+++ This bug was initially created as a clone of Bug #1190201 +++

Description of problem:
Calamari currently does not support SELinux and we advise people to turn it off in order to get Calamari to run.

Version-Release number of selected component (if applicable):
calamari-server-1.2.3-5.el7cp
calamari-server-1.2.3-5.el6cp

How reproducible:
Always

Steps to Reproduce:
1. Install calamari with SELinux in Permissive mode
2. Try to connect to the web server
3.

Actual results:
500: Internal Server Error

Expected results:
Everything works fine.

Additional info:
I have already been able to make calamari support SELinux in rhel 7 and the code is in a private branch private-branto-wip-rhel-7-selinux of calamari-server dist-git repo. The solution is to load a custom SELinux policy module for calamari-server and enable it in post script together with two SELinux booleans -- the patch does not touch any actual calamari-server source code.

--- Additional comment from Boris Ranto on 2015-02-06 11:19:06 EST ---

I really think that we should make this happen for 1.2.3 release. Telling customers to turn SELinux off to run a service/app is rather hypocritical from Red Hat...

btw: Test el7 scratch build with fixed SELinux issues: https://brewweb.devel.redhat.com/taskinfo?taskID=8702541

--- Additional comment from Boris Ranto on 2015-02-06 11:26:36 EST ---

CC'ing Dan Mick

@Dan: Was there a reason why you didn't run calamari-ctl initialize in post script? Based on my testing it worked just fine.

The url to private branch with the changes:
http://pkgs.devel.redhat.com/cgit/rpms/calamari-server/tree/?h=private-branto-wip-rhel-7-selinux

--- Additional comment from Dan Mick on 2015-02-06 13:56:30 EST ---

It requires user interaction, and enables services, both of which are inappropriate automatic package behavior. But what has that got to do with SELinux?

--- Additional comment from Boris Ranto on 2015-02-06 16:39:13 EST ---

I had to restart httpd and probably also salt-master after I ran calamari-ctl to make this work. Otherwise I got errors from httpd about missing private key.

Hmm, right, I almost forgot that it queries for a username, e-mail and a password. Maybe we could set up a default username and password and then tell the users to change it?

--- Additional comment from Dan Mick on 2015-02-06 17:11:21 EST ---

Fedora policy absolutely prohibits starting services as a result of package install, and in general I think it's a good idea to avoid. It's a separate step on purpose.

--- Additional comment from Boris Ranto on 2015-02-06 17:17:25 EST ---

Hmm, I was looking at the code and it looks like calamari-ctl should probably restart the services on its own, but the problem is probably related to this line in /opt/calamari/salt-local/services.sls:

{% if grains['os'] == 'RedHat' and grains['osrelease'] == '7.0' %}

I was running this on 7.1 pre-release so it probably fell back to upstart and did not actually restart the services. If that is indeed the case then there is no need to run calamari-ctl in post script.

I'm not sure what syntax the sls files support in {% %} but it looks like python. Can we use grains['osrelease'].startswith('7.') there instead?

btw: The same goes for postgres.sls.

--- Additional comment from Dan Mick on 2015-02-06 17:19:16 EST ---

Good point. I suspect there are a number of places to check that we're not testing for 7.0 exactly.

--- Additional comment from Neil Levine on 2015-02-06 17:28:00 EST ---

Absolutely not a blocker for 1.2.3. We don't have SELinux support for Ceph so not having it for Calamari is fine.

--- Additional comment from Boris Ranto on 2015-02-06 17:45:59 EST ---

Yeah, I'm not saying it is supposed to be a blocker but I think that if we can get this to work in time then we should include the fix into the release.

btw: What issues does Ceph have with SELinux? AFAIK, Dan already fixed the execstack issue although I'm not sure if it made it into 0.80.8 release.

--- Additional comment from Ken Dreyer (Red Hat) on 2015-02-09 10:25:54 EST ---

(In reply to Boris Ranto from comment #9)
> btw: What issues does Ceph have with SELinux? AFAIK, Dan already fixed the
> execstack issue although I'm not sure if it made it into 0.80.8 release.

I verified that it did get merged in time for 0.80.8. It's this commit on upstream's firefly branch: 01faf1356f648ded9acda02e7cc67c1adb9e9ee3

I don't know if this is the only SELinux issue with Ceph itself. Upstream has never run tests with SELinux enabled as far as I know. It sounds like something we'll want to fix in 1.3.

--- Additional comment from Boris Ranto on 2015-02-09 10:34:45 EST ---

I've played with this a bit more and my issues were not caused by SELinux. The issue was that calamari-ctl did not try to restart the services but only issued systemctl start <service> which (if the process is already running) does precisely nothing. After I patched the .sls files to call systemctl restart everything went as expected, so rhel 7 Calamari SELinux support is ready.

btw: The syntax for conditions in sls files is indeed pythonic and .startswith() works just fine there. We can track that issue in a separate bz.

btw2: Yeah, I checked the git logs as well and the execstack patch is in fact in 0.80.8 release so Ceph should play nicely with SELinux in Red Velvet. I am not aware of any other problems with SELinux regarding Ceph. It would be nice if this got properly tested though, at least for 1.3 release.
This bugzilla is for the issue where 7.0 rhel release is hard-coded in some places in calamari. FWIW: Naively grepping calamari-server sources I could only see the 7.0 release in the .sls files.
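The thread above pins the bug down to two things: an exact-match `grains['osrelease'] == '7.0'` condition in the .sls files that is false on 7.1 (so the state falls back to the upstart branch), and a `systemctl start` that is a no-op when the service is already running. The following is an added example, not code from the Calamari project or from anyone in this thread; it models that decision in plain Python so the fragile check, the `.startswith('7.')` fix suggested in the thread, and a major-version comparison can be compared side by side. The grain dictionaries and service names are constructed sample data, and the function names are my own.

```python
"""Added example: choosing an init system from Salt grains without hard-coding '7.0'.

The .sls line quoted in the thread is:

    {% if grains['os'] == 'RedHat' and grains['osrelease'] == '7.0' %}

The thread's proposed replacement (startswith works in sls Jinja blocks) is:

    {% if grains['os'] == 'RedHat' and grains['osrelease'].startswith('7.') %}

Below, each variant is a Python predicate over a grains dict so they can be
exercised against 7.0, 7.1, 6.6 and a bare '7'.  RHEL 7 and later use systemd.
"""
from typing import Dict, List, Optional


def major_version(osrelease: str) -> Optional[int]:
    """Parse the major number from an 'osrelease' grain ('7.1' -> 7, '7' -> 7).

    Returns None for anything unparsable so callers can fail closed (and fall
    back to a documented default) instead of silently picking a branch.
    """
    head = osrelease.strip().split(".", 1)[0]
    return int(head) if head.isdigit() else None


def uses_systemd_exact(grains: Dict[str, str]) -> bool:
    """The check as written in services.sls: true only on exactly 7.0."""
    return grains.get("os") == "RedHat" and grains.get("osrelease") == "7.0"


def uses_systemd_prefix(grains: Dict[str, str]) -> bool:
    """The fix suggested in the thread: any release whose string starts with '7.'.

    Note it still misses a bare '7' grain, which some platforms report.
    """
    return grains.get("os") == "RedHat" and grains.get("osrelease", "").startswith("7.")


def uses_systemd(grains: Dict[str, str]) -> bool:
    """Major-version comparison: RedHat with major >= 7 means systemd."""
    if grains.get("os") != "RedHat":
        return False
    major = major_version(grains.get("osrelease", ""))
    return major is not None and major >= 7


def service_restart_command(service: str, grains: Dict[str, str]) -> List[str]:
    """Build the command that actually restarts a service.

    The thread found that 'systemctl start' does nothing if the unit is already
    running, so after calamari-ctl rewrites config the state must use 'restart'.
    On the non-systemd branch the SysV/upstart wrapper is used.
    """
    if uses_systemd(grains):
        return ["systemctl", "restart", service]
    return ["service", service, "restart"]


def compare_checks(osrelease: str) -> Dict[str, bool]:
    """Evaluate all three predicates for a RedHat host with the given release."""
    grains = {"os": "RedHat", "osrelease": osrelease}
    return {
        "exact_7.0": uses_systemd_exact(grains),
        "startswith_7.": uses_systemd_prefix(grains),
        "major_ge_7": uses_systemd(grains),
    }


if __name__ == "__main__":
    # Constructed sample releases, including the 7.1 pre-release from the thread.
    for rel in ("7.0", "7.1", "7", "6.6"):
        print(rel, compare_checks(rel))
    # Commands the state would run for httpd and salt-master on a 7.1 host.
    host = {"os": "RedHat", "osrelease": "7.1"}
    for svc in ("httpd", "salt-master"):
        print(" ".join(service_restart_command(svc, host)))
```

Running it shows the exact-match predicate is false for every release except 7.0, which is why the 7.1 pre-release took the upstart path; the prefix and major-version predicates agree on 7.x, and the major-version form also handles a bare `7`.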
The scope of this bug is not entirely clear to me. Should this block the Red Velvet release?
need to add to errata
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2015:0714