
Re: [Xen-devel] [PATCH 1/7] tools/hotplug: remove SELinux options from var-lib-xenstored.mount



On Fri, 2014-12-19 at 12:25 +0100, Olaf Hering wrote:
> Using SELinux mount options per default breaks several systems.
> Either the context= mount option is not known at all to the kernel,
> as reported for ArchLinux. Or the default value "none" is unknown to
> SELinux, as reported for Fedora. In both cases the unit will fail.
> 
> The proper place to specify mount options is /etc/fstab. Appearently
> systemd is kind enough to use values from there even if Options= or
> What= is specified in a .mount file.
> 
> Remove XENSTORED_MOUNT_CTX, the reference to a non-existant
> EnvironmentFile and trim default Options= for the mount point.
> 
> The removed code was first mentioned in the patch referenced below,
> with the following description:
> ...
>  * Some systems define the selinux context in the systemd Option for
>    the /var/lib/xenstored tmpfs:
>      Options=mode=755,context="system_u:object_r:xenstored_var_lib_t:s0"
>    For the upstream version we remove that and let systems specify
>    the context on their system /etc/default/xenstored or
>    /etc/sysconfig/xenstored $XENSTORED_MOUNT_CTX variable
> ...
> It is nowhere stated (on xen-devel) what "Some systems" means, which
> is unfortunately common practice in nearly all opensource projects.
> http://lists.xenproject.org/archives/html/xen-devel/2014-03/msg02462.html
> 
> Signed-off-by: Olaf Hering <olaf@xxxxxxxxx>
> Cc: Ian Jackson <ian.jackson@xxxxxxxxxxxxx>
> Cc: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>

Acked-by: Ian Campbell <ian.campbell@xxxxxxxxxx>

(on commit s/Appearently/Apparently/; s/non-existant/non-existent/ in
the commit log)

> -Options=mode=755,context="$XENSTORED_MOUNT_CTX"
> +Options=mode=755
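Review bot: dropping context= from Options= without a note in the unit or the release documentation leaves anyone who previously relied on XENSTORED_MOUNT_CTX with an unlabelled tmpfs on /var/lib/xenstored; the commit log says the replacement is an /etc/fstab entry, so a one-line comment in the .mount file pointing at /etc/fstab for SELinux context options would make the migration path visible where the setting is actually being removed.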

FWIW an alternative might have been:
  Options=mode=755,$XENSTORED_MOUNT_OPTIONS
where the variable from the EnvironmentFile could contain context= as
necessary (and maybe even mode=... by default).

But if /etc/fstab is the Right Place(tm) then let's go with that for 4.5.

Ian.


