cluster: improve SELinux compatibility

pingcap · Jan 21, 2025 · 9b094d0 · 9b094d0
1 parent 0791a28
commit 9b094d0
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 0 deletions.
diff --git a/pkg/cluster/spec/instance.go b/pkg/cluster/spec/instance.go
@@ -224,6 +224,15 @@ func (i *BaseInstance) InitConfig(ctx context.Context, e ctxt.Executor, opt Glob
 		return errors.Annotatef(err, "execute: %s", cmd)
 	}
 
+	// restorecon restores SELinux Contexts
+	// Check with: ls -lZ /path/to/file
+	// If the context is wrong systemctl will complain about a missing unit file
+	// Note that we won't check for errors here because:
+	// - We don't support SELinux in Enforcing mode
+	// - restorecon might not be available (Ubuntu doesn't install SELinux tools by default)
+	cmd = fmt.Sprintf("restorecon %s%s-%d.service", systemdDir, comp, port)
+	e.Execute(ctx, cmd, sudo)
+
 	// doesn't work
 	if _, err := i.setTLSConfig(ctx, false, nil, paths); err != nil {
 		return err

diff --git a/pkg/cluster/spec/tispark.go b/pkg/cluster/spec/tispark.go
@@ -267,6 +267,15 @@ func (i *TiSparkMasterInstance) InitConfig(
 		return errors.Annotatef(err, "execute: %s", cmd)
 	}
 
+	// restorecon restores SELinux Contexts
+	// Check with: ls -lZ /path/to/file
+	// If the context is wrong systemctl will complain about a missing unit file
+	// Note that we won't check for errors here because:
+	// - We don't support SELinux in Enforcing mode
+	// - restorecon might not be available (Ubuntu doesn't install SELinux tools by default)
+	cmd = fmt.Sprintf("restorecon %s%s-%d.service", systemdDir, comp, port)
+	e.Execute(ctx, cmd, sudo)
+
 	// transfer default config
 	pdList := topo.GetPDList()
 	masterList := make([]string, 0)

diff --git a/pkg/cluster/task/monitored_config.go b/pkg/cluster/task/monitored_config.go
@@ -138,6 +138,16 @@ func (m *MonitoredConfig) syncMonitoredSystemConfig(ctx context.Context, exec ct
 		}
 		return err
 	}
+
+	// restorecon restores SELinux Contexts
+	// Check with: ls -lZ /path/to/file
+	// If the context is wrong systemctl will complain about a missing unit file
+	// Note that we won't check for errors here because:
+	// - We don't support SELinux in Enforcing mode
+	// - restorecon might not be available (Ubuntu doesn't install SELinux tools by default)
+	cmd := fmt.Sprintf("restorecon %s%s-%d.service", systemdDir, comp, port)
+	exec.Execute(ctx, cmd, sudo)
+
 	return nil
 }