Add selinux policy to allow cvmfs reading fuse fs

It fixes: cvmfs/collectd-cvmfs#5

collectd_cvmfs.te

@@ -0,0 +1,9 @@
+policy_module(collectd_cvmfs 1.0);
+
+gen_require(`
+    type collectd_t;
+    type fusefs_t;
+    class dir { read };
+')
+
+allow collectd_t fusefs_t:dir { read };

python-collectd_cvmfs.spec

@@ -14,6 +14,8 @@ BuildArch:      noarch
 BuildRequires:  python2-devel
 BuildRequires:  python2-setuptools
 
+BuildRequires:  selinux-policy-devel
+
 %description
 Collectd module for CvmFS clients
 
@@ -23,9 +25,19 @@ Summary:        %{summary}
 Requires:       python2-psutil
 Requires:       pyxattr
 Requires:       collectd
+Requires:       %{name}-selinux = %{version}-%{release}
+
 %description -n python2-%{pypi_name}
 Collectd module for CvmFS clients
 
+%package selinux
+Summary:        selinux policy for collectd cvmfs plugin
+Requires:       selinux-policy
+Requires:       policycoreutils
+
+%description selinux
+This package contains selinux rules to allow the collectd
+cvmfs plugin to read fuse file systems.
 
 %prep
 %autosetup -n collectd-cvmfs-%{version}
@@ -34,17 +46,34 @@ rm -rf %{pypi_name}.egg-info
 
 %build
 %py2_build
+make -f /usr/share/selinux/devel/Makefile collectd_cvmfs.pp
 
 %install
 %py2_install
 
+mkdir -p %{buildroot}%{_datadir}/selinux/packages/%{name}
+install -m 644 -p collectd_cvmfs.pp \
+    %{buildroot}%{_datadir}/selinux/packages/%{name}/collectd_cvmfs.pp
+
+%post selinux
+/usr/sbin/semodule -i %{_datadir}/selinux/packages/%{name}/collectd_cvmfs.pp >/dev/null 2>&1 || :
+
+%postun selinux
+if [ $1 -eq 0 ] ; then
+    /usr/sbin/semodule -r collectd_cvmfs >/dev/null 2>&1 || :
+fi
+
+
 %files -n python2-%{pypi_name}
 %doc README.rst NEWS.txt
 %license LICENSE
 %{python2_sitelib}/%{pypi_name}
 %{python2_sitelib}/%{pypi_name}-%{version}-py?.?.egg-info
 %{_prefix}/share/collectd/%{pypi_name}.db
 
+%files selinux
+%{_datadir}/selinux/packages/%{name}/collectd_cvmfs.pp
+
 %changelog
 * Wed May 30 2018 Steve Traylen <[email protected]> - 1.0.1-1 1
 - Backport to epel7