Xen project Mailing List

Re: [Xen-devel] [PATCH 7/7] tools/hotplug: add wrapper to start xenstored

To: Ian Jackson <Ian.Jackson@xxxxxxxxxxxxx>

From: Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>

Date: Wed, 7 Jan 2015 10:42:09 -0500

Cc: Olaf Hering <olaf@xxxxxxxxx>, Wei Liu <wei.liu2@xxxxxxxxxx>, Ian Campbell <Ian.Campbell@xxxxxxxxxx>, Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>, xen-devel@xxxxxxxxxxxxx, m.a.young@xxxxxxxxxxxx

Delivery-date: Wed, 07 Jan 2015 15:42:43 +0000

List-id: Xen developer discussion <xen-devel.lists.xen.org>

On Wed, Jan 07, 2015 at 03:27:15PM +0000, Ian Jackson wrote: > Olaf Hering writes ("Re: [PATCH 7/7] tools/hotplug: add wrapper to start > xenstored"): > > If I recall correctly the point of the current 'sh -c "exec ..."' stunt > > was to expand the XENSTORE variable from the sysconfig file. But this > > approach leads to failures with SELinux because the socket passing does > > not work this way. Up to now I have not seen a success report for > > selinux+systemd+xenstored. Maybe its already somewhere in the other > > unread mails. > > The selinux policy should follow the actual code, not vice versa. > > That is, if the approach which we select (based on all the other > criteria) is not compatible with existing selinux policies, this > should be fixed by changing the selinux policies. > > Since the selinux policies are not in xen.git, and are not maintained > as part of the Xen Project, there is no reason to delay introducing > changes in xen.git#master which are known to be incompatible with some > selinux policies. > > My conclusion therefore is that selinux policies are an irrelevant > consideration when deciding what the scripts, systemd integration, > etc. should look like in xen.git#master. > > (And what applies to xen.git#master applies to the as-yet-unreleased > xen.git#staging-4.5 too.) > > > Hopefully someone with access to a SELinux enabled system will report > > which approach actually works. > > I have concluded that the right approach is to disregard selinux. > Developers of selinux-enforcing setups should update the selinux > policies to support what the upstream Xen Project code does. ... which is none. We don't ship any SELinux policies. Anyhow I concur with the sentiment which is why I was aiming at just having an release note about the SELinux part - and having this patch not worry that much about SELinux and instead be satisfactory to you and IanC. Olaf, that hopefully would make it easier for you to come up with a nice patch ? > > Thanks, > Ian. _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx http://lists.xen.org/xen-devel

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.