[node-patches] Change in ovirt-node[master]: Alter semodule file to be smart about OS capabilities

mburns at redhat.com mburns at redhat.com
Sat May 18 02:12:17 UTC 2013


Michael Burns has uploaded a new change for review.

Change subject: Alter semodule file to be smart about OS capabilities
......................................................................

Alter semodule file to be smart about OS capabilities

collectd is not available on RHEL, so don't add its rules on RHEL.
systemd is only available on certain OSes, so only add its rules where it is available.

Change-Id: I7bc3339e94723639922c2458214449f14ea1cbee
Signed-off-by: Mike Burns <mburns at redhat.com>
---
M .gitignore
M configure.ac
D semodule/ovirt.te
A semodule/ovirt.te.in
4 files changed, 52 insertions(+), 44 deletions(-)


  git pull ssh://gerrit.ovirt.org:29418/ovirt-node refs/changes/44/14844/1

diff --git a/.gitignore b/.gitignore
index 9e46431..bf7b7c3 100644
--- a/.gitignore
+++ b/.gitignore
@@ -29,3 +29,4 @@
 .settings
 tmp
 .checkstyle
+semodule/ovirt.te
diff --git a/configure.ac b/configure.ac
index eeedf67..4fe0a8b 100644
--- a/configure.ac
+++ b/configure.ac
@@ -24,6 +24,12 @@
 AM_CONDITIONAL(TARGET_CENTOS, test x"$CENTOS" != x)
 AM_CONDITIONAL(TARGET_SYSTEMD, test 0$RHEL -ge 7 || test 0$FEDORA -ge 16 || test 0$CENTOS -ge 7)
 
+AM_COND_IF([TARGET_SYSTEMD],
+    [SYSTEMD_COMMENT=""], [SYSTEMD_COMMENT="#"])
+AM_COND_IF([TARGET_RHEL],
+    [COLLECTD_COMMENT="#"], [COLLECTD_COMMENT=""])
+AC_SUBST([SYSTEMD_COMMENT])
+AC_SUBST([COLLECTD_COMMENT])
 
 AC_ARG_WITH([image-minimizer], [AC_HELP_STRING([--with-image-minimizer],
             [enable aggresive reduction of the image size])],
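Review bot: The `COLLECTD_COMMENT` switch keys only on `TARGET_RHEL`, so a CentOS build (which the `TARGET_SYSTEMD` line above treats like RHEL) still gets the collectd rules uncommented. If CentOS lacks collectd in the same way RHEL does, which seems likely but is not shown here, the generated policy would reference a domain that does not exist on that target. Assuming `$RHEL` and `$CENTOS` are set the way the surrounding conditionals use them, the test could cover both: `AS_IF([test x"$RHEL" != x || test x"$CENTOS" != x], [COLLECTD_COMMENT="#"], [COLLECTD_COMMENT=""])`. A one-line comment above the block saying that these variables expand to a policy comment prefix in `semodule/ovirt.te.in` would also help the next reader.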
@@ -72,5 +78,6 @@
                 $MAIN_KS
                 recipe/image-minimizer.ks
                 scripts/ovirt-functions
+                semodule/ovirt.te
                 ovirt-node.spec])
 AC_OUTPUT
diff --git a/semodule/ovirt.te b/semodule/ovirt.te
deleted file mode 100644
index 804b9aa..0000000
--- a/semodule/ovirt.te
+++ /dev/null
@@ -1,44 +0,0 @@
-policy_module(ovirt, 1.0)
-
-gen_require(`
-    type initrc_tmp_t;
-    type mount_t;
-    type setfiles_t;
-    type net_conf_t;
-    type collectd_t;
-    type virt_etc_t;
-    type virt_var_run_t;
-    type virtd_exec_t;
-    type loadkeys_t;
-    type etc_t;
-    type init_t;
-    type shadow_t;
-    type passwd_file_t;
-    type systemd_localed_t;
-    type systemd_unit_file_t;
-    type policykit_t;
-')
-
-#============= collectd_t ==============
-allow collectd_t passwd_file_t:file { open read };
-allow collectd_t virtd_exec_t:file getattr;
-allow collectd_t virt_etc_t:file read;
-allow collectd_t virt_var_run_t:sock_file write;
-
-#============= systemd_localed_t ==============
-allow systemd_localed_t etc_t:file { write rename create setattr };
-allow systemd_localed_t init_t:dbus send_msg;
-allow systemd_localed_t systemd_unit_file_t:service start;
-allow systemd_localed_t ovirt_t:dbus send_msg;
-
-#============= misc ==============
-allow mount_t shadow_t:file mounton;
-allow setfiles_t net_conf_t:file read;
-allow loadkeys_t initrc_tmp_t:file read;
-allow policykit_t ovirt_t:dbus send_msg;
-
-type ovirt_t;
-type ovirt_exec_t;
-init_daemon_domain(ovirt_t, ovirt_exec_t)
-unconfined_domain(ovirt_t)
-unconfined_domain(mount_t)
diff --git a/semodule/ovirt.te.in b/semodule/ovirt.te.in
new file mode 100644
index 0000000..879b64d
--- /dev/null
+++ b/semodule/ovirt.te.in
@@ -0,0 +1,44 @@
+policy_module(ovirt, 1.0)
+
+gen_require(`
+    type initrc_tmp_t;
+    type mount_t;
+    type setfiles_t;
+    type net_conf_t;
+    type collectd_t;
+    type virt_etc_t;
+    type virt_var_run_t;
+    type virtd_exec_t;
+    type loadkeys_t;
+    type etc_t;
+    type init_t;
+    type shadow_t;
+    type passwd_file_t;
+    type systemd_localed_t;
+    type systemd_unit_file_t;
+    type policykit_t;
+')
+
+#============= collectd_t ==============
+ at COLLECTD_COMMENT@allow collectd_t passwd_file_t:file { open read };
+ at COLLECTD_COMMENT@allow collectd_t virtd_exec_t:file getattr;
+ at COLLECTD_COMMENT@allow collectd_t virt_etc_t:file read;
+ at COLLECTD_COMMENT@allow collectd_t virt_var_run_t:sock_file write;
+
+#============= systemd_localed_t ==============
+ at SYSTEMD_COMMENT@allow systemd_localed_t etc_t:file { write rename create setattr };
+ at SYSTEMD_COMMENT@allow systemd_localed_t init_t:dbus send_msg;
+ at SYSTEMD_COMMENT@allow systemd_localed_t systemd_unit_file_t:service start;
+ at SYSTEMD_COMMENT@allow systemd_localed_t ovirt_t:dbus send_msg;
+
+#============= misc ==============
+allow mount_t shadow_t:file mounton;
+allow setfiles_t net_conf_t:file read;
+allow loadkeys_t initrc_tmp_t:file read;
+allow policykit_t ovirt_t:dbus send_msg;
+
+type ovirt_t;
+type ovirt_exec_t;
+init_daemon_domain(ovirt_t, ovirt_exec_t)
+unconfined_domain(ovirt_t)
+unconfined_domain(mount_t)
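Review bot: The `gen_require` block still lists `collectd_t`, `systemd_localed_t` and `systemd_unit_file_t` unconditionally, so commenting out only the `allow` lines probably does not achieve what the commit intends. A module that requires a type the base policy does not define is normally rejected at install time, and that is exactly the RHEL / non-systemd case this change targets. The same substitutions should guard the requires, e.g. `@COLLECTD_COMMENT@    type collectd_t;`, `@SYSTEMD_COMMENT@    type systemd_localed_t;` and `@SYSTEMD_COMMENT@    type systemd_unit_file_t;` (the archive renders the leading `@` as " at "). Separately, `unconfined_domain(mount_t)` is carried over unchanged and removes SELinux confinement from every mount process; a comment stating why the narrower `allow mount_t shadow_t:file mounton;` rule is not enough would make that trade-off reviewable.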


--
To view, visit http://gerrit.ovirt.org/14844
To unsubscribe, visit http://gerrit.ovirt.org/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I7bc3339e94723639922c2458214449f14ea1cbee
Gerrit-PatchSet: 1
Gerrit-Project: ovirt-node
Gerrit-Branch: master
Gerrit-Owner: Michael Burns <mburns at redhat.com>


