Francesco Romani has posted comments on this change.

Change subject: gluster: set selinux labels while creating bricks
......................................................................


Patch Set 5:

(1 comment)

https://gerrit.ovirt.org/#/c/62773/5/vdsm/gluster/storagedev.py
File vdsm/gluster/storagedev.py:

Line 329:         try:
Line 330:             selinux.restorecon(mountPoint, recursive=True)
Line 331:         except OSError as e:
Line 332:             errMsg = "[Errno %s] %s: '%s'" % (e.errno, e.strerror, e.filename)
Line 333:             raise ge.GlusterHostFailedToRunRestorecon(mountPoint, err=errMsg)
This works, no doubt about that, but why doesn't the parent directory (/rhgs) 
have the right labelling in the first place?
Let me share an example of what I mean.

On a pristine CentOS 7.2 box (which I have handy for experimenting):

KENji> 13:21:56 root [~]$ mkdir /rhgs
KENji> 13:22:00 root [~]$ ls -lhZd /rhgs
drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 /rhgs

So /rhgs has wrong context. And it is empty:
KENji> 13:22:05 root [~]$ ls -lh /rhgs
total 0

Let's fix the context of this root directory:
KENji> 13:22:46 root [~]$ semanage fcontext -a -t glusterd_brick_t /rhgs
KENji> 13:23:22 root [~]$ restorecon -Rv /rhgs/
restorecon reset /rhgs context unconfined_u:object_r:default_t:s0->unconfined_u:object_r:glusterd_brick_t:s0

Now, if we create any subfolder:
KENji> 13:23:31 root [~]$ mkdir /rhgs/brick1
KENji> 13:23:54 root [~]$ mkdir /rhgs/brick2
KENji> 13:23:54 root [~]$ ls -lh /rhgs
total 8.0K
drwxr-xr-x. 2 root root 4.0K Sep 20 13:23 brick1
drwxr-xr-x. 2 root root 4.0K Sep 20 13:23 brick2
KENji> 13:23:58 root [~]$ ls -lhZd /rhgs
drwxr-xr-x. root root unconfined_u:object_r:glusterd_brick_t:s0 /rhgs
KENji> 13:24:04 root [~]$ ls -lhZd /rhgs/*
drwxr-xr-x. root root unconfined_u:object_r:glusterd_brick_t:s0 /rhgs/brick1
drwxr-xr-x. root root unconfined_u:object_r:glusterd_brick_t:s0 /rhgs/brick2


Looks better, and it has the correct context from the beginning, so there is no 
room for races.

Is that what you want? Please confirm. If so, fixing the context of the parent 
seems better; I'm pretty sure we can go one step further and patch the 
selinux-policy package to make sure the /rhgs directory gets the right context 
when it is created, but I don't have the instructions handy now. It could be worth 
just filing a bug and depending on that.


-- 
To view, visit https://gerrit.ovirt.org/62773
To unsubscribe, visit https://gerrit.ovirt.org/settings

Gerrit-MessageType: comment
Gerrit-Change-Id: I1ca5fec80831073643635875095b88c1c4c2132e
Gerrit-PatchSet: 5
Gerrit-Project: vdsm
Gerrit-Branch: master
Gerrit-Owner: Ramesh N <rnach...@redhat.com>
Gerrit-Reviewer: Dan Kenigsberg <dan...@redhat.com>
Gerrit-Reviewer: Francesco Romani <from...@redhat.com>
Gerrit-Reviewer: Jenkins CI
Gerrit-Reviewer: Piotr Kliczewski <piotr.kliczew...@gmail.com>
Gerrit-Reviewer: Ramesh N <rnach...@redhat.com>
Gerrit-Reviewer: Sahina Bose <sab...@redhat.com>
Gerrit-Reviewer: Yaniv Bronhaim <ybron...@redhat.com>
Gerrit-Reviewer: gerrit-hooks <automat...@ovirt.org>
Gerrit-HasComments: Yes
_______________________________________________
vdsm-patches mailing list -- vdsm-patches@lists.fedorahosted.org
To unsubscribe send an email to vdsm-patches-le...@lists.fedorahosted.org
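The check behind the reviewer's argument, written out as an added example (not vdsm code and not part of the review above): parse `ls -lhZd`-style output, report every path whose SELinux type is not `glusterd_brick_t`, and build the two commands that label the parent directory once so that bricks created under it inherit the right type. The sample listings are constructed from the transcript in the comment. One deliberate difference from the transcript: the `semanage fcontext` pattern here is `/rhgs(/.*)?` rather than the bare path, so that a later `restorecon -R` on the tree keeps the children at `glusterd_brick_t` instead of resetting them to the default rule; a bare path only matches the directory itself. The expected type and the parent path are assumptions for the example.

```python
"""Pre-flight SELinux label check for a Gluster brick parent directory.

Added example: parses `ls -lhZd` output (coreutils 8.22 on CentOS 7 prints
mode, owner, group, context, path), flags paths whose type is wrong, and
builds the remediation commands. Nothing here shells out; the listings are
constructed inline so the check runs offline.
"""

EXPECTED_TYPE = "glusterd_brick_t"   # assumed target type for brick roots

# Constructed from the transcript: before and after fixing the parent.
LISTING_BEFORE = """\
drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 /rhgs
"""

LISTING_AFTER = """\
total 8.0K
drwxr-xr-x. 2 root root 4.0K Sep 20 13:23 brick1
drwxr-xr-x. root root unconfined_u:object_r:glusterd_brick_t:s0 /rhgs
drwxr-xr-x. root root unconfined_u:object_r:glusterd_brick_t:s0 /rhgs/brick1
drwxr-xr-x. root root unconfined_u:object_r:glusterd_brick_t:s0 /rhgs/brick2
"""


def parse_context(ctx):
    """Split 'user:role:type:level' into its parts.

    The MLS level may itself contain ':' (e.g. 's0-s0:c0.c1023'), so split
    on at most three separators and keep the remainder as the level.
    """
    user, role, type_, level = ctx.split(":", 3)
    return {"user": user, "role": role, "type": type_, "level": level}


def parse_ls_z(listing):
    """Return [(path, context_dict)] for every line that carries a context.

    Lines without a context field (a 'total' line, or plain `ls -lh` output
    where the only ':' is in the timestamp) are skipped.
    """
    entries = []
    for line in listing.splitlines():
        parts = line.split()
        if not parts or parts[0] == "total":
            continue
        ctx = next((p for p in parts if p.count(":") >= 3), None)
        if ctx is None:
            continue
        entries.append((parts[-1], parse_context(ctx)))
    return entries


def find_mislabelled(listing, expected_type=EXPECTED_TYPE):
    """Paths whose SELinux type differs from expected_type, with the type seen."""
    return [(path, ctx["type"])
            for path, ctx in parse_ls_z(listing)
            if ctx["type"] != expected_type]


def remediation_commands(parent, expected_type=EXPECTED_TYPE):
    """Commands that label the parent and everything below it.

    The '(/.*)?' suffix makes the rule cover children too, so a future
    `restorecon -R` does not push bricks back to the default rule's type.
    """
    pattern = parent.rstrip("/") + "(/.*)?"
    return [
        ["semanage", "fcontext", "-a", "-t", expected_type, pattern],
        ["restorecon", "-Rv", parent],
    ]


if __name__ == "__main__":
    for name, listing in (("before", LISTING_BEFORE), ("after", LISTING_AFTER)):
        bad = find_mislabelled(listing)
        print("%s: %s" % (name, bad if bad else "all paths labelled correctly"))
    for cmd in remediation_commands("/rhgs"):
        print(" ".join(cmd))
```

Run as a script it reports `/rhgs` carrying `default_t` in the "before" listing and a clean "after" listing, then prints the two remediation commands. The check is intentionally separate from running `restorecon` on each mount point: if the parent is labelled correctly before any brick is created, the per-brick relabel in the patch becomes a safety net rather than the mechanism that makes bricks usable.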