[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH 1/7] tools/hotplug: remove SELinux options from var-lib-xenstored.mount

To: Olaf Hering <olaf@xxxxxxxxx>, George Dunlap <George.Dunlap@xxxxxxxxxxxxx>
From: George Dunlap <george.dunlap@xxxxxxxxxx>
Date: Mon, 14 Sep 2015 17:30:33 +0100
Cc: Wei Liu <wei.liu2@xxxxxxxxxx>, Ian Campbell <ian.campbell@xxxxxxxxxx>, Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>, "Luis R. Rodriguez" <mcgrof@xxxxxxxxxxxxxxxx>, Ian Jackson <ian.jackson@xxxxxxxxxxxxx>, "xen-devel@xxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxx>, M A Young <m.a.young@xxxxxxxxxxxx>, Anthony PERARD <anthony.perard@xxxxxxxxxx>
Delivery-date: Mon, 14 Sep 2015 16:30:41 +0000
List-id: Xen developer discussion <xen-devel.lists.xen.org>

On 09/11/2015 07:31 AM, Olaf Hering wrote:
> On Thu, Sep 10, George Dunlap wrote:
> 
>> On Fri, Dec 19, 2014 at 11:25 AM, Olaf Hering <olaf@xxxxxxxxx> wrote:
>>> Using SELinux mount options per default breaks several systems.
>>> Either the context= mount option is not known at all to the kernel,
>>> as reported for ArchLinux. Or the default value "none" is unknown to
>>> SELinux, as reported for Fedora. In both cases the unit will fail.
>>>
>>> The proper place to specify mount options is /etc/fstab. Appearently
>>> systemd is kind enough to use values from there even if Options= or
>>> What= is specified in a .mount file.
>>
>> For the benefit of someone moonlighting as a CentOS package
>> maintainer, could you tell me how adding such an entry in a package is
>> normally done?  Or alternately, how you would recommend a package
>> maintainer to add the appropriate context?
> 
> George, I know nothing about SELinux.
> I think its either up to a rpm %post install script to fiddle with fstab
> and pray that the added lines fit the system policies. Or its up to the
> documentation team to describe how SELinux is supposed to be configured
> for the third party app "Xen" on CentOS.

Well if you "know nothing about SELinux", and you don't use it, and
don't have any test systems that use it, then why did you assert
"The proper place to specify [an SELinux mount context] is /etc/fstab"?
 This patchset was accepted because you represented it as the "right"
way of doing things.

So poking around CentOS 7, it looks like in most cases, after a tmpfs is
mounted, "restorecon -R $mountpoint" is also run, which restores the
default selinux tags.  Manually starting var-lib-xenstored, then running
restorecon, then manually starting xenstored.service seems to work.  So
at the moment I'm trying to figure out if there's a "right" way to get
restorecon run at the right time  (or alternately, a "right" way to
mount a tmpfs at /var/lib/xenstored such that it happens automatically).

If that doesn't work, then adding a xenstored configuration file that
can contain mount options is probably the best option.

 -George

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel

Follow-Ups:
- Re: [Xen-devel] [PATCH 1/7] tools/hotplug: remove SELinux options from var-lib-xenstored.mount
  - From: Olaf Hering

References:
- Re: [Xen-devel] [PATCH 1/7] tools/hotplug: remove SELinux options from var-lib-xenstored.mount
  - From: George Dunlap
- Re: [Xen-devel] [PATCH 1/7] tools/hotplug: remove SELinux options from var-lib-xenstored.mount
  - From: Olaf Hering

Prev by Date: Re: [Xen-devel] Dom0 crash with apache bench (ab)
Next by Date: Re: [Xen-devel] [PATCH v11 11/11] (lib)xl: soft reset support
Previous by thread: Re: [Xen-devel] [PATCH 1/7] tools/hotplug: remove SELinux options from var-lib-xenstored.mount
Next by thread: Re: [Xen-devel] [PATCH 1/7] tools/hotplug: remove SELinux options from var-lib-xenstored.mount
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.