
Re: [Xen-devel] [PATCH 0/4 v2] tools/hotplug: systemd changes for 4.5

On Thu, Dec 11, 2014 at 01:04:24PM +0100, Olaf Hering wrote:
> On Thu, Dec 11, M A Young wrote:
> > Yes, you do need to set explicit selinux permissions when mounting
> > /var/lib/xenstored as otherwise it gets a tmpfs selinux context which
> > xenstored can't use in enforcing mode.
> Is that "enforcing mode" the default? And would it be too cumbersome to
> have these context settings in fstab?

That would be a question for the SELinux maintainer.

> > The other selinux issue is that it seems you can't run xenstored through a
> > shell script wrapper, because it still has startup shell script selinux
> > permissions when it is trying to connect to the sockets, so it doesn't work.
> > It does work if you run xenstored directly from the systemd file.
> This sounds like xenstored has to parse the possible environment
> variables found in sysconfig.xencommons all by itself? Is there perhaps
> a way out of the SELinux jail?

We do want to be in the SELinux jail as you call it.

This is what it looks to be doing:

[konrad@laptop SOURCES]$ more var-lib-xenstored.mount 
Description=mount xenstore file system

[konrad@laptop SOURCES]$ 

I wonder if we can detect the context during build-time (an autoconf function
that checks whether the build is done for Fedora?)

But what if the version of Fedora is different and the object is called
something else?
> Olaf
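The mount-unit approach discussed above, as an added example that is not part of this thread or of the Xen tree: instead of hard-coding the label at build time, the script resolves the context the installed policy expects for /var/lib/xenstored with matchpathcon at install time, so a renamed type in a later Fedora policy is picked up automatically. The fallback type system_u:object_r:xenstored_var_lib_t:s0 and the xenstored.service unit name are assumptions.

```shell
#!/bin/sh
# Added example: generate a systemd .mount unit for /var/lib/xenstored whose
# tmpfs carries an explicit SELinux context, so the files xenstored creates
# there do not inherit the generic tmpfs label that enforcing mode rejects.

# Resolve the file context the installed policy expects for a path.
# Falls back to $2 when matchpathcon is unavailable (non-SELinux host).
# The fallback type is an assumption, not taken from any shipped policy.
xenstore_context() {
    path=$1; fallback=$2
    if command -v matchpathcon >/dev/null 2>&1; then
        ctx=$(matchpathcon -n "$path" 2>/dev/null) && [ -n "$ctx" ] && { echo "$ctx"; return; }
    fi
    echo "$fallback"
}

# Emit the unit text on stdout. The context= mount option labels every
# file on the tmpfs with the given context at mount time, which is the
# same effect as a "context=" field in an fstab entry for the mount.
gen_mount_unit() {
    ctx=$1
    cat <<EOF
[Unit]
Description=mount xenstore file system
ConditionPathExists=/proc/xen/capabilities
Before=xenstored.service

[Mount]
What=xenstore
Where=/var/lib/xenstored
Type=tmpfs
Options=mode=755,context=$ctx

[Install]
WantedBy=multi-user.target
EOF
}

# Read back the context= value from a unit on stdin (post-generation check).
unit_context() {
    sed -n 's/^Options=.*context=\([^,]*\).*/\1/p'
}

CTX=$(xenstore_context /var/lib/xenstored system_u:object_r:xenstored_var_lib_t:s0)
gen_mount_unit "$CTX"
```

After the unit is installed and started, `ls -dZ /var/lib/xenstored` should show the resolved context rather than the default tmpfs label.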
