Fabian Deutsch has uploaded a new change for review.

Change subject: hooks: Run hooks from neutral context to allow SELinux transitions
......................................................................
hooks: Run hooks from neutral context to allow SELinux transitions

In change I8a6e4533628fc217c8e6b0d9028b51f38895f4d2 the hooks got moved to their own service. Prior to that relocation, we ensured that the hooks were called from the unconfined_t to ensure that all context transitions were working correctly.

That change however dropped the runcon call which ensured that the hooks were started from the right context.

This patch now adds back the runcon call to set the unconfined_t context when launching the hooks; this shall ensure proper transitions.

The symptoms of this bug are for example that a service has the wrong SELinux context, because the hook was run in the ovirt_t context, which had no allowed transitions to the required target context of the service. I.e.: libvirtd was still running in the ovirt_t context, even if it should be running in the virtd_t context.

Now that runcon -t unconfined_t $HOOK is used, the service can happily transition from unconfined_t to ovirt_t.

Change-Id: I2802d92f1ef86fd6df490fe4196c1cf044626a35
Bug-Url: https://bugzilla.redhat.com/show_bug.cgi?id=1281363
Signed-off-by: Fabian Deutsch <[email protected]>
(cherry picked from commit 48b8851e8c5b440ed341c3269407619ee76995df)
(cherry picked from commit 3d9f68c9a41057a5db2360fb6363178002350af3)
---
M scripts/ovirt-node-hooks.sh
1 file changed, 1 insertion(+), 1 deletion(-)

git pull ssh://gerrit.ovirt.org:29418/ovirt-node refs/changes/11/48611/1

diff --git a/scripts/ovirt-node-hooks.sh b/scripts/ovirt-node-hooks.sh
index 4d0c0c6..21c7f01 100644
--- a/scripts/ovirt-node-hooks.sh
+++ b/scripts/ovirt-node-hooks.sh
@@ -36,7 +36,7 @@ for handler in "$HOOK_DIR/$1"/*; do echo "Running handler: $handler" - "$handler" >> $OVIRT_HOOKLOG 2>&1 + runcon -t unconfined_t "$handler" >> $OVIRT_HOOKLOG 2>&1 done fi -- To view, visit https://gerrit.ovirt.org/48611 To unsubscribe, visit https://gerrit.ovirt.org/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I2802d92f1ef86fd6df490fe4196c1cf044626a35 Gerrit-PatchSet: 1 Gerrit-Project: ovirt-node Gerrit-Branch: ovirt-3.5 Gerrit-Owner: Fabian Deutsch <[email protected]> _______________________________________________ node-patches mailing list [email protected] http://lists.ovirt.org/mailman/listinfo/node-patches
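Review bot: the new `runcon -t unconfined_t "$handler" >> $OVIRT_HOOKLOG 2>&1` line in this hunk has no fallback and no status check, so a runcon failure now means the handler is not executed at all, where the old `"$handler"` line at least ran it in the caller's domain. runcon exits non-zero without running the command when the kernel has SELinux disabled or when the calling domain (ovirt_t per the commit message) is not permitted to switch to unconfined_t, and since stdout and stderr are both appended to $OVIRT_HOOKLOG the only trace is a line in that log. Suggest guarding the call, e.g. `if selinuxenabled; then runcon -t unconfined_t "$handler"; else "$handler"; fi >> "$OVIRT_HOOKLOG" 2>&1`, and logging `$?` next to the existing "Running handler:" echo so a refused transition is visible; `$OVIRT_HOOKLOG` should also be quoted like `$handler` is. On the design side, unconfined_t is the least restrictive domain available, so running every hook there is a broad privilege grant rather than a targeted fix; if the underlying problem is that ovirt_t lacks a transition rule to the service domains (virtd_t in the description), adding that rule to the policy would fix the symptom while keeping the hooks confined, and the commit message's last sentence ("transition from unconfined_t to ovirt_t") should name the same target domain as the paragraph above it so a reader can verify the intended transition.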
