[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH 1/7] tools/hotplug: remove SELinux options from var-lib-xenstored.mount

To: Olaf Hering <olaf@xxxxxxxxx>
From: George Dunlap <George.Dunlap@xxxxxxxxxxxxx>
Date: Tue, 15 Sep 2015 09:55:13 +0100
Cc: Wei Liu <wei.liu2@xxxxxxxxxx>, Ian Campbell <ian.campbell@xxxxxxxxxx>, "Luis R. Rodriguez" <mcgrof@xxxxxxxxxxxxxxxx>, Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>, Ian Jackson <ian.jackson@xxxxxxxxxxxxx>, George Dunlap <george.dunlap@xxxxxxxxxx>, "xen-devel@xxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxx>, M A Young <m.a.young@xxxxxxxxxxxx>, Anthony PERARD <anthony.perard@xxxxxxxxxx>
Delivery-date: Tue, 15 Sep 2015 08:55:27 +0000
List-id: Xen developer discussion <xen-devel.lists.xen.org>

On Mon, Sep 14, 2015 at 7:33 PM, Olaf Hering <olaf@xxxxxxxxx> wrote:
> On Mon, Sep 14, George Dunlap wrote:
>
>> Well if you "know nothing about SELinux", and you don't use it, and
>> don't have any test systems that use it, then why did you assert
>> "The proper place to specify [an SELinux mount context] is /etc/fstab"?
>>  This patchset was accepted because you represented it as the "right"
>> way of doing things.
>
> Because at that time the way SELinux was handled failed on systems which
> had SELinux disabled, or which did not recognize the option.
> And I still think that mount options have to go into fstab.

It's very reasonable for you to expect it to be fixed on non-SELinux
systems.  But what you did is fix it for non-SELinux systems by simply
breaking it on SELinux systems -- that's not at all reasonable.

And I'm not really familiar enough with the standards around fstab and
whatever to have a strong opinion on the "right" way to do things; but
"fiddle with fstab and pray that the added lines fit the system
policies" is definitely not my idea of the Right Way to do things.

In any case, it looks like adding manual mount options isn't actually
the Right Way to do fix things for SELinux, no matter where you put
them -- it requires your mount options to be kept in sync with the
global SELinux policy, which is more fragile.  The way most other
tmpfs things get dealt with, as I said, is running "restorecon", which
updates labels from the master SELinux policy.

 -George

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel

Follow-Ups:
- Re: [Xen-devel] [PATCH 1/7] tools/hotplug: remove SELinux options from var-lib-xenstored.mount
  - From: Olaf Hering

References:
- Re: [Xen-devel] [PATCH 1/7] tools/hotplug: remove SELinux options from var-lib-xenstored.mount
  - From: George Dunlap
- Re: [Xen-devel] [PATCH 1/7] tools/hotplug: remove SELinux options from var-lib-xenstored.mount
  - From: Olaf Hering
- Re: [Xen-devel] [PATCH 1/7] tools/hotplug: remove SELinux options from var-lib-xenstored.mount
  - From: George Dunlap
- Re: [Xen-devel] [PATCH 1/7] tools/hotplug: remove SELinux options from var-lib-xenstored.mount
  - From: Olaf Hering

Prev by Date: [Xen-devel] [distros-debian-squeeze test] 37928: all pass
Next by Date: [Xen-devel] [PATCH OSSTEST RFC 2/2] sg-run-job: support dropping in adhoc test recipes
Previous by thread: Re: [Xen-devel] [PATCH 1/7] tools/hotplug: remove SELinux options from var-lib-xenstored.mount
Next by thread: Re: [Xen-devel] [PATCH 1/7] tools/hotplug: remove SELinux options from var-lib-xenstored.mount
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.