Re: [Xen-devel] [PATCH 1/7] tools/hotplug: remove SELinux options from var-lib-xenstored.mount
On Mon, Sep 14, 2015 at 7:33 PM, Olaf Heringwrote: > On Mon, Sep 14, George Dunlap wrote: > >> Well if you "know nothing about SELinux", and you don't use it, and >> don't have any test systems that use it, then why did you assert >> "The proper place to specify [an SELinux mount context] is /etc/fstab"? >> This patchset was accepted because you represented it as the "right" >> way of doing things. > > Because at that time the way SELinux was handled failed on systems which > had SELinux disabled, or which did not recognize the option. > And I still think that mount options have to go into fstab. It's very reasonable for you to expect it to be fixed on non-SELinux systems. But what you did is fix it for non-SELinux systems by simply breaking it on SELinux systems -- that's not at all reasonable. And I'm not really familiar enough with the standards around fstab and whatever to have a strong opinion on the "right" way to do things; but "fiddle with fstab and pray that the added lines fit the system policies" is definitely not my idea of the Right Way to do things. In any case, it looks like adding manual mount options isn't actually the Right Way to do fix things for SELinux, no matter where you put them -- it requires your mount options to be kept in sync with the global SELinux policy, which is more fragile. The way most other tmpfs things get dealt with, as I said, is running "restorecon", which updates labels from the master SELinux policy. -George ___ Xen-devel mailing list Xen-devel@lists.xen.org http://lists.xen.org/xen-devel
Re: [Xen-devel] [PATCH 1/7] tools/hotplug: remove SELinux options from var-lib-xenstored.mount
On 09/15/2015 04:12 PM, Konrad Rzeszutek Wilk wrote: > On Tue, Sep 15, 2015 at 03:01:31PM +0100, George Dunlap wrote: >> On 09/15/2015 02:58 PM, Konrad Rzeszutek Wilk wrote: >>> On Tue, Sep 15, 2015 at 01:55:15PM +0100, George Dunlap wrote: On Tue, Sep 15, 2015 at 1:48 PM, Olaf Heringwrote: > On Tue, Sep 15, George Dunlap wrote: > >> It's very reasonable for you to expect it to be fixed on non-SELinux >> systems. But what you did is fix it for non-SELinux systems by simply >> breaking it on SELinux systems -- that's not at all reasonable. > > Konrad did some testing at that time and said 4.5 was ok. > Why is 4.6 broken now? OK -- I see that he committed it, but I didn't see him say that he had tested this particular patch. It would be interesting to find out why it worked for him. >>> >>> It just worked out of the box when I installed an source build of the Xen >>> on a virgin Fedora box. >>> >>> I am not sure how it worked if SELinux ended up being disabled! >> >> So how did you install Xen? "make install"? Or did you do "make rpmball"? > > ./configure --enable-systemd --prefix=/usr > > make -j31556 > make install > > cat README | grep systemctl > [paste all of those in the command line] > > grub2-mkconfig -o /boot/grub/grub2.cfg > > reboot Right -- so you never did "restorecon" or "fixfiles -f relabel" or "touch /.autorelabel" or anything explicitly to give the installed binares their selinux labels? In which case I'm *guessing* that you never actually set up selinux for the Xen binares, and the reason it worked for you was that you weren't actualling using the selinux rules. >> Is it possible that /usr/sbin/xenstored never got the default selinux >> label, and so never had any issues from the fact that /var/lib/xenstored >> also didn't have the proper label? > > > I think you are asking me to try this once more and seeing if > I see the error you think I should be seeing :-) > > I can certainly do that - but not today. Would Friday be OK? Well, I did think about asking you to try again, but I purposely didn't. :-) Since you've offered though, yes, it would be good if you could do exactly what you did before, and then look at ls -lZ /usr/sbin/xenstored And then, perhaps, do "touch /.autorelabel" (assuming that works on Fedora the way it works on CentOS), reboot, and see what happens (and what ls -lZ /usr/sbin/xenstored comes up with)? I won't be working Friday, but I'll be back in Monday. Thanks, -George ___ Xen-devel mailing list Xen-devel@lists.xen.org http://lists.xen.org/xen-devel
Re: [Xen-devel] [PATCH 1/7] tools/hotplug: remove SELinux options from var-lib-xenstored.mount
On Tue, Sep 15, 2015 at 03:01:31PM +0100, George Dunlap wrote: > On 09/15/2015 02:58 PM, Konrad Rzeszutek Wilk wrote: > > On Tue, Sep 15, 2015 at 01:55:15PM +0100, George Dunlap wrote: > >> On Tue, Sep 15, 2015 at 1:48 PM, Olaf Heringwrote: > >>> On Tue, Sep 15, George Dunlap wrote: > >>> > It's very reasonable for you to expect it to be fixed on non-SELinux > systems. But what you did is fix it for non-SELinux systems by simply > breaking it on SELinux systems -- that's not at all reasonable. > >>> > >>> Konrad did some testing at that time and said 4.5 was ok. > >>> Why is 4.6 broken now? > >> > >> OK -- I see that he committed it, but I didn't see him say that he had > >> tested this particular patch. It would be interesting to find out why > >> it worked for him. > > > > It just worked out of the box when I installed an source build of the Xen > > on a virgin Fedora box. > > > > I am not sure how it worked if SELinux ended up being disabled! > > So how did you install Xen? "make install"? Or did you do "make rpmball"? ./configure --enable-systemd --prefix=/usr make -j31556 make install cat README | grep systemctl [paste all of those in the command line] grub2-mkconfig -o /boot/grub/grub2.cfg reboot > > Is it possible that /usr/sbin/xenstored never got the default selinux > label, and so never had any issues from the fact that /var/lib/xenstored > also didn't have the proper label? I think you are asking me to try this once more and seeing if I see the error you think I should be seeing :-) I can certainly do that - but not today. Would Friday be OK? > > -George > ___ Xen-devel mailing list Xen-devel@lists.xen.org http://lists.xen.org/xen-devel
Re: [Xen-devel] [PATCH 1/7] tools/hotplug: remove SELinux options from var-lib-xenstored.mount
On Tue, Sep 15, 2015 at 02:48:57PM +0200, Olaf Hering wrote: > On Tue, Sep 15, George Dunlap wrote: > > > It's very reasonable for you to expect it to be fixed on non-SELinux > > systems. But what you did is fix it for non-SELinux systems by simply > > breaking it on SELinux systems -- that's not at all reasonable. > > Konrad did some testing at that time and said 4.5 was ok. Correct. > Why is 4.6 broken now? > > Olaf > > ___ > Xen-devel mailing list > Xen-devel@lists.xen.org > http://lists.xen.org/xen-devel ___ Xen-devel mailing list Xen-devel@lists.xen.org http://lists.xen.org/xen-devel
Re: [Xen-devel] [PATCH 1/7] tools/hotplug: remove SELinux options from var-lib-xenstored.mount
On Tue, Sep 15, 2015 at 01:55:15PM +0100, George Dunlap wrote: > On Tue, Sep 15, 2015 at 1:48 PM, Olaf Heringwrote: > > On Tue, Sep 15, George Dunlap wrote: > > > >> It's very reasonable for you to expect it to be fixed on non-SELinux > >> systems. But what you did is fix it for non-SELinux systems by simply > >> breaking it on SELinux systems -- that's not at all reasonable. > > > > Konrad did some testing at that time and said 4.5 was ok. > > Why is 4.6 broken now? > > OK -- I see that he committed it, but I didn't see him say that he had > tested this particular patch. It would be interesting to find out why > it worked for him. It just worked out of the box when I installed an source build of the Xen on a virgin Fedora box. I am not sure how it worked if SELinux ended up being disabled! > > -George ___ Xen-devel mailing list Xen-devel@lists.xen.org http://lists.xen.org/xen-devel
Re: [Xen-devel] [PATCH 1/7] tools/hotplug: remove SELinux options from var-lib-xenstored.mount
On 09/15/2015 02:58 PM, Konrad Rzeszutek Wilk wrote: > On Tue, Sep 15, 2015 at 01:55:15PM +0100, George Dunlap wrote: >> On Tue, Sep 15, 2015 at 1:48 PM, Olaf Heringwrote: >>> On Tue, Sep 15, George Dunlap wrote: >>> It's very reasonable for you to expect it to be fixed on non-SELinux systems. But what you did is fix it for non-SELinux systems by simply breaking it on SELinux systems -- that's not at all reasonable. >>> >>> Konrad did some testing at that time and said 4.5 was ok. >>> Why is 4.6 broken now? >> >> OK -- I see that he committed it, but I didn't see him say that he had >> tested this particular patch. It would be interesting to find out why >> it worked for him. > > It just worked out of the box when I installed an source build of the Xen > on a virgin Fedora box. > > I am not sure how it worked if SELinux ended up being disabled! So how did you install Xen? "make install"? Or did you do "make rpmball"? Is it possible that /usr/sbin/xenstored never got the default selinux label, and so never had any issues from the fact that /var/lib/xenstored also didn't have the proper label? -George ___ Xen-devel mailing list Xen-devel@lists.xen.org http://lists.xen.org/xen-devel
Re: [Xen-devel] [PATCH 1/7] tools/hotplug: remove SELinux options from var-lib-xenstored.mount
On Tue, Sep 15, George Dunlap wrote: > It's very reasonable for you to expect it to be fixed on non-SELinux > systems. But what you did is fix it for non-SELinux systems by simply > breaking it on SELinux systems -- that's not at all reasonable. Konrad did some testing at that time and said 4.5 was ok. Why is 4.6 broken now? Olaf ___ Xen-devel mailing list Xen-devel@lists.xen.org http://lists.xen.org/xen-devel
Re: [Xen-devel] [PATCH 1/7] tools/hotplug: remove SELinux options from var-lib-xenstored.mount
On Tue, Sep 15, 2015 at 1:48 PM, Olaf Heringwrote: > On Tue, Sep 15, George Dunlap wrote: > >> It's very reasonable for you to expect it to be fixed on non-SELinux >> systems. But what you did is fix it for non-SELinux systems by simply >> breaking it on SELinux systems -- that's not at all reasonable. > > Konrad did some testing at that time and said 4.5 was ok. > Why is 4.6 broken now? OK -- I see that he committed it, but I didn't see him say that he had tested this particular patch. It would be interesting to find out why it worked for him. -George ___ Xen-devel mailing list Xen-devel@lists.xen.org http://lists.xen.org/xen-devel
Re: [Xen-devel] [PATCH 1/7] tools/hotplug: remove SELinux options from var-lib-xenstored.mount
On 09/11/2015 07:31 AM, Olaf Hering wrote: > On Thu, Sep 10, George Dunlap wrote: > >> On Fri, Dec 19, 2014 at 11:25 AM, Olaf Heringwrote: >>> Using SELinux mount options per default breaks several systems. >>> Either the context= mount option is not known at all to the kernel, >>> as reported for ArchLinux. Or the default value "none" is unknown to >>> SELinux, as reported for Fedora. In both cases the unit will fail. >>> >>> The proper place to specify mount options is /etc/fstab. Appearently >>> systemd is kind enough to use values from there even if Options= or >>> What= is specified in a .mount file. >> >> For the benefit of someone moonlighting as a CentOS package >> maintainer, could you tell me how adding such an entry in a package is >> normally done? Or alternately, how you would recommend a package >> maintainer to add the appropriate context? > > George, I know nothing about SELinux. > I think its either up to a rpm %post install script to fiddle with fstab > and pray that the added lines fit the system policies. Or its up to the > documentation team to describe how SELinux is supposed to be configured > for the third party app "Xen" on CentOS. Well if you "know nothing about SELinux", and you don't use it, and don't have any test systems that use it, then why did you assert "The proper place to specify [an SELinux mount context] is /etc/fstab"? This patchset was accepted because you represented it as the "right" way of doing things. So poking around CentOS 7, it looks like in most cases, after a tmpfs is mounted, "restorecon -R $mountpoint" is also run, which restores the default selinux tags. Manually starting var-lib-xenstored, then running restorecon, then manually starting xenstored.service seems to work. So at the moment I'm trying to figure out if there's a "right" way to get restorecon run at the right time (or alternately, a "right" way to mount a tmpfs at /var/lib/xenstored such that it happens automatically). If that doesn't work, then adding a xenstored configuration file that can contain mount options is probably the best option. -George ___ Xen-devel mailing list Xen-devel@lists.xen.org http://lists.xen.org/xen-devel
Re: [Xen-devel] [PATCH 1/7] tools/hotplug: remove SELinux options from var-lib-xenstored.mount
On Mon, Sep 14, George Dunlap wrote: > Well if you "know nothing about SELinux", and you don't use it, and > don't have any test systems that use it, then why did you assert > "The proper place to specify [an SELinux mount context] is /etc/fstab"? > This patchset was accepted because you represented it as the "right" > way of doing things. Because at that time the way SELinux was handled failed on systems which had SELinux disabled, or which did not recognize the option. And I still think that mount options have to go into fstab. Olaf ___ Xen-devel mailing list Xen-devel@lists.xen.org http://lists.xen.org/xen-devel
Re: [Xen-devel] [PATCH 1/7] tools/hotplug: remove SELinux options from var-lib-xenstored.mount
On Thu, Sep 10, George Dunlap wrote: > On Fri, Dec 19, 2014 at 11:25 AM, Olaf Heringwrote: > > Using SELinux mount options per default breaks several systems. > > Either the context= mount option is not known at all to the kernel, > > as reported for ArchLinux. Or the default value "none" is unknown to > > SELinux, as reported for Fedora. In both cases the unit will fail. > > > > The proper place to specify mount options is /etc/fstab. Appearently > > systemd is kind enough to use values from there even if Options= or > > What= is specified in a .mount file. > > For the benefit of someone moonlighting as a CentOS package > maintainer, could you tell me how adding such an entry in a package is > normally done? Or alternately, how you would recommend a package > maintainer to add the appropriate context? George, I know nothing about SELinux. I think its either up to a rpm %post install script to fiddle with fstab and pray that the added lines fit the system policies. Or its up to the documentation team to describe how SELinux is supposed to be configured for the third party app "Xen" on CentOS. Olaf ___ Xen-devel mailing list Xen-devel@lists.xen.org http://lists.xen.org/xen-devel
Re: [Xen-devel] [PATCH 1/7] tools/hotplug: remove SELinux options from var-lib-xenstored.mount
On Thu, 10 Sep 2015, George Dunlap wrote: > On Fri, Dec 19, 2014 at 11:25 AM, Olaf Heringwrote: > > Using SELinux mount options per default breaks several systems. > > Either the context= mount option is not known at all to the kernel, > > as reported for ArchLinux. Or the default value "none" is unknown to > > SELinux, as reported for Fedora. In both cases the unit will fail. > > > > The proper place to specify mount options is /etc/fstab. Appearently > > systemd is kind enough to use values from there even if Options= or > > What= is specified in a .mount file. > > For the benefit of someone moonlighting as a CentOS package > maintainer, could you tell me how adding such an entry in a package is > normally done? Or alternately, how you would recommend a package > maintainer to add the appropriate context? I suspect it is actually easier to put the selinux context back into systemd file rather than trying to edit /etc/fstab which could get messy. If that is what you want to do you could look at http://pkgs.fedoraproject.org/cgit/xen.git/tree/xen.fedora.systemd.patch for ideas on how to do it. Michael Young ___ Xen-devel mailing list Xen-devel@lists.xen.org http://lists.xen.org/xen-devel
Re: [Xen-devel] [PATCH 1/7] tools/hotplug: remove SELinux options from var-lib-xenstored.mount
On 09/10/2015 03:13 PM, M A Young wrote: > On Thu, 10 Sep 2015, George Dunlap wrote: > >> On Fri, Dec 19, 2014 at 11:25 AM, Olaf Heringwrote: >>> Using SELinux mount options per default breaks several systems. >>> Either the context= mount option is not known at all to the kernel, >>> as reported for ArchLinux. Or the default value "none" is unknown to >>> SELinux, as reported for Fedora. In both cases the unit will fail. >>> >>> The proper place to specify mount options is /etc/fstab. Appearently >>> systemd is kind enough to use values from there even if Options= or >>> What= is specified in a .mount file. >> >> For the benefit of someone moonlighting as a CentOS package >> maintainer, could you tell me how adding such an entry in a package is >> normally done? Or alternately, how you would recommend a package >> maintainer to add the appropriate context? > > I suspect it is actually easier to put the selinux context back into > systemd file rather than trying to edit /etc/fstab which could get messy. > If that is what you want to do you could look at > http://pkgs.fedoraproject.org/cgit/xen.git/tree/xen.fedora.systemd.patch > for ideas on how to do it. Right, well manually modifying the upstream source file is not a good "interface" to provide. If modifying /etc/fstab is not "the right solution" for packages, then much better solution would have been to do what IanC suggested later in this thread, and do something like this instead: Options=mode=755,$XENSTORED_MOUNT_OPTIONS -George ___ Xen-devel mailing list Xen-devel@lists.xen.org http://lists.xen.org/xen-devel
Re: [Xen-devel] [PATCH 1/7] tools/hotplug: remove SELinux options from var-lib-xenstored.mount
On Tue, Jan 06, Ian Campbell wrote: On Fri, 2014-12-19 at 12:25 +0100, Olaf Hering wrote: ... Acked-by: Ian Campbell ian.campb...@citrix.com (on commit s/Appearently/Apparently/; s/non-existant/non-existent/ in the commit log) I made typos also in other commit messages. Should I resend the entire series, or will this be done during commit? Olaf ___ Xen-devel mailing list Xen-devel@lists.xen.org http://lists.xen.org/xen-devel
Re: [Xen-devel] [PATCH 1/7] tools/hotplug: remove SELinux options from var-lib-xenstored.mount
On Wed, Jan 07, 2015 at 09:31:50AM +, Ian Campbell wrote: On Wed, 2015-01-07 at 10:23 +0100, Olaf Hering wrote: On Tue, Jan 06, Ian Campbell wrote: On Fri, 2014-12-19 at 12:25 +0100, Olaf Hering wrote: ... Acked-by: Ian Campbell ian.campb...@citrix.com (on commit s/Appearently/Apparently/; s/non-existant/non-existent/ in the commit log) I made typos also in other commit messages. Should I resend the entire series, or will this be done during commit? Looks like Konrad already committed, I don't know if he fixed the typos (I suppose it doesn't matter now either way). I did the changes you pointed our here. Ian. ___ Xen-devel mailing list Xen-devel@lists.xen.org http://lists.xen.org/xen-devel
Re: [Xen-devel] [PATCH 1/7] tools/hotplug: remove SELinux options from var-lib-xenstored.mount
On Fri, 2014-12-19 at 12:25 +0100, Olaf Hering wrote: Using SELinux mount options per default breaks several systems. Either the context= mount option is not known at all to the kernel, as reported for ArchLinux. Or the default value none is unknown to SELinux, as reported for Fedora. In both cases the unit will fail. The proper place to specify mount options is /etc/fstab. Appearently systemd is kind enough to use values from there even if Options= or What= is specified in a .mount file. Remove XENSTORED_MOUNT_CTX, the reference to a non-existant EnvironmentFile and trim default Options= for the mount point. The removed code was first mentioned in the patch referenced below, with the following description: ... * Some systems define the selinux context in the systemd Option for the /var/lib/xenstored tmpfs: Options=mode=755,context=system_u:object_r:xenstored_var_lib_t:s0 For the upstream version we remove that and let systems specify the context on their system /etc/default/xenstored or /etc/sysconfig/xenstored $XENSTORED_MOUNT_CTX variable ... It is nowhere stated (on xen-devel) what Some systems means, which is unfortunately common practice in nearly all opensource projects. http://lists.xenproject.org/archives/html/xen-devel/2014-03/msg02462.html Signed-off-by: Olaf Hering o...@aepfle.de Cc: Ian Jackson ian.jack...@eu.citrix.com Cc: Stefano Stabellini stefano.stabell...@eu.citrix.com Acked-by: Ian Campbell ian.campb...@citrix.com (on commit s/Appearently/Apparently/; s/non-existant/non-existent/ in the commit log) -Options=mode=755,context=$XENSTORED_MOUNT_CTX +Options=mode=755 FWIW an alternative might have been: Options=mode=755,$XENSTORED_MOUNT_OPTIONS where the variable from the EnvironmentFile could contain context= as necessary (and maybe even mode=... by default). But if /etc/fstab is the Right Place(tm) then lets go with that for 4.5. Ian. ___ Xen-devel mailing list Xen-devel@lists.xen.org http://lists.xen.org/xen-devel
Re: [Xen-devel] [PATCH 1/7] tools/hotplug: remove SELinux options from var-lib-xenstored.mount
Olaf Hering writes ([PATCH 1/7] tools/hotplug: remove SELinux options from var-lib-xenstored.mount): Using SELinux mount options per default breaks several systems. Either the context= mount option is not known at all to the kernel, as reported for ArchLinux. Or the default value none is unknown to SELinux, as reported for Fedora. In both cases the unit will fail. ... Signed-off-by: Olaf Hering o...@aepfle.de Acked-by: Ian Jackson ian.jack...@eu.citrix.com When applied along with the README change provided by Konrad. Ian. ___ Xen-devel mailing list Xen-devel@lists.xen.org http://lists.xen.org/xen-devel
[Xen-devel] [PATCH 1/7] tools/hotplug: remove SELinux options from var-lib-xenstored.mount
Using SELinux mount options per default breaks several systems. Either the context= mount option is not known at all to the kernel, as reported for ArchLinux. Or the default value none is unknown to SELinux, as reported for Fedora. In both cases the unit will fail. The proper place to specify mount options is /etc/fstab. Appearently systemd is kind enough to use values from there even if Options= or What= is specified in a .mount file. Remove XENSTORED_MOUNT_CTX, the reference to a non-existant EnvironmentFile and trim default Options= for the mount point. The removed code was first mentioned in the patch referenced below, with the following description: ... * Some systems define the selinux context in the systemd Option for the /var/lib/xenstored tmpfs: Options=mode=755,context=system_u:object_r:xenstored_var_lib_t:s0 For the upstream version we remove that and let systems specify the context on their system /etc/default/xenstored or /etc/sysconfig/xenstored $XENSTORED_MOUNT_CTX variable ... It is nowhere stated (on xen-devel) what Some systems means, which is unfortunately common practice in nearly all opensource projects. http://lists.xenproject.org/archives/html/xen-devel/2014-03/msg02462.html Signed-off-by: Olaf Hering o...@aepfle.de Cc: Ian Jackson ian.jack...@eu.citrix.com Cc: Stefano Stabellini stefano.stabell...@eu.citrix.com Cc: Ian Campbell ian.campb...@citrix.com Cc: Wei Liu wei.l...@citrix.com Cc: Anthony PERARD anthony.per...@citrix.com Cc: M A Young m.a.yo...@durham.ac.uk Cc: Luis R. Rodriguez mcg...@do-not-panic.com --- tools/hotplug/Linux/systemd/var-lib-xenstored.mount.in | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/tools/hotplug/Linux/systemd/var-lib-xenstored.mount.in b/tools/hotplug/Linux/systemd/var-lib-xenstored.mount.in index d5e04db..11a7d50 100644 --- a/tools/hotplug/Linux/systemd/var-lib-xenstored.mount.in +++ b/tools/hotplug/Linux/systemd/var-lib-xenstored.mount.in @@ -6,9 +6,7 @@ ConditionPathExists=/proc/xen/capabilities RefuseManualStop=true [Mount] -Environment=XENSTORED_MOUNT_CTX=none -EnvironmentFile=-@CONFIG_DIR@/@CONFIG_LEAF_DIR@/xenstored What=xenstore Where=@XEN_LIB_STORED@ Type=tmpfs -Options=mode=755,context=$XENSTORED_MOUNT_CTX +Options=mode=755 ___ Xen-devel mailing list Xen-devel@lists.xen.org http://lists.xen.org/xen-devel