
Re: [Xen-devel] [PATCH 0/4 v2] tools/hotplug: systemd changes for 4.5



On Thu, Dec 11, 2014 at 01:04:24PM +0100, Olaf Hering wrote:
> On Thu, Dec 11, M A Young wrote:
> 
> > Yes, you do need to set explicit selinux permissions when mounting
> > /var/lib/xenstored as otherwise it gets a tmpfs selinux context which
> > xenstored can't use in enforcing mode.
> 
> Is that "enforcing mode" the default? And would it be too cumbersome to

Yes.
> have these context settings in fstab?

That would be a question for the SELinux maintainer.
> 
> > The other selinux issue is that it seems you can't run xenstored through a
> > shell script wrapper, because it still has startup shell script selinux
> > permissions when it is trying to connect to the sockets, so it doesn't work.
> > It does work if you run xenstored directly from the systemd file.
> 
> This sounds like xenstored has to parse the possible environment
> variables found in sysconfig.xencommons all by itself? Is there perhaps
> a way out of the SELinux jail?

We do want to be in the SELinux jail as you call it.

This is what it looks to be doing:

[konrad@laptop SOURCES]$ more var-lib-xenstored.mount 
[Unit]
Description=mount xenstore file system
ConditionPathExists=/proc/xen
RefuseManualStop=true

[Mount]
What=xenstore
Where=/var/lib/xenstored
Type=tmpfs
Options=mode=755,context="system_u:object_r:xenstored_var_lib_t:s0"
[konrad@laptop SOURCES]$ 

I wonder if we can detect the context during build-time (an autoconf function
that checks whether the build is done for Fedora?)

But what if the version of Fedora is different and the object is called
something else?
> 
> Olaf

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel
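Added example (not part of the thread and not Xen's own code) showing one way to answer the build-time question above: instead of guessing the distribution, look up whether the policy on the host actually defines the type before emitting the context= mount option. The unit layout mirrors the var-lib-xenstored.mount shown in the message; the type name xenstored_var_lib_t comes from it too. Assumptions: the file_contexts database lives at the Fedora targeted-policy path, and the helper names (selinux_type_defined, xenstored_mount_options, xenstored_mount_unit) are hypothetical. The sample file_contexts lines at the bottom are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example, not Xen code: emit Options= for a var-lib-xenstored.mount unit,
# adding context= only when the SELinux policy on this host defines the type.
# Assumption: file_contexts is at the Fedora targeted-policy path; it is a
# parameter so the check can be pointed elsewhere.

# selinux_type_defined TYPE [FILE_CONTEXTS]
# Exit 0 if TYPE occurs in the policy's file_contexts database, 1 otherwise
# (including when the database is absent, e.g. a non-SELinux build host).
selinux_type_defined() {
    _fc="${2:-/etc/selinux/targeted/contexts/files/file_contexts}"
    [ -r "$_fc" ] && grep -q "object_r:$1:" "$_fc"
}

# xenstored_mount_options TYPE [FILE_CONTEXTS]
# Print the Options= value.  A tmpfs without context= gets the generic tmpfs
# label, which xenstored cannot use in enforcing mode, so the label is added
# whenever the policy knows the type; otherwise plain tmpfs options are used.
xenstored_mount_options() {
    if selinux_type_defined "$1" "$2"; then
        printf 'mode=755,context="system_u:object_r:%s:s0"' "$1"
    else
        printf 'mode=755'
    fi
}

# xenstored_mount_unit TYPE [FILE_CONTEXTS]
# Print a complete mount unit in the shape used in the thread.
xenstored_mount_unit() {
    cat <<EOF
[Unit]
Description=mount xenstore file system
ConditionPathExists=/proc/xen
RefuseManualStop=true

[Mount]
What=xenstore
Where=/var/lib/xenstored
Type=tmpfs
Options=$(xenstored_mount_options "$1" "$2")
EOF
}

# Demo on a constructed file_contexts fragment (sample data, not a policy dump).
SAMPLE_FC="$(mktemp)"
cat >"$SAMPLE_FC" <<'EOF'
/var/lib(/.*)?	system_u:object_r:var_lib_t:s0
/var/lib/xenstored(/.*)?	system_u:object_r:xenstored_var_lib_t:s0
EOF
xenstored_mount_unit xenstored_var_lib_t "$SAMPLE_FC"
rm -f "$SAMPLE_FC"
```

Run it on a host whose policy lacks the type (or pass a path to a file_contexts that does not mention it) and the Options= line drops the context= part instead of shipping a label the policy would reject at mount time.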