans during install #11
Comments
mscherer
pushed a commit
to gluster/glusterfs
that referenced
this issue
Jun 22, 2017
Starting in Fedora 26 and RHEL 7.4 there are new targeted policies in selinux which include a tuneable to allow ganesha.nfsd to access the gluster (FUSE) shared_storage volume where ganesha maintains its state. N.B. rpm doesn't have a way to distinguish between RHEL 7.3 or 7.4 so it can't be enabled for RHEL at this time. /usr/sbin/semanage is in policycoreutils-python in RHEL (versus policycoreutils-python-utils in Fedora.) Once RHEL 7.4 GAs we may also wish to specify the version for RHEL 7 explicitly, i.e. Requires: selinux-policy >= 3.13.1-160. But beware, the corresponding version in Fedora 26 seems to be selinux-policy-3.13.1.258 or so. (Maybe earlier versions, but that's what's currently in the F26 beta. release-3.10 is the upstream master branch for glusterfs-ganesha. For release-3.11 and later storhaug needs a similar change, which is tracked by linux-ha-storage/storhaug#11 Maybe at some point we would want to consider migrating the targeted policies for glusterfs (and nfs-ganesha) from selinux-policy to a glusterfs-selinux (and nfs-ganesha-selinux) subpackage? Change-Id: I04a5443edd00636cbded59a2baddfa98095bf7ac BUG: 1463641 Signed-off-by: Kaleb S. KEITHLEY <kkeithle@redhat.com> Reviewed-on: https://review.gluster.org/17597 Smoke: Gluster Build System <jenkins@build.gluster.org> Reviewed-by: Niels de Vos <ndevos@redhat.com> Reviewed-by: jiffin tony Thottan <jthottan@redhat.com> CentOS-regression: Gluster Build System <jenkins@build.gluster.org>
guihecheng
pushed a commit
to guihecheng/glusterfs
that referenced
this issue
Nov 13, 2019
Starting in Fedora 26 and RHEL 7.4 there are new targeted policies in selinux which include a tuneable to allow ganesha.nfsd to access the gluster (FUSE) shared_storage volume where ganesha maintains its state. N.B. rpm doesn't have a way to distinguish between RHEL 7.3 or 7.4 so it can't be enabled for RHEL at this time. /usr/sbin/semanage is in policycoreutils-python in RHEL (versus policycoreutils-python-utils in Fedora.) Once RHEL 7.4 GAs we may also wish to specify the version for RHEL 7 explicitly, i.e. Requires: selinux-policy >= 3.13.1-160. But beware, the corresponding version in Fedora 26 seems to be selinux-policy-3.13.1.258 or so. (Maybe earlier versions, but that's what's currently in the F26 beta. release-3.10 is the upstream master branch for glusterfs-ganesha. For release-3.11 and later storhaug needs a similar change, which is tracked by linux-ha-storage/storhaug#11 Maybe at some point we would want to consider migrating the targeted policies for glusterfs (and nfs-ganesha) from selinux-policy to a glusterfs-selinux (and nfs-ganesha-selinux) subpackage? Change-Id: I04a5443edd00636cbded59a2baddfa98095bf7ac Signed-off-by: Kaleb S. KEITHLEY <kkeithle@redhat.com> Reviewed-on: https://review.gluster.org/17597 Smoke: Gluster Build System <jenkins@build.gluster.org> Reviewed-by: Niels de Vos <ndevos@redhat.com> Reviewed-by: jiffin tony Thottan <jthottan@redhat.com> CentOS-regression: Gluster Build System <jenkins@build.gluster.org> Signed-off-by: Jiffin Tony Thottan <jthottan@redhat.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
https://bugzilla.redhat.com/show_bug.cgi?id=1461098
Issue was fixed by adding new SELinux boolean. (using this boolean you can allow some actions, in this case allow ganesha to acces fusefs_t labels.)
If you would like to switch this boolean on during installation ganesha you can follow this tutorial:
https://mojo.redhat.com/docs/DOC-1131234-creating-own-product-policies#jive_content_id_61_Setting_Booleans_During_a_Product_Policy_Installation
The text was updated successfully, but these errors were encountered: