[node-patches] Change in ovirt-node[ovirt-3.5]: hooks: Run hooks from neutral context to allow SELinux trans...

fabiand at redhat.com fabiand at redhat.com
Mon Nov 16 12:07:11 UTC 2015


Fabian Deutsch has submitted this change and it was merged.

Change subject: hooks: Run hooks from neutral context to allow SELinux transitions
......................................................................


hooks: Run hooks from neutral context to allow SELinux transitions

In change I8a6e4533628fc217c8e6b0d9028b51f38895f4d2 the hooks got moved to
their own service. Prior to that relocation, we ensured that the hooks
were called from the unconfined_t to ensure that all context transitions
were working correctly.
That change however dropped the runcon call which ensured that the hooks
were started from the right context.

This patch now adds back the runcon call to set the unconfined_t context
when launching the hooks; this shall ensure proper transitions.

The symptoms of this bug are for example that a service has the wrong
SELinux context, because the hook was run in the ovirt_t context, which had
no allowed transitions to the required target context of the service.

I.e.: libvirtd was still running in the ovirt_t context, even if it should
be running in the virtd_t context.
Now that runcon -t unconfined_t $HOOK is used, the service
can happily transition from unconfined_t to ovirt_t.

Change-Id: I2802d92f1ef86fd6df490fe4196c1cf044626a35
Bur-Url: https://bugzilla.redhat.com/show_bug.cgi?id=1281363
Signed-off-by: Fabian Deutsch <fabiand at fedoraproject.org>
(cherry picked from commit 48b8851e8c5b440ed341c3269407619ee76995df)
(cherry picked from commit 3d9f68c9a41057a5db2360fb6363178002350af3)
---
M scripts/ovirt-node-hooks.sh
1 file changed, 1 insertion(+), 1 deletion(-)

Approvals:
  Fabian Deutsch: Verified; Looks good to me, approved; Passed CI tests
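As an added example (editor's illustration, not code from the ovirt-node patch or from scripts/ovirt-node-hooks.sh): a POSIX shell hook launcher that starts each hook through `runcon -t unconfined_t`, the mechanism the commit message restores, together with a small check that flags services left in an unexpected SELinux domain (the libvirtd-in-ovirt_t symptom described above). The `run_hook`, `domain_of` and `check_domains` function names, the expected-type file format and the `ps -eZ`-style sample lines are assumptions made for this example; the sample output is constructed, and the fallback to a plain exec is only there so the script also runs on hosts without SELinux.

```shell
#!/bin/sh
# Added example, not the ovirt-node project's own hook runner.
# Demonstrates (1) launching hooks from the neutral unconfined_t type so the
# hook executable's own SELinux type transition applies, and (2) a check that
# reports services whose running domain differs from the one expected.

HOOK_CONTEXT_TYPE="unconfined_t"   # type the commit message restores via runcon

# run_hook HOOK [ARGS...]
# Start HOOK from unconfined_t via runcon when SELinux is enforcing and runcon
# exists; otherwise exec the hook directly (assumed fallback for non-SELinux hosts).
run_hook() {
    hook=$1; shift
    if command -v runcon >/dev/null 2>&1 && \
       [ -r /sys/fs/selinux/enforce ] && [ "$(cat /sys/fs/selinux/enforce)" = "1" ]; then
        runcon -t "$HOOK_CONTEXT_TYPE" "$hook" "$@"
    else
        "$hook" "$@"
    fi
}

# domain_of CONTEXT -> prints the type field of a context string,
# e.g. system_u:system_r:virtd_t:s0 -> virtd_t
domain_of() {
    printf '%s\n' "$1" | cut -d: -f3
}

# check_domains EXPECTED_FILE < PS_OUTPUT
# EXPECTED_FILE lines: "<command> <expected_type>" (assumed format).
# stdin: "ps -eZ"-style lines "<context> <pid> <tty> <time> <command>".
# Prints "<command> <actual_type> <expected_type>" per mismatch; returns 1 if any.
check_domains() {
    expected=$1
    rc=0
    while read -r ctx pid tty cputime cmd; do
        want=$(awk -v c="$cmd" '$1 == c { print $2 }' "$expected")
        [ -n "$want" ] || continue          # command not in the expected list
        have=$(domain_of "$ctx")
        if [ "$have" != "$want" ]; then
            printf '%s %s %s\n' "$cmd" "$have" "$want"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample of "ps -eZ" output reproducing the symptom from the
# commit message: libvirtd still in ovirt_t instead of virtd_t.
SAMPLE_PS='system_u:system_r:ovirt_t:s0 1234 ? 00:00:01 libvirtd
system_u:system_r:sshd_t:s0 900 ? 00:00:00 sshd'

demo() {
    exp=$(mktemp)
    printf 'libvirtd virtd_t\nsshd sshd_t\n' > "$exp"
    printf '%s\n' "$SAMPLE_PS" | check_domains "$exp" \
        || echo "at least one service runs in an unexpected SELinux domain"
    rm -f "$exp"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Run with `sh hookcheck.sh --demo` to see the constructed mismatch reported; on a real host, feed `ps -eZ --no-headers -o context,pid,tty,time,comm` into `check_domains` after fixing the hooks to confirm that services end up in their intended domains.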



-- 
To view, visit https://gerrit.ovirt.org/48611
To unsubscribe, visit https://gerrit.ovirt.org/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I2802d92f1ef86fd6df490fe4196c1cf044626a35
Gerrit-PatchSet: 1
Gerrit-Project: ovirt-node
Gerrit-Branch: ovirt-3.5
Gerrit-Owner: Fabian Deutsch <fabiand at redhat.com>
Gerrit-Reviewer: Fabian Deutsch <fabiand at redhat.com>
Gerrit-Reviewer: gerrit-hooks <automation at ovirt.org>