Re: Managing SELinux in the Enterprise

Here is the patch that has sped up the installation of selinux policy 10
times for openstack.

If you are making lots of changes to selinux policy, you should always
use a transaction.


On 10/17/2014 03:18 PM, Daniel J Walsh wrote:
> Ryan can you attach the openstack-selinux.spec file we worked on a couple
> of weeks ago.  Or give us a link where you can find it.
>
>
> On 10/13/2014 08:33 AM, Lukas Zapletal wrote:
>>> The openstack-selinux rpm package has a bunch of operations being done
>>> within a transaction, including setting network ports, booleans and
>>> default file labeling.
>> Dan, would you mind sharing the URL/git repo link? I was only able to
>> find the policy itself, I'd like to see the SPEC file. I don't see any
>> content in the fedora distgit.
>>
>> We (the Satellite 6 / Foreman team) take several approaches, which were
>> initially inspired by Satellite 5 / Spacewalk. We also put things into
>> transactions and stuff. I'd like to compare with OpenStack if we can
>> improve.
>>
>> https://github.com/theforeman/foreman-selinux
>>
>> Thanks!
>>

diff --git a/openstack-selinux.spec b/openstack-selinux.spec
index 30bbc24..7ade6b7 100644
--- a/openstack-selinux.spec
+++ b/openstack-selinux.spec
@@ -78,52 +78,27 @@ install -m 0755 tests/check_all %{buildroot}%{_datadir}/%{name}/%{version}/tests
 #
 # Install all modules in a single transaction
 #
-%_format MODULES %{_datadir}/selinux/packages/$x.pp.bz2
-%{_sbindir}/semodule -n -s %{selinuxtype} -i $MODULES
+
+%{_sbindir}/semanage port -a -t amqp_port_t -p tcp 15672 &> /dev/null
+
+echo "
+port -m -t mysqld_port_t -p tcp 4444
+boolean -m --on virt_use_fusefs
+boolean -m --on glance_use_fusefs
+boolean -m --on haproxy_connect_any
+boolean -m --on nis_enabled
+boolean -m --on haproxy_connect_any
+boolean -m --on rsync_full_access
+boolean -m --on rsync_client
+boolean -m --on virt_use_execmem
+fcontext -a -t neutron_exec_t %{_bindir}/neutron-metadata-agent
+fcontext -a -t neutron_exec_t %{_bindir}/neutron-netns-cleanup
+fcontext -a -t neutron_exec_t %{_bindir}/neutron-ns-metadata-proxy" > /run/openstack_selinux.txt
+for x in %{modulenames}; do echo module -a %{_datadir}/selinux/packages/$x.pp.bz2; done >> /run/openstack_selinux.txt
+%{_sbindir}/semanage -S targeted -i  /run/openstack_selinux.txt
 
 if %{_sbindir}/selinuxenabled ; then
 	%{_sbindir}/load_policy
-
-	# bz#1107873
-	%{_sbindir}/semanage port -a -t amqp_port_t -p tcp 15672 &> /dev/null
-
-	# bz#1118859
-	%{_sbindir}/semanage port -m -t mysqld_port_t -p tcp 4444
-
-	# bz#1052971 - this should be handled by puppet, though
-	%{_sbindir}/setsebool -P virt_use_fusefs on
-
-	# bz#1111990 & 1083609
-	%{_sbindir}/setsebool -P glance_use_fusefs on
-
-	# bz#1108937
-	%{_sbindir}/setsebool -P haproxy_connect_any on
-
-	# bz#1112631
-	%{_sbindir}/setsebool -P nis_enabled on
-
-	# bz#1114581
-	%{_sbindir}/setsebool -P haproxy_connect_any on
-
-	# bz#1119400
-	%{_sbindir}/setsebool -P glance_use_execmem on
-
-	# bz#1135637
-	%{_sbindir}/setsebool -P rsync_full_access on
-
-	# bz#1135637
-	%{_sbindir}/setsebool -P rsync_client on
-
-	# bz#1119845
-	%{_sbindir}/setsebool -P virt_use_execmem on
-
-	# bz#1130212
-	%{_sbindir}/setsebool -P glance_use_execmem on
-
-	# bz#1110263
-	%{_sbindir}/semanage fcontext -a -t neutron_exec_t %{_bindir}/neutron-metadata-agent
-	%{_sbindir}/semanage fcontext -a -t neutron_exec_t %{_bindir}/neutron-netns-cleanup
-	%{_sbindir}/semanage fcontext -a -t neutron_exec_t %{_bindir}/neutron-ns-metadata-proxy
 	%relabel_files
 fi
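Review bot: the new transaction silently drops `glance_use_execmem`, which the removed block set twice (bz#1119400 and bz#1130212); unless that boolean is no longer needed, add `boolean -m --on glance_use_execmem` to the echo list, and while there remove the duplicated `boolean -m --on haproxy_connect_any` line. Two smaller points: `semanage -S targeted -i` hardcodes the policy store where the removed `semodule` call used `-s %{selinuxtype}`, so the two should agree; and the per-line `# bz#NNNNNNN` references that documented why each port, boolean and fcontext exists are lost, so carry them into a spec comment above the echo. Finally, the exit status of the `semanage -i` batch is ignored and /run/openstack_selinux.txt is left behind after %post; check the return code and remove the file, otherwise a single failing line in the transaction goes unnoticed, and the separate `port -a ... 15672` line still runs outside the batch with its output discarded, which hides any failure there as well.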
 
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
