Re: [Xen-devel] [PATCH 0/4 v2] tools/hotplug: systemd changes for 4.5
On Thu, Dec 11, 2014 at 01:04:24PM +0100, Olaf Hering wrote:
> On Thu, Dec 11, M A Young wrote:
>
> > Yes, you do need to set explicit selinux permissions when mounting
> > /var/lib/xenstored as otherwise it gets a tmpfs selinux context which
> > xenstored can't use in enforcing mode.
>
> Is that "enforcing mode" the default? And would it be too cumbersome to

Yes.

> have these context settings in fstab?

That would be a question for the SELinux maintainer.

> > The other selinux issue is that it seems you can't run xenstored through a
> > shell script wrapper, because it still has startup shell script selinux
> > permissions when it is trying to connect to the sockets, so it doesn't work.
> > It does work if you run xenstored directly from the systemd file.
>
> This sounds like xenstored has to parse the possible environment
> variables found in sysconfig.xencommons all by itself? Is there perhaps
> a way out of the SELinux jail?

We do want to be in the SELinux jail as you call it.

This is what it looks to be doing:

[konrad@laptop SOURCES]$ more var-lib-xenstored.mount
[Unit]
Description=mount xenstore file system
ConditionPathExists=/proc/xen
RefuseManualStop=true

[Mount]
What=xenstore
Where=/var/lib/xenstored
Type=tmpfs
Options=mode=755,context="system_u:object_r:xenstored_var_lib_t:s0"
[konrad@laptop SOURCES]$

I wonder if we can detect the context during build-time (an autoconf
function that checks whether the build is done for Fedora?) But what if
the version of Fedora is different and the object is called something
else?

> Olaf

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel
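The mount unit above only helps if the tmpfs really ends up with the xenstored type; a tmpfs mounted without an explicit context= option gets the generic tmpfs label, which is the failure M A Young describes. The following POSIX shell check is an added example, not code from the thread or from the Xen tree: it extracts the SELinux type from a mount's option string (the form printed by `findmnt -no OPTIONS <mountpoint>`) and compares it with the expected type. The function names and the sample option strings are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the Xen tree): verify that a mount point's options
# carry the expected SELinux context type. Option strings look like
#   mode=755,context="system_u:object_r:xenstored_var_lib_t:s0"
# with or without the quotes, depending on which tool printed them.

# Print the type field (third colon-separated component) of a context=
# mount option. Returns 1 when no context= option is present, which is
# exactly the case of a tmpfs mounted without an explicit label.
selinux_type_from_opts() {
    opts=$1
    # One option per line, then keep only the value of context=... with
    # optional surrounding double quotes stripped.
    ctx=$(printf '%s\n' "$opts" | tr ',' '\n' \
          | sed -n 's/^context="\{0,1\}\([^"]*\)"\{0,1\}$/\1/p')
    [ -n "$ctx" ] || return 1
    printf '%s\n' "$ctx" | cut -d: -f3
}

# Return 0 when the option string labels the mount with the expected type
# (default: xenstored_var_lib_t, the type used in the unit file above).
check_xenstored_context() {
    opts=$1
    expected=${2:-xenstored_var_lib_t}
    actual=$(selinux_type_from_opts "$opts") || return 1
    [ "$actual" = "$expected" ]
}

# Live usage on a host where the mount exists (constructed command, not
# run here): only meaningful when SELinux is enforcing, see getenforce(8).
#   if check_xenstored_context "$(findmnt -no OPTIONS /var/lib/xenstored)"; then
#       echo "/var/lib/xenstored carries xenstored_var_lib_t"
#   else
#       echo "/var/lib/xenstored is missing the xenstored context" >&2
#   fi
```

The check deliberately treats a missing context= option as a failure rather than falling back to the filesystem default, because on a tmpfs that default is what xenstored cannot use under enforcing mode.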