[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH 7/7] tools/hotplug: add wrapper to start xenstored

On Wed, Jan 07, 2015 at 03:27:15PM +0000, Ian Jackson wrote:
> Olaf Hering writes ("Re: [PATCH 7/7] tools/hotplug: add wrapper to start 
> xenstored"):
> > If I recall correctly the point of the current 'sh -c "exec ..."' stunt
> > was to expand the XENSTORE variable from the sysconfig file. But this
> > approach leads to failures with SELinux because the socket passing does
> > not work this way. Up to now I have not seen a success report for
> > selinux+systemd+xenstored. Maybe its already somewhere in the other
> > unread mails.
> The selinux policy should follow the actual code, not vice versa.
> That is, if the approach which we select (based on all the other
> criteria) is not compatible with existing selinux policies, this
> should be fixed by changing the selinux policies.
> Since the selinux policies are not in xen.git, and are not maintained
> as part of the Xen Project, there is no reason to delay introducing
> changes in xen.git#master which are known to be incompatible with some
> selinux policies.
> My conclusion therefore is that selinux policies are an irrelevant
> consideration when deciding what the scripts, systemd integration,
> etc. should look like in xen.git#master.
> (And what applies to xen.git#master applies to the as-yet-unreleased
> xen.git#staging-4.5 too.)
> > Hopefully someone with access to a SELinux enabled system will report
> > which approach actually works.
> I have concluded that the right approach is to disregard selinux.
> Developers of selinux-enforcing setups should update the selinux
> policies to support what the upstream Xen Project code does.

... which is none. We don't ship any SELinux policies.

Anyhow I concur with the sentiment which is why I was aiming at just
having an release note about the SELinux part - and having this patch
not worry that much about SELinux and instead be satisfactory
to you and IanC.

Olaf, that hopefully would make it easier for you to come up with
a nice patch ?

> Thanks,
> Ian.

Xen-devel mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.