Fabian Deutsch has submitted this change and it was merged.

Change subject: hooks: Run hooks from neutral context to allow SELinux transitions
......................................................................

hooks: Run hooks from neutral context to allow SELinux transitions

In change I8a6e4533628fc217c8e6b0d9028b51f38895f4d2 the hooks got moved to
their own service.
Prior to that relocation, we ensured that the hooks were called from the
unconfined_t to ensure that all context transitions were working
correctly.
That change, however, dropped the runcon call which ensured that the hooks
were started from the right context.

This patch now adds back the runcon call to set the unconfined_t context
when launching the hooks; this shall ensure proper transitions.

The symptoms of this bug are, for example, that a service has the wrong
SELinux context, because the hook was run in the ovirt_t context, which
had no allowed transitions to the required target context of the service.
I.e.: libvirtd was still running in the ovirt_t context, even if it should
be running in the virtd_t context.

Now that runcon -t unconfined_t $HOOK is used, the service can happily
transition from unconfined_t to ovirt_t

Change-Id: I2802d92f1ef86fd6df490fe4196c1cf044626a35
Bur-Url: https://bugzilla.redhat.com/show_bug.cgi?id=1281363
Signed-off-by: Fabian Deutsch <[email protected]>
---
M scripts/ovirt-node-hooks.sh
1 file changed, 1 insertion(+), 1 deletion(-)

Approvals:
  Fabian Deutsch: Verified; Looks good to me, approved; Passed CI tests
  Douglas Schilling Landgraf: Looks good to me, but someone else must approve

--
To view, visit https://gerrit.ovirt.org/48532

Gerrit-MessageType: merged
Gerrit-Change-Id: I2802d92f1ef86fd6df490fe4196c1cf044626a35
Gerrit-PatchSet: 2
Gerrit-Project: ovirt-node
Gerrit-Branch: master
Gerrit-Owner: Fabian Deutsch <[email protected]>
Gerrit-Reviewer: Douglas Schilling Landgraf <[email protected]>
Gerrit-Reviewer: Fabian Deutsch <[email protected]>
Gerrit-Reviewer: Jenkins CI
Gerrit-Reviewer: gerrit-hooks <[email protected]>
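
A check for the symptom the commit message describes (a service left running in the wrong SELinux domain), as an added example that is not part of the original message or of the ovirt-node code: it parses `ps -eZ` style output and reports processes whose type differs from the expected one. The function name, the `cmd=type` argument format and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: report processes whose SELinux type is not the expected one.

# Constructed samples in `ps -eZ` layout (not captured from a real host).
# Broken case: libvirtd inherited ovirt_t because no transition was allowed.
SAMPLE_BROKEN='LABEL                                   PID TTY      TIME CMD
system_u:system_r:init_t:s0               1 ?    00:00:02 systemd
system_u:system_r:ovirt_t:s0            845 ?    00:00:01 libvirtd'

# Fixed case: libvirtd transitioned into virtd_t (label carries an MLS range).
SAMPLE_FIXED='LABEL                                   PID TTY      TIME CMD
system_u:system_r:init_t:s0               1 ?    00:00:02 systemd
system_u:system_r:virtd_t:s0-s0:c0.c1023 845 ?    00:00:01 libvirtd'

# find_wrong_domains "cmd=type [cmd=type ...]"  (hypothetical helper)
# Reads `ps -eZ` lines on stdin, prints one line per mismatch and
# returns 1 if any listed command runs under an unexpected type.
find_wrong_domains() {
    awk -v expect="$1" '
        BEGIN {
            n = split(expect, pairs, " ")
            for (i = 1; i <= n; i++) {
                split(pairs[i], kv, "=")
                want[kv[1]] = kv[2]
            }
        }
        NR == 1 && $1 == "LABEL" { next }      # skip the header row
        {
            cmd = $NF
            if (!(cmd in want)) next
            split($1, ctx, ":")                # user:role:type:level[:categories]
            if (ctx[3] != want[cmd]) {
                printf "%s pid=%s type=%s expected=%s\n", cmd, $2, ctx[3], want[cmd]
                bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Demonstration on the constructed broken sample.
printf '%s\n' "$SAMPLE_BROKEN" | find_wrong_domains "libvirtd=virtd_t" || true
```

On a live host the same function can be fed directly: `ps -eZ | find_wrong_domains "libvirtd=virtd_t"`.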
