commit
e3f57d6724
@ -0,0 +1 @@
|
||||
b5c87934fa2cd6e620d6f4243c227941d774274c SOURCES/efs-utils-1.35.1.tar.gz
|
@ -0,0 +1 @@
|
||||
SOURCES/efs-utils-1.35.1.tar.gz
|
@ -0,0 +1,5 @@
|
||||
/usr/bin/amazon-efs-mount-watchdog -- gen_context(system_u:object_r:efsutils_exec_t,s0)
|
||||
|
||||
/usr/lib/systemd/system/amazon-efs-mount-watchdog.service -- gen_context(system_u:object_r:efsutils_unit_file_t,s0)
|
||||
|
||||
/var/log/amazon/efs(/.*)? gen_context(system_u:object_r:efsutils_log_t,s0)
|
@ -0,0 +1,220 @@
|
||||
|
||||
## <summary>policy for efs-utils</summary>
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute efsutils_exec_t in the efsutils domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed to transition.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`efsutils_domtrans',`
|
||||
gen_require(`
|
||||
type efsutils_t, efsutils_exec_t;
|
||||
')
|
||||
|
||||
corecmd_search_bin($1)
|
||||
domtrans_pattern($1, efsutils_exec_t, efsutils_t)
|
||||
')
|
||||
|
||||
######################################
|
||||
## <summary>
|
||||
## Execute efs-utils in the caller domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`efsutils_exec',`
|
||||
gen_require(`
|
||||
type efsutils_exec_t;
|
||||
')
|
||||
|
||||
corecmd_search_bin($1)
|
||||
can_exec($1, efsutils_exec_t)
|
||||
')
|
||||
########################################
|
||||
## <summary>
|
||||
## Read efs-utils's log files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`efsutils_read_log',`
|
||||
gen_require(`
|
||||
type efsutils_log_t;
|
||||
')
|
||||
|
||||
logging_search_logs($1)
|
||||
read_files_pattern($1, efsutils_log_t, efsutils_log_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Append to efs-utils log files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`efsutils_append_log',`
|
||||
gen_require(`
|
||||
type efsutils_log_t;
|
||||
')
|
||||
|
||||
logging_search_logs($1)
|
||||
append_files_pattern($1, efsutils_log_t, efsutils_log_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Manage efs-utils log files
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`efsutils_manage_log',`
|
||||
gen_require(`
|
||||
type efsutils_log_t;
|
||||
')
|
||||
|
||||
logging_search_logs($1)
|
||||
manage_dirs_pattern($1, efsutils_log_t, efsutils_log_t)
|
||||
manage_files_pattern($1, efsutils_log_t, efsutils_log_t)
|
||||
manage_lnk_files_pattern($1, efsutils_log_t, efsutils_log_t)
|
||||
')
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute efs-utils server in the efsutils domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed to transition.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`efsutils_systemctl',`
|
||||
gen_require(`
|
||||
type efsutils_t;
|
||||
type efsutils_unit_file_t;
|
||||
')
|
||||
|
||||
systemd_exec_systemctl($1)
|
||||
systemd_read_fifo_file_passwd_run($1)
|
||||
allow $1 efsutils_unit_file_t:file read_file_perms;
|
||||
allow $1 efsutils_unit_file_t:service manage_service_perms;
|
||||
|
||||
ps_process_pattern($1, efsutils_t)
|
||||
')
|
||||
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## All of the rules required to administrate
|
||||
## an efs-utils environment
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## Role allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`efsutils_admin',`
|
||||
gen_require(`
|
||||
type efsutils_t;
|
||||
type efsutils_log_t;
|
||||
type efsutils_unit_file_t;
|
||||
')
|
||||
|
||||
allow $1 efsutils_t:process { signal_perms };
|
||||
ps_process_pattern($1, efsutils_t)
|
||||
|
||||
tunable_policy(`deny_ptrace',`',`
|
||||
allow $1 efsutils_t:process ptrace;
|
||||
')
|
||||
|
||||
logging_search_logs($1)
|
||||
admin_pattern($1, efsutils_log_t)
|
||||
|
||||
efsutils_systemctl($1)
|
||||
admin_pattern($1, efsutils_unit_file_t)
|
||||
allow $1 efsutils_unit_file_t:service all_service_perms;
|
||||
optional_policy(`
|
||||
systemd_passwd_agent_exec($1)
|
||||
systemd_read_fifo_file_passwd_run($1)
|
||||
')
|
||||
')
|
||||
|
||||
|
||||
########################################
|
||||
#
|
||||
# Interface compatibility blocks
|
||||
#
|
||||
# The following definitions ensure compatibility with distribution policy
|
||||
# versions that do not contain given interfaces (epel, or older Fedora
|
||||
# releases).
|
||||
# Each block tests for existence of given interface and defines it if needed.
|
||||
#
|
||||
|
||||
|
||||
######################################
|
||||
## <summary>
|
||||
## Execute stunnel in the caller domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
ifndef(`stunnel_exec',`
|
||||
interface(`stunnel_exec',`
|
||||
gen_require(`
|
||||
type stunnel_exec_t;
|
||||
')
|
||||
|
||||
corecmd_search_bin($1)
|
||||
can_exec($1, stunnel_exec_t)
|
||||
')
|
||||
')
|
||||
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read unconfined domain files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
ifndef(`unconfined_read_files',`
|
||||
interface(`unconfined_read_files',`
|
||||
gen_require(`
|
||||
type unconfined_t;
|
||||
')
|
||||
|
||||
read_files_pattern($1, unconfined_t, unconfined_t)
|
||||
')
|
||||
')
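Review bot: The `unconfined_read_files` fallback passes `unconfined_t`, a domain type, as both the directory and the file type to `read_files_pattern`, so it grants read access to objects labelled `unconfined_t` itself, and the summary "Read unconfined domain files." does not make that clear. Going by the commented-out `allow efsutils_t unconfined_t:dir search;` and `unconfined_t:file { getattr open read }` rules in the policy source, this is presumably the /proc state of unconfined processes; if so, I would reword the summary to `## Read the process state (/proc/pid) of the unconfined domain.` so a later reader does not take it for a generic file-read grant. The `efsutils_systemctl` summary has a similar mismatch: it says "Execute efs-utils server in the efsutils domain." while the body grants systemctl execution and `manage_service_perms` on `efsutils_unit_file_t`, and should read `## Execute systemctl to manage the efs-utils unit.`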
|
@ -0,0 +1,75 @@
|
||||
policy_module(efsutils, 1.0.0)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Declarations
|
||||
#
|
||||
|
||||
type efsutils_t;
|
||||
type efsutils_exec_t;
|
||||
init_daemon_domain(efsutils_t, efsutils_exec_t)
|
||||
|
||||
type efsutils_log_t;
|
||||
logging_log_file(efsutils_log_t)
|
||||
|
||||
type efsutils_unit_file_t;
|
||||
systemd_unit_file(efsutils_unit_file_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# efsutils local policy
|
||||
#
|
||||
allow efsutils_t self:fifo_file rw_fifo_file_perms;
|
||||
allow efsutils_t self:unix_stream_socket create_stream_socket_perms;
|
||||
|
||||
manage_dirs_pattern(efsutils_t, efsutils_log_t, efsutils_log_t)
|
||||
manage_files_pattern(efsutils_t, efsutils_log_t, efsutils_log_t)
|
||||
manage_lnk_files_pattern(efsutils_t, efsutils_log_t, efsutils_log_t)
|
||||
logging_log_filetrans(efsutils_t, efsutils_log_t, { dir file lnk_file })
|
||||
|
||||
domain_use_interactive_fds(efsutils_t)
|
||||
|
||||
files_read_etc_files(efsutils_t)
|
||||
|
||||
miscfiles_read_localization(efsutils_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Custom policy
|
||||
#
|
||||
allow efsutils_t self:netlink_route_socket { bind create getattr nlmsg_read };
|
||||
allow efsutils_t self:process getpgid;
|
||||
allow efsutils_t self:tcp_socket { accept bind connect create getattr getopt listen setopt shutdown };
|
||||
allow efsutils_t self:unix_dgram_socket { connect create };
|
||||
|
||||
auth_read_passwd_file(efsutils_t)
|
||||
corecmd_exec_bin(efsutils_t)
|
||||
corecmd_mmap_bin_files(efsutils_t)
|
||||
corenet_tcp_bind_generic_node(efsutils_t)
|
||||
corenet_tcp_bind_generic_port(efsutils_t)
|
||||
corenet_tcp_connect_nfs_port(efsutils_t)
|
||||
dev_read_sysfs(efsutils_t)
|
||||
files_rw_pid_dirs(efsutils_t)
|
||||
fs_getattr_nfs(efsutils_t)
|
||||
fs_list_nfs(efsutils_t)
|
||||
kernel_dgram_send(efsutils_t)
|
||||
logging_create_devlog_dev(efsutils_t)
|
||||
logging_read_syslog_pid(efsutils_t)
|
||||
miscfiles_read_generic_certs(efsutils_t)
|
||||
miscfiles_search_generic_cert_dirs(efsutils_t)
|
||||
sysnet_read_config(efsutils_t)
|
||||
|
||||
# to be replaced by custom type - efsutils_var_run_t and corresponding rules
|
||||
# allow efsutils_t var_run_t:dir rmdir;
|
||||
files_delete_all_pids(efsutils_t)
|
||||
# allow efsutils_t var_run_t:file { create getattr ioctl open read rename setattr unlink write };
|
||||
files_manage_all_pids(efsutils_t)
|
||||
#allow efsutils_t unconfined_t:dir search;
|
||||
#allow efsutils_t unconfined_t:file { getattr open read };
|
||||
optional_policy(`
|
||||
unconfined_read_files(efsutils_t)
|
||||
')
|
||||
#allow efs-utils_t stunnel_exec_t:file { execute execute_no_trans map open read };
|
||||
optional_policy(`
|
||||
stunnel_exec(efsutils_t)
|
||||
')
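Review bot: `files_delete_all_pids(efsutils_t)` and `files_manage_all_pids(efsutils_t)` in the Custom policy block give the watchdog domain manage and delete access to the pid files of every service, as I read the reference-policy interfaces. That is much wider than the two commented-out `var_run_t` rules above them, and the "to be replaced by custom type - efsutils_var_run_t" comment already acknowledges it. I would declare that type now and confine the domain to it, as below. This also needs a matching file-contexts entry for the efs-utils state directory (`<EFS_STATE_DIR>(/.*)?` is a placeholder, since the path is not visible in this commit). If other domains also create files in that directory, confirm they do so under the labelled directory so the type is inherited.

```selinux
type efsutils_var_run_t;
files_pid_file(efsutils_var_run_t)

manage_dirs_pattern(efsutils_t, efsutils_var_run_t, efsutils_var_run_t)
manage_files_pattern(efsutils_t, efsutils_var_run_t, efsutils_var_run_t)
files_pid_filetrans(efsutils_t, efsutils_var_run_t, { dir file })
# ... unchanged: remaining Custom policy rules, without files_delete_all_pids and files_manage_all_pids ...
```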
|
@ -0,0 +1,227 @@
|
||||
.TH "efsutils_selinux" "8" "23-11-09" "efs-utils" "SELinux Policy efs-utils"
|
||||
.SH "NAME"
|
||||
efsutils_selinux \- Security Enhanced Linux Policy for the efs-utils processes
|
||||
.SH "DESCRIPTION"
|
||||
|
||||
Security-Enhanced Linux secures the efs-utils processes via flexible mandatory access control.
|
||||
|
||||
The efs-utils processes execute with the efsutils_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
|
||||
|
||||
For example:
|
||||
|
||||
.B ps -eZ | grep efsutils_t
|
||||
|
||||
|
||||
.SH "ENTRYPOINTS"
|
||||
|
||||
The efsutils_t SELinux type can be entered via the \fBefsutils_exec_t\fP file type.
|
||||
|
||||
The default entrypoint paths for the efsutils_t domain are the following:
|
||||
|
||||
/usr/bin/amazon-efs-mount-watchdog
|
||||
.SH PROCESS TYPES
|
||||
SELinux defines process types (domains) for each process running on the system
|
||||
.PP
|
||||
You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
|
||||
.PP
|
||||
Policy governs the access confined processes have to files.
|
||||
SELinux efs-utils policy is very flexible allowing users to setup their efs-utils processes in as secure a method as possible.
|
||||
.PP
|
||||
The following process types are defined for efs-utils:
|
||||
|
||||
.EX
|
||||
.B efsutils_t
|
||||
.EE
|
||||
.PP
|
||||
Note:
|
||||
.B semanage permissive -a efsutils_t
|
||||
can be used to make the process type efsutils_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated.
|
||||
|
||||
.SH BOOLEANS
|
||||
SELinux policy is customizable based on least access required. efs-utils policy is extremely flexible and has several booleans that allow you to manipulate the policy and run efs-utils with the tightest access possible.
|
||||
|
||||
|
||||
.PP
|
||||
If you want to dontaudit all daemons scheduling requests (setsched, sys_nice), you must turn on the daemons_dontaudit_scheduling boolean. Enabled by default.
|
||||
|
||||
.EX
|
||||
.B setsebool -P daemons_dontaudit_scheduling 1
|
||||
|
||||
.EE
|
||||
|
||||
.PP
|
||||
If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default.
|
||||
|
||||
.EX
|
||||
.B setsebool -P fips_mode 1
|
||||
|
||||
.EE
|
||||
|
||||
.SH "MANAGED FILES"
|
||||
|
||||
The SELinux process type efsutils_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
|
||||
|
||||
.br
|
||||
.B cluster_conf_t
|
||||
|
||||
/etc/cluster(/.*)?
|
||||
.br
|
||||
|
||||
.br
|
||||
.B cluster_var_lib_t
|
||||
|
||||
/var/lib/pcsd(/.*)?
|
||||
.br
|
||||
/var/lib/cluster(/.*)?
|
||||
.br
|
||||
/var/lib/openais(/.*)?
|
||||
.br
|
||||
/var/lib/pengine(/.*)?
|
||||
.br
|
||||
/var/lib/corosync(/.*)?
|
||||
.br
|
||||
/usr/lib/heartbeat(/.*)?
|
||||
.br
|
||||
/var/lib/heartbeat(/.*)?
|
||||
.br
|
||||
/var/lib/pacemaker(/.*)?
|
||||
.br
|
||||
|
||||
.br
|
||||
.B cluster_var_run_t
|
||||
|
||||
/var/run/crm(/.*)?
|
||||
.br
|
||||
/var/run/cman_.*
|
||||
.br
|
||||
/var/run/rsctmp(/.*)?
|
||||
.br
|
||||
/var/run/aisexec.*
|
||||
.br
|
||||
/var/run/heartbeat(/.*)?
|
||||
.br
|
||||
/var/run/pcsd-ruby.socket
|
||||
.br
|
||||
/var/run/corosync-qnetd(/.*)?
|
||||
.br
|
||||
/var/run/corosync-qdevice(/.*)?
|
||||
.br
|
||||
/var/run/corosync\.pid
|
||||
.br
|
||||
/var/run/cpglockd\.pid
|
||||
.br
|
||||
/var/run/rgmanager\.pid
|
||||
.br
|
||||
/var/run/cluster/rgmanager\.sk
|
||||
.br
|
||||
|
||||
.br
|
||||
.B efsutils_log_t
|
||||
|
||||
/var/log/amazon/efs(/.*)?
|
||||
.br
|
||||
|
||||
.br
|
||||
.B root_t
|
||||
|
||||
/sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
|
||||
.br
|
||||
/
|
||||
.br
|
||||
/initrd
|
||||
.br
|
||||
|
||||
.br
|
||||
.B var_run_t
|
||||
|
||||
/run/.*
|
||||
.br
|
||||
/var/run/.*
|
||||
.br
|
||||
/run
|
||||
.br
|
||||
/var/run
|
||||
.br
|
||||
/var/run
|
||||
.br
|
||||
/var/spool/postfix/pid
|
||||
.br
|
||||
|
||||
.SH FILE CONTEXTS
|
||||
SELinux requires files to have an extended attribute to define the file type.
|
||||
.PP
|
||||
You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
|
||||
.PP
|
||||
Policy governs the access confined processes have to these files.
|
||||
SELinux efs-utils policy is very flexible allowing users to setup their efs-utils processes in as secure a method as possible.
|
||||
.PP
|
||||
|
||||
.PP
|
||||
.B STANDARD FILE CONTEXT
|
||||
|
||||
SELinux defines the file context types for the efs-utils, if you wanted to
|
||||
store files with these types in a different paths, you need to execute the semanage command to specify alternate labeling and then use restorecon to put the labels on disk.
|
||||
|
||||
.B semanage fcontext -a -t efsutils_exec_t '/srv/efs-utils/content(/.*)?'
|
||||
.br
|
||||
.B restorecon -R -v /srv/myefs-utils_content
|
||||
|
||||
Note: SELinux often uses regular expressions to specify labels that match multiple files.
|
||||
|
||||
.I The following file types are defined for efs-utils:
|
||||
|
||||
|
||||
.EX
|
||||
.PP
|
||||
.B efsutils_exec_t
|
||||
.EE
|
||||
|
||||
- Set files with the efsutils_exec_t type, if you want to transition an executable to the efsutils_t domain.
|
||||
|
||||
|
||||
.EX
|
||||
.PP
|
||||
.B efsutils_log_t
|
||||
.EE
|
||||
|
||||
- Set files with the efsutils_log_t type, if you want to treat the data as efs-utils log data, usually stored under the /var/log directory.
|
||||
|
||||
|
||||
.EX
|
||||
.PP
|
||||
.B efsutils_unit_file_t
|
||||
.EE
|
||||
|
||||
- Set files with the efsutils_unit_file_t type, if you want to treat the files as efs-utils unit content.
|
||||
|
||||
|
||||
.PP
|
||||
Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
|
||||
.B semanage fcontext
|
||||
command. This will modify the SELinux labeling database. You will need to use
|
||||
.B restorecon
|
||||
to apply the labels.
|
||||
|
||||
.SH "COMMANDS"
|
||||
.B semanage fcontext
|
||||
can also be used to manipulate default file context mappings.
|
||||
.PP
|
||||
.B semanage permissive
|
||||
can also be used to manipulate whether or not a process type is permissive.
|
||||
.PP
|
||||
.B semanage module
|
||||
can also be used to enable/disable/install/remove policy modules.
|
||||
|
||||
.B semanage boolean
|
||||
can also be used to manipulate the booleans
|
||||
|
||||
.PP
|
||||
.B system-config-selinux
|
||||
is a GUI tool available to customize SELinux policy settings.
|
||||
|
||||
.SH AUTHOR
|
||||
This manual page was auto-generated using
|
||||
.B "sepolicy manpage".
|
||||
|
||||
.SH "SEE ALSO"
|
||||
selinux(8), efsutils(8), semanage(8), restorecon(8), chcon(1), sepolicy(8), setsebool(8)
|
@ -0,0 +1,57 @@
|
||||
From 36ab2ad0d4fff5a5c44369a2322b76fd17707621 Mon Sep 17 00:00:00 2001
|
||||
From: Major Hayden <major@redhat.com>
|
||||
Date: Wed, 15 Nov 2023 10:55:57 -0600
|
||||
Subject: [PATCH] Fix utcnow() deprecation warning
|
||||
|
||||
Fixes: #187
|
||||
|
||||
Signed-off-by: Major Hayden <major@redhat.com>
|
||||
---
|
||||
src/mount_efs/__init__.py | 4 ++--
|
||||
src/watchdog/__init__.py | 4 ++--
|
||||
2 files changed, 4 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/src/mount_efs/__init__.py b/src/mount_efs/__init__.py
|
||||
index 0e9dd20..fec8de5 100755
|
||||
--- a/src/mount_efs/__init__.py
|
||||
+++ b/src/mount_efs/__init__.py
|
||||
@@ -47,7 +47,7 @@
|
||||
import threading
|
||||
import time
|
||||
from contextlib import contextmanager
|
||||
-from datetime import datetime, timedelta
|
||||
+from datetime import datetime, timedelta, timezone
|
||||
from logging.handlers import RotatingFileHandler
|
||||
|
||||
try:
|
||||
@@ -2333,7 +2333,7 @@ def get_utc_now():
|
||||
"""
|
||||
Wrapped for patching purposes in unit tests
|
||||
"""
|
||||
- return datetime.utcnow()
|
||||
+ return datetime.now(timezone.utc)
|
||||
|
||||
|
||||
def assert_root():
|
||||
diff --git a/src/watchdog/__init__.py b/src/watchdog/__init__.py
|
||||
index c3d76e3..28c3bbb 100755
|
||||
--- a/src/watchdog/__init__.py
|
||||
+++ b/src/watchdog/__init__.py
|
||||
@@ -25,7 +25,7 @@
|
||||
import time
|
||||
from collections import namedtuple
|
||||
from contextlib import contextmanager
|
||||
-from datetime import datetime, timedelta
|
||||
+from datetime import datetime, timedelta, timezone
|
||||
from logging.handlers import RotatingFileHandler
|
||||
from signal import SIGHUP, SIGKILL, SIGTERM
|
||||
|
||||
@@ -2229,7 +2229,7 @@ def get_utc_now():
|
||||
"""
|
||||
Wrapped for patching purposes in unit tests
|
||||
"""
|
||||
- return datetime.utcnow()
|
||||
+ return datetime.now(timezone.utc)
|
||||
|
||||
|
||||
def check_process_name(pid):
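Review bot: `get_utc_now()` now returns a timezone-aware datetime in both `src/mount_efs/__init__.py` and `src/watchdog/__init__.py`, where `datetime.utcnow()` returned a naive one, and Python raises `TypeError` when an aware value is compared with or subtracted from a naive one. The callers are outside these hunks, so it cannot be checked here whether any of them mixes the result with a naive value, for example one parsed with `datetime.strptime`. If one does, the failure would surface in time-based logic at runtime rather than at build time, because the spec builds with `%bcond_with tests`. Either confirm that every caller handles aware values, or keep the old return contract with `return datetime.now(timezone.utc).replace(tzinfo=None)`.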
|
@ -0,0 +1,228 @@
|
||||
# RHEL 9 does not include pytest-mock.
|
||||
%bcond_with tests
|
||||
%global with_selinux 1
|
||||
%global selinuxtype targeted
|
||||
%global modulename efsutils
|
||||
%global watchdog_service_name amazon-efs-mount-watchdog
|
||||
|
||||
Name: efs-utils
|
||||
Version: 1.35.1
|
||||
Release: 7%{?dist}
|
||||
Summary: Utilities for Amazon Elastic File System (EFS)
|
||||
|
||||
License: MIT
|
||||
URL: https://github.com/aws/efs-utils
|
||||
Source0: %{url}/archive/v%{version}/%{name}-%{version}.tar.gz
|
||||
|
||||
Source1: efsutils.te
|
||||
Source2: efsutils.if
|
||||
Source3: efsutils.fc
|
||||
Source4: efsutils_selinux.8
|
||||
|
||||
# Patch a deprecation warning to avoid having it fill the logs.
|
||||
# https://github.com/aws/efs-utils/pull/189
|
||||
Patch: fix-deprecation-warning.patch
|
||||
|
||||
BuildArch: noarch
|
||||
|
||||
Requires: nfs-utils
|
||||
Requires: openssl
|
||||
Requires: stunnel
|
||||
Requires: util-linux
|
||||
Requires: which
|
||||
Requires: python3dist(botocore)
|
||||
|
||||
%if 0%{?with_selinux}
|
||||
Requires: (%{name}-selinux if selinux-policy-%{selinuxtype})
|
||||
%endif
|
||||
|
||||
BuildRequires: python3-devel
|
||||
BuildRequires: systemd-rpm-macros
|
||||
|
||||
%if %{with tests}
|
||||
BuildRequires: python3dist(botocore)
|
||||
BuildRequires: python3dist(pytest)
|
||||
BuildRequires: python3dist(pytest-mock)
|
||||
%endif
|
||||
|
||||
%global _description %{expand:
|
||||
Utilities for Amazon Elastic File System (EFS).}
|
||||
|
||||
%description %{_description}
|
||||
|
||||
%if 0%{?with_selinux}
|
||||
# SELinux subpackage
|
||||
%package selinux
|
||||
Summary: %{name} SELinux policy
|
||||
Requires: %{name} = %{version}-%{release}
|
||||
Requires: selinux-policy-%{selinuxtype}
|
||||
Requires(post): selinux-policy-%{selinuxtype}
|
||||
BuildRequires: selinux-policy-devel
|
||||
%{?selinux_requires}
|
||||
|
||||
%description selinux
|
||||
Custom %{name} SELinux policy module
|
||||
%endif
|
||||
|
||||
%prep
|
||||
%autosetup -n %{name}-%{version} -p1
|
||||
|
||||
# Use unittest.mock for testing.
|
||||
sed -i 's/from mock/from unittest.mock/' test/common.py
|
||||
|
||||
%build
|
||||
echo "Nothing to build"
|
||||
|
||||
# Disable the automatic version checking.
|
||||
sed -i 's/enable_version_check = true/enable_version_check = false/' dist/efs-utils.conf
|
||||
|
||||
%if 0%{?with_selinux}
|
||||
mkdir selinux
|
||||
cp -p %{SOURCE1} selinux/
|
||||
cp -p %{SOURCE2} selinux/
|
||||
cp -p %{SOURCE3} selinux/
|
||||
cp -p %{SOURCE4} selinux/
|
||||
|
||||
%make_build -f %{_datadir}/selinux/devel/Makefile %{modulename}.pp
|
||||
bzip2 -9 %{modulename}.pp
|
||||
%endif
|
||||
|
||||
|
||||
%install
|
||||
# Watchdog service unit file.
|
||||
install -m 0755 -vd %{buildroot}%{_unitdir}
|
||||
install -vp -m 644 dist/%{watchdog_service_name}.service %{buildroot}%{_unitdir}/
|
||||
|
||||
# Watchdog service itself.
|
||||
install -m 0755 -vd %{buildroot}%{_bindir}
|
||||
install -vp -m 755 src/watchdog/__init__.py %{buildroot}%{_bindir}/amazon-efs-mount-watchdog
|
||||
|
||||
# Configuration files and Amazon root certificates.
|
||||
install -m 0755 -vd %{buildroot}%{_sysconfdir}/amazon/efs/
|
||||
install -vp -m 644 dist/%{name}.conf %{buildroot}%{_sysconfdir}/amazon/efs/
|
||||
install -vp -m 444 dist/%{name}.crt %{buildroot}%{_sysconfdir}/amazon/efs/
|
||||
|
||||
# mount.efs script allows mounting EFS file systems by their short name.
|
||||
install -m 0755 -vd %{buildroot}%{_sbindir}
|
||||
install -vp -m 755 src/mount_efs/__init__.py %{buildroot}%{_sbindir}/mount.efs
|
||||
|
||||
# Man page.
|
||||
install -m 0755 -vd %{buildroot}%{_mandir}/man8/
|
||||
install -vp -m 644 man/mount.efs.8 %{buildroot}%{_mandir}/man8/
|
||||
|
||||
# Log directory.
|
||||
install -m 0755 -vd %{buildroot}%{_localstatedir}/log/amazon/efs
|
||||
|
||||
%if 0%{?with_selinux}
|
||||
install -D -m 0644 -t %{buildroot}%{_mandir}/man8 selinux/%{modulename}_selinux.8
|
||||
install -D -m 0644 %{modulename}.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2
|
||||
install -D -p -m 0644 selinux/%{modulename}.if %{buildroot}%{_datadir}/selinux/devel/include/distributed/%{modulename}.if
|
||||
%endif
|
||||
|
||||
|
||||
%if %{with tests}
|
||||
%check
|
||||
# Avoid running tests with coverage enabled.
|
||||
touch pytest.ini
|
||||
|
||||
# Ignore some tests that require networking and get stuck forever.
|
||||
# Also skip a broken version check test: https://github.com/aws/efs-utils/issues/194
|
||||
PYTHONPATH=$(pwd)/src %pytest \
|
||||
--ignore test/mount_efs_test/test_main.py \
|
||||
--ignore test/mount_efs_test/test_bootstrap_tls.py \
|
||||
--ignore test/mount_efs_test/test_create_self_signed_cert.py \
|
||||
--ignore test/watchdog_test/test_refresh_self_signed_certificate.py \
|
||||
-k "not test_version_check_ready"
|
||||
%endif
|
||||
|
||||
|
||||
########################################################################################
|
||||
#
|
||||
# BEGIN SELINUX PRE/POST
|
||||
#
|
||||
# SELinux contexts are saved so that only affected files can be
|
||||
# relabeled after the policy module installation
|
||||
%if 0%{?with_selinux}
|
||||
%pre selinux
|
||||
%selinux_relabel_pre -s %{selinuxtype}
|
||||
|
||||
%post selinux
|
||||
%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2
|
||||
%selinux_relabel_post -s %{selinuxtype}
|
||||
|
||||
if [ "$1" -le "1" ]; then # First install
|
||||
%systemd_postun_with_restart %{watchdog_service_name}.service
|
||||
fi
|
||||
|
||||
%postun selinux
|
||||
if [ $1 -eq 0 ]; then
|
||||
%selinux_modules_uninstall -s %{selinuxtype} %{modulename}
|
||||
%selinux_relabel_post -s %{selinuxtype}
|
||||
%systemd_postun_with_restart %{watchdog_service_name}.service
|
||||
fi
|
||||
%endif
|
||||
########################################################################################
|
||||
|
||||
|
||||
%files -n %{name}
|
||||
%license LICENSE
|
||||
%doc CONTRIBUTING.md README.md
|
||||
%dir /var/log/amazon/efs
|
||||
%dir %{_sysconfdir}/amazon
|
||||
%dir %{_sysconfdir}/amazon/efs
|
||||
%config(noreplace) %{_sysconfdir}/amazon/efs/efs-utils.conf
|
||||
%{_unitdir}/%{watchdog_service_name}.service
|
||||
%{_sysconfdir}/amazon/efs/efs-utils.crt
|
||||
%{_sbindir}/mount.efs
|
||||
%{_bindir}/amazon-efs-mount-watchdog
|
||||
%{_mandir}/man8/mount.efs.8*
|
||||
|
||||
|
||||
%if 0%{?with_selinux}
|
||||
%files selinux
|
||||
%{_mandir}/man8/%{modulename}_selinux.8.*
|
||||
%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.*
|
||||
%{_datadir}/selinux/devel/include/distributed/%{modulename}.if
|
||||
%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename}
|
||||
%endif
|
||||
|
||||
|
||||
%post
|
||||
%systemd_post %{watchdog_service_name}.service
|
||||
|
||||
%preun
|
||||
%systemd_preun %{watchdog_service_name}.service
|
||||
|
||||
%postun
|
||||
%systemd_postun_with_restart %{watchdog_service_name}.service
|
||||
|
||||
%changelog
|
||||
* Thu Mar 28 2024 MSVSphere Packaging Team <packager@msvsphere-os.ru> - 1.35.1-7
|
||||
- Rebuilt for MSVSphere 9.4 beta
|
||||
|
||||
* Fri Jan 19 2024 Felix Kolwa <fkolwa@redhat.com> - 1.35.1-7
|
||||
- Bump revision number to 7.
|
||||
- Pull in changes from Major Hayden:
|
||||
- Skip version check test
|
||||
Opened upstream bug:
|
||||
https://github.com/aws/efs-utils/issues/194
|
||||
- Disable automatic version check
|
||||
|
||||
* Mon Jan 08 2024 Felix Kolwa <fkolwa@redhat.com> - 1.35.0-6
|
||||
- Bump revision number to 6.
|
||||
|
||||
* Thu Dec 07 2023 Felix Kolwa <fkolwa@redhat.com> - 1.35.0-5
|
||||
- Bump release to 5 to include selinux-policy-targeted-38.1.28-1 release.
|
||||
|
||||
* Fri Nov 17 2023 fkolwa <fkolwa@redhat.com> - 1.35.0-4
|
||||
- Refactor watchdog service name
|
||||
|
||||
* Wed Nov 15 2023 Major Hayden <major@redhat.com> - 1.35.0-3
|
||||
- Added deprecation warning patch.
|
||||
- Added SELinux policies. (RHEL-14154)
|
||||
|
||||
* Tue Oct 10 2023 Major Hayden <major@redhat.com> - 1.35.0-2
|
||||
- Add patch for ignoring the fsap option.
|
||||
|
||||
* Tue Sep 05 2023 Major Hayden <major@redhat.com> - 1.31.38-1
|
||||
- Initial package for version 1.31.38
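Review bot: In `%postun selinux` the call to `%systemd_postun_with_restart` sits inside `if [ $1 -eq 0 ]`, but as far as I know that macro only acts when `$1 -ge 1`, so it never fires and the watchdog is not restarted after the policy module is removed. `%post selinux` uses the same postun macro under `[ "$1" -le "1" ]` with the comment "First install", so an upgrade of the policy subpackage depends on the main package's `%postun` to restart the service under the newly loaded policy. If a restart after module install or removal is intended, state that in a comment and call `systemctl try-restart %{watchdog_service_name}.service || :` directly in both scriptlets; otherwise drop the dead call from `%postun selinux`.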
|