Ryan Barry has uploaded a new change for review.

Change subject: Allow ovirt_t to transition to unconfined_t for ovirt-post
Allow ovirt_t to transition to unconfined_t for ovirt-post Allow transitions so hooks run unconfined and can appropriately set the context on services they start (i.e. libvirtd) instead of leaving them as ovirt_t Change-Id: I721f31319e08d6aba9b2a79ad863652f7e76e1d5 Bug-Url: https://bugzilla.redhat.com/show_bug.cgi?id=1207155 Signed-off-by: Ryan Barry <[email protected]> --- M scripts/ovirt-init-functions.sh.in M semodule/ovirt.te.in 2 files changed, 2 insertions(+), 2 deletions(-) git pull ssh://gerrit.ovirt.org:29418/ovirt-node refs/changes/76/39376/1 diff --git a/scripts/ovirt-init-functions.sh.in b/scripts/ovirt-init-functions.sh.in index 88efd20..ce45049 100644 --- a/scripts/ovirt-init-functions.sh.in +++ b/scripts/ovirt-init-functions.sh.in @@ -1518,7 +1518,7 @@ for handler in "$HOOK_ON_BOOT_DIR"/*; do log "Running handler: $handler" - "$handler" >> $OVIRT_LOGFILE 2>&1 + runcon -t unconfined_t "$handler" >> $OVIRT_LOGFILE 2>&1 done fi diff --git a/semodule/ovirt.te.in b/semodule/ovirt.te.in index 1dd3934..ceb7780 100644 --- a/semodule/ovirt.te.in +++ b/semodule/ovirt.te.in @@ -585,12 +585,12 @@ ') - # # Transitions # type ovirt_t; type ovirt_exec_t; +allow ovirt_t unconfined_t: process transition; init_daemon_domain(ovirt_t, ovirt_exec_t) unconfined_domain(ovirt_t) unconfined_domain(mount_t) -- To view, visit https://gerrit.ovirt.org/39376 To unsubscribe, visit https://gerrit.ovirt.org/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I721f31319e08d6aba9b2a79ad863652f7e76e1d5 Gerrit-PatchSet: 1 Gerrit-Project: ovirt-node Gerrit-Branch: master Gerrit-Owner: Ryan Barry <[email protected]> _______________________________________________ node-patches mailing list [email protected] http://lists.ovirt.org/mailman/listinfo/node-patches
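Review bot: in the scripts/ovirt-init-functions.sh.in hunk, the new `runcon -t unconfined_t "$handler"` line has no exit-status check and no fallback. If runcon itself fails (SELinux disabled on the host, or the transition denied), the handler never executes and the loop continues with only runcon's error text appended to $OVIRT_LOGFILE. Suggest checking the return code and reporting a failure through log, and either guarding the call with selinuxenabled or falling back to invoking "$handler" directly. While the line is being touched, quote "$OVIRT_LOGFILE" in the redirect. A short comment noting that every file in $HOOK_ON_BOOT_DIR now runs as unconfined_t would also help, since it makes the ownership and permissions of that directory part of the trust boundary.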
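Review bot: in the semodule/ovirt.te.in hunk, `allow ovirt_t unconfined_t: process transition;` names unconfined_t directly, but nothing in the visible context declares or requires that type. Unless a gen_require for it already exists elsewhere in the file the module will not compile, so either add one or use an interface such as unconfined_domtrans() if the base policy provides a suitable one, rather than a raw allow. The rule also permits the transition for any ovirt_t process, not only the on-boot hook loop, and it sits two lines above unconfined_domain(ovirt_t), so a one-line comment above it explaining why the explicit transition is needed (with the Bug-Url) would save the next reader a trip to the commit log. Style nit: drop the space after the colon (unconfined_t:process) to match the usual policy formatting.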
