kaleb@redhat.com has uploaded this change for review.

selinux: add nfs-ganesha-selinux subpackage

Around October 2017 the ganesha developers negotiated with the
selinux team to have ganesha in nfsd_t domain with the (explicit)
understanding or belief that nfsd_t was an unconfined domain.

It turns out that nfsd_t is not actually unconfined. But consider
that samba runs, AIUI, in an unconfined domain. Samba and Ganesha
are very similar in that they are both network file system daemons
that run in user space.

The purpose of this patch is to initiate the migration of ganesha
selinux bits from the monolithic selinux-policy-targeted packages
in Fedora and RHEL to ganesha. This first patch lifts the ganesha
selinux bits (mostly*) unmodified from the RHEL 7.5 selinux package.

These will eventually be modified such that ganesha runs in an
unconfined, or nearly unconfined, domain.

For now it is enough to start the process of removing the ganesha
bits from the Fedora and RHEL packages starting with Fedora 30 and
RHEL 8.

* logging attributes are changed from /var/log/ganesha.log and
/var/log/ganesha-gfapi.log to /var/log/ganesha/*.log. RHEL is expected
to catch up in 7.6.

Change-Id: Ibafd259ae4107b28b1d1eca4fa6abf91b2aadd46
Signed-off-by: Kaleb S. KEITHLEY <kkeithle@redhat.com>
---
M src/nfs-ganesha.spec-in.cmake
A src/selinux/ganesha.fc
A src/selinux/ganesha.if
A src/selinux/ganesha.te
4 files changed, 330 insertions(+), 14 deletions(-)

git pull ssh://review.gerrithub.io:29418/ffilz/nfs-ganesha refs/changes/53/429053/1

Gerrit-Project: ffilz/nfs-ganesha
Gerrit-Branch: next
Gerrit-MessageType: newchange
Gerrit-Change-Id: Ibafd259ae4107b28b1d1eca4fa6abf91b2aadd46
Gerrit-Change-Number: 429053
Gerrit-PatchSet: 1
Gerrit-Owner: Anonymous Coward <kaleb@redhat.com>