
Re: [Xen-devel] [PATCH 1/7] tools/hotplug: remove SELinux options from var-lib-xenstored.mount



On 09/15/2015 04:12 PM, Konrad Rzeszutek Wilk wrote:
> On Tue, Sep 15, 2015 at 03:01:31PM +0100, George Dunlap wrote:
>> On 09/15/2015 02:58 PM, Konrad Rzeszutek Wilk wrote:
>>> On Tue, Sep 15, 2015 at 01:55:15PM +0100, George Dunlap wrote:
>>>> On Tue, Sep 15, 2015 at 1:48 PM, Olaf Hering <olaf@xxxxxxxxx> wrote:
>>>>> On Tue, Sep 15, George Dunlap wrote:
>>>>>
>>>>>> It's very reasonable for you to expect it to be fixed on non-SELinux
>>>>>> systems.  But what you did is fix it for non-SELinux systems by simply
>>>>>> breaking it on SELinux systems -- that's not at all reasonable.
>>>>>
>>>>> Konrad did some testing at that time and said 4.5 was ok.
>>>>> Why is 4.6 broken now?
>>>>
>>>> OK -- I see that he committed it, but I didn't see him say that he had
>>>> tested this particular patch.  It would be interesting to find out why
>>>> it worked for him.
>>>
>>> It just worked out of the box when I installed a source build of Xen
>>> on a virgin Fedora box.
>>>
>>> I am not sure how it worked if SELinux ended up being disabled!
>>
>> So how did you install Xen?  "make install"?  Or did you do "make rpmball"?
> 
> ./configure --enable-systemd --prefix=/usr 
> 
> make -j31556
> make install
> 
> cat README | grep systemctl
> [paste all of those in the command line]
> 
> grub2-mkconfig -o /boot/grub/grub2.cfg
> 
> reboot

Right -- so you never did "restorecon" or "fixfiles -f relabel" or
"touch /.autorelabel" or anything explicitly to give the installed
binaries their selinux labels?

In which case I'm *guessing* that you never actually set up selinux for
the Xen binaries, and the reason it worked for you was that you weren't
actually using the selinux rules.

>> Is it possible that /usr/sbin/xenstored never got the default selinux
>> label, and so never had any issues from the fact that /var/lib/xenstored
>> also didn't have the proper label?
> 
> 
> I think you are asking me to try this once more and see if
> I see the error you think I should be seeing :-)
> 
> I can certainly do that - but not today. Would Friday be OK?

Well, I did think about asking you to try again, but I purposely didn't.
:-)

Since you've offered though, yes, it would be good if you could do
exactly what you did before, and then look at

ls -lZ /usr/sbin/xenstored

And then, perhaps, do "touch /.autorelabel" (assuming that works on
Fedora the way it works on CentOS), reboot, and see what happens (and
what ls -lZ /usr/sbin/xenstored comes up with)?

I won't be working Friday, but I'll be back on Monday.

Thanks,
 -George
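
The label check requested above, as an added example that is not part of the original message: a shell sketch that compares each path's on-disk SELinux context with the one the loaded policy expects. It assumes GNU `stat` and the `selinuxenabled` and `matchpathcon` utilities are installed; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread: report paths whose on-disk SELinux
# label differs from what the loaded policy would assign on a relabel.
# Function names are hypothetical.

# The type is the third colon-separated field of user:role:type[:level].
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# compare_ctx PATH ACTUAL EXPECTED: returns 0 on match, 1 on mismatch.
# Only the type field is compared; user and role may differ.
compare_ctx() {
    if [ "$(ctx_type "$2")" = "$(ctx_type "$3")" ]; then
        echo "OK       $1 ($2)"
        return 0
    fi
    echo "MISMATCH $1 has $2, policy expects $3"
    return 1
}

# audit_path PATH: returns 2 when the check cannot be made at all.
audit_path() {
    if ! command -v selinuxenabled >/dev/null 2>&1 || ! selinuxenabled; then
        echo "SKIP     $1 (SELinux not enabled, labels are not being used)"
        return 2
    fi
    actual=$(stat -c %C "$1" 2>/dev/null) ||
        { echo "SKIP     $1 (no security context)"; return 2; }
    expected=$(matchpathcon -n "$1" 2>/dev/null) ||
        { echo "SKIP     $1 (matchpathcon failed)"; return 2; }
    compare_ctx "$1" "$actual" "$expected"
}

# Usage: sh check-labels.sh /usr/sbin/xenstored /var/lib/xenstored
for p in "$@"; do
    audit_path "$p" || true
done
```

Running it before and after "touch /.autorelabel" plus a reboot shows whether the relabel changed anything.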

