[node-patches] Change in ovirt-node[master]: hooks: Run hooks from neutral context to allow SELinux trans...
fabiand at redhat.com
Fri Nov 13 11:43:26 UTC 2015
Fabian Deutsch has uploaded a new change for review.
Change subject: hooks: Run hooks from neutral context to allow SELinux transitions
......................................................................
hooks: Run hooks from neutral context to allow SELinux transitions
In change I8a6e4533628fc217c8e6b0d9028b51f38895f4d2 the hooks got moved to
their own service. Prior to that relocation, we ensured that the hooks
were called from the unconfined_t to ensure that all context transitions
were working correctly.
That change however dropped the runcon call which ensured that the hooks
were started from the right context.
This patch now adds back the runcon call to set the unconfined_t context
when launching the hooks; this shall ensure proper transitions.
The symptoms of this bug are, for example, that a service has the wrong
SELinux context, because the hook was run in the ovirt_t context, which had
no allowed transitions to the required target context of the service.
I.e.: libvirtd was still running in the ovirt_t context, even if it should
be running in the virtd_t context.
Now that runcon -t unconfined_t $HOOK is used, the service
can happily transition from unconfined_t to ovirt_t.
Change-Id: I2802d92f1ef86fd6df490fe4196c1cf044626a35
Bug-Url: https://bugzilla.redhat.com/show_bug.cgi?id=1281363
Signed-off-by: Fabian Deutsch <fabiand at fedoraproject.org>
---
M scripts/ovirt-node-hooks.sh
1 file changed, 1 insertion(+), 1 deletion(-)
git pull ssh://gerrit.ovirt.org:29418/ovirt-node refs/changes/32/48532/1
diff --git a/scripts/ovirt-node-hooks.sh b/scripts/ovirt-node-hooks.sh
index 4d0c0c6..21c7f01 100644
--- a/scripts/ovirt-node-hooks.sh
+++ b/scripts/ovirt-node-hooks.sh
@@ -36,7 +36,7 @@
for handler in "$HOOK_DIR/$1"/*;
do
echo "Running handler: $handler"
- "$handler" >> $OVIRT_HOOKLOG 2>&1
+ runcon -t unconfined_t "$handler" >> $OVIRT_HOOKLOG 2>&1
done
fi
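Review bot: the exit status of the new `runcon -t unconfined_t "$handler"` line is never checked, so when the policy does not allow the service's own domain (ovirt_t, per the commit message) to transition to unconfined_t, or when the node boots with SELinux disabled (coreutils runcon refuses to run on a non-SELinux kernel), runcon exits non-zero, the handler is silently skipped, and the loop carries on to the next one; the only trace is a line in $OVIRT_HOOKLOG. Suggest guarding the call and logging failures, e.g. `if selinuxenabled; then runcon -t unconfined_t "$handler"; else "$handler"; fi >> "$OVIRT_HOOKLOG" 2>&1 || echo "Handler failed: $handler" >> "$OVIRT_HOOKLOG"` (quoting $OVIRT_HOOKLOG while at it). Worth a sentence in the commit message too: every handler now runs unconfined, so a compromised or sloppy hook script is no longer limited by ovirt_t; a dedicated hook domain with explicit transitions to the needed service types (virtd_t etc.) would be the tighter policy if one is ever written.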
--
To view, visit https://gerrit.ovirt.org/48532
To unsubscribe, visit https://gerrit.ovirt.org/settings
Gerrit-MessageType: newchange
Gerrit-Change-Id: I2802d92f1ef86fd6df490fe4196c1cf044626a35
Gerrit-PatchSet: 1
Gerrit-Project: ovirt-node
Gerrit-Branch: master
Gerrit-Owner: Fabian Deutsch <fabiand at redhat.com>
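As an added illustration (not ovirt-node code, and not part of the change above), the following hook runner implements the pattern the patch is after, running each handler through `runcon -t <neutral type>` so the handler's own exec transitions apply, but only when an SELinux kernel is present, and with the exit status of every handler checked and logged. The hook layout ($HOOK_DIR/<hook-name>/<handler>), the log file variable, and the NEUTRAL_TYPE parameter are assumptions for this example; `selinuxenabled` (libselinux-utils) and `runcon` (coreutils) are the real tools.

```shell
#!/bin/sh
# Added example, not ovirt-node project code.
# Run every handler under $HOOK_DIR/<hook-name>, launching it via
# "runcon -t $NEUTRAL_TYPE" when an SELinux kernel is loaded so that the
# handler starts from a neutral domain and the policy's exec transitions
# (e.g. into virtd_t for libvirtd) can take effect. On a non-SELinux box
# the handler is started directly, because runcon would refuse to run and
# the handler would otherwise never execute. Each handler's exit status is
# checked, so a failed transition is visible instead of silently skipped.
#
# Assumed layout and names (hypothetical defaults, override via env):
HOOK_DIR="${HOOK_DIR:-/usr/libexec/ovirt-node/hooks}"
OVIRT_HOOKLOG="${OVIRT_HOOKLOG:-/var/log/ovirt-node-hooks.log}"
NEUTRAL_TYPE="${NEUTRAL_TYPE:-unconfined_t}"

# selinux_active: succeed only when selinuxenabled and runcon exist and the
# kernel reports SELinux as enabled (enforcing or permissive).
selinux_active() {
    command -v selinuxenabled >/dev/null 2>&1 &&
    command -v runcon >/dev/null 2>&1 &&
    selinuxenabled
}

# run_handler PATH: launch one handler from the neutral type when possible.
# Exit status is the handler's, or runcon's if the transition itself failed.
run_handler() {
    if selinux_active; then
        runcon -t "$NEUTRAL_TYPE" "$1"
    else
        "$1"
    fi
}

# run_hooks NAME: run every executable under $HOOK_DIR/NAME, appending all
# output to $OVIRT_HOOKLOG. Prints the number of failed handlers on stdout
# and returns non-zero if any handler (or its runcon launch) failed.
run_hooks() {
    dir="$HOOK_DIR/$1"
    failed=0
    if [ ! -d "$dir" ]; then
        echo 0
        return 0
    fi
    for handler in "$dir"/*; do
        # An empty directory leaves the literal '*' in $handler; skip it and
        # anything that is not executable.
        [ -x "$handler" ] || continue
        echo "Running handler: $handler" >> "$OVIRT_HOOKLOG"
        if run_handler "$handler" >> "$OVIRT_HOOKLOG" 2>&1; then
            :
        else
            rc=$?
            echo "Handler failed (rc=$rc): $handler" >> "$OVIRT_HOOKLOG"
            failed=$((failed + 1))
        fi
    done
    echo "$failed"
    [ "$failed" -eq 0 ]
}
```

Usage is `run_hooks on-boot` (or whatever hook name the unit passes as `$1`); afterwards `ps -eZ | grep libvirtd` shows whether the launched service actually landed in virtd_t rather than inheriting the caller's domain. The `selinux_active` guard is what keeps the runner working on a kernel without SELinux; the neutral type is deliberately a parameter so it can be swapped for a dedicated hook domain should one be added to the policy.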
More information about the node-patches mailing list