From e5995647f8bd787cf29a0e6ad84584ba7a327d06 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luis=20Fern=C3=A1ndez=20=C3=81lvarez?= Date: Wed, 3 Oct 2018 11:12:47 +0200 Subject: [PATCH] Add selinux policy to allow cvmfs reading fuse fs It fixes: https://github.com/cvmfs/collectd-cvmfs/issues/5 --- collectd_cvmfs.te | 9 +++++++++ python-collectd_cvmfs.spec | 29 +++++++++++++++++++++++++++++ 2 files changed, 38 insertions(+) create mode 100644 collectd_cvmfs.te diff --git a/collectd_cvmfs.te b/collectd_cvmfs.te new file mode 100644 index 0000000..7a5a323 --- /dev/null +++ b/collectd_cvmfs.te @@ -0,0 +1,9 @@ +policy_module(collectd_cvmfs 1.0); + +gen_require(` + type collectd_t; + type fusefs_t; + class dir { read }; +') + +allow collectd_t fusefs_t:dir { read }; diff --git a/python-collectd_cvmfs.spec b/python-collectd_cvmfs.spec index a717edf..f09c98c 100644 --- a/python-collectd_cvmfs.spec +++ b/python-collectd_cvmfs.spec @@ -14,6 +14,8 @@ BuildArch: noarch BuildRequires: python2-devel BuildRequires: python2-setuptools +BuildRequires: selinux-policy-devel + %description Collectd module for CvmFS clients @@ -23,9 +25,19 @@ Summary: %{summary} Requires: python2-psutil Requires: pyxattr Requires: collectd +Requires: %{name}-selinux = %{version}-%{release} + %description -n python2-%{pypi_name} Collectd module for CvmFS clients +%package selinux +Summary: selinux policy for collectd cvmfs plugin +Requires: selinux-policy +Requires: policycoreutils + +%description selinux +This package contains selinux rules to allow the collectd +cvmfs plugin to read fuse file systems. %prep %autosetup -n collectd-cvmfs-%{version} 
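Review bot: The rule `allow collectd_t fusefs_t:dir { read };` in collectd_cvmfs.te is scoped by type only, so it applies to every directory labelled `fusefs_t`, not just the CVMFS mounts. FUSE mounts normally get that label by default, so other FUSE file systems on the host would become listable by the collectd domain as well. The file carries no comment recording that trade-off; I would add above the rule `# fusefs_t is the default label for FUSE mounts in general, not only /cvmfs: this grants collectd_t directory read on all of them`. It is also worth checking against the AVC denials in the linked issue that `read` is the complete set needed, since the rule grants no `open`, `getattr` or `search`.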
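Review bot: The new `%package selinux` declares plain `Requires: policycoreutils`, but the scriptlets added further down in this patch run `/usr/sbin/semodule` from `%post` and `%postun`. Scriptlet dependencies are normally declared as `Requires(post): policycoreutils` and `Requires(postun): policycoreutils`, so that rpm orders the transaction around them. Separately, `Requires: %{name}-selinux = %{version}-%{release}` in the python2 subpackage makes the policy module mandatory wherever the plugin is installed, so the `allow collectd_t fusefs_t:dir` rule cannot be opted out of. A one-line comment next to that `Requires:` saying why the dependency is hard would help the next packager.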
@@ -34,10 +46,24 @@ rm -rf %{pypi_name}.egg-info %build %py2_build +make -f /usr/share/selinux/devel/Makefile collectd_cvmfs.pp %install %py2_install +mkdir -p %{buildroot}%{_datadir}/selinux/packages/%{name} +install -m 644 -p collectd_cvmfs.pp \ + %{buildroot}%{_datadir}/selinux/packages/%{name}/collectd_cvmfs.pp + +%post selinux +/usr/sbin/semodule -i %{_datadir}/selinux/packages/%{name}/collectd_cvmfs.pp >/dev/null 2>&1 || : + +%postun selinux +if [ $1 -eq 0 ] ; then + /usr/sbin/semodule -r collectd_cvmfs >/dev/null 2>&1 || : +fi + + %files -n python2-%{pypi_name} %doc README.rst NEWS.txt %license LICENSE @@ -45,6 +71,9 @@ rm -rf %{pypi_name}.egg-info %{python2_sitelib}/%{pypi_name}-%{version}-py?.?.egg-info %{_prefix}/share/collectd/%{pypi_name}.db +%files selinux +%{_datadir}/selinux/packages/%{name}/collectd_cvmfs.pp + %changelog * Wed May 30 2018 Steve Traylen - 1.0.1-1 1 - Backport to epel7
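Review bot: In `%post selinux` the `semodule -i` call sends both output streams to /dev/null and ends in `|| :`, so a module that fails to load leaves the package installed with no trace and collectd still denied. Keeping `|| :` so the transaction survives, but dropping the redirection, would make the failure visible: `/usr/sbin/semodule -i %{_datadir}/selinux/packages/%{name}/collectd_cvmfs.pp || :`. One way such a failure could arise is that `make -f /usr/share/selinux/devel/Makefile` in `%build` compiles against whatever policy the build host carries, and nothing in the visible hunks ties the subpackage to a minimum `selinux-policy` version.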
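Review bot: `%files selinux` lists only the `.pp` file, so the directory that `%install` creates with `mkdir -p %{buildroot}%{_datadir}/selinux/packages/%{name}` is owned by no package and would be left behind on removal. Adding `%dir %{_datadir}/selinux/packages/%{name}` to the `%files selinux` section makes the subpackage own it.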