resource-agents: Fix nfs mount contexts
Resolves: rhbz#635828
Signed-off-by: Lon Hohberger <lhh@redhat.com> Tested-by: Corey Marthaler <cmarthal@redhat.com> --- rgmanager/src/resources/nfsserver.sh | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) diff --git a/rgmanager/src/resources/nfsserver.sh b/rgmanager/src/resources/nfsserver.sh index 17f472d..bb2632e 100644 --- a/rgmanager/src/resources/nfsserver.sh +++ b/rgmanager/src/resources/nfsserver.sh @@ -222,6 +222,9 @@ create_tree() [ -f "$fp/xtab" ] || touch "$fp/xtab" [ -f "$fp/rmtab" ] || touch "$fp/rmtab" + chcon -R system_u:object_r:var_lib_nfs_t:s0 "$fp" + chcon -R system_u:object_r:var_lib_nfs_t:s0 "$fp/*" + # # Generate a random state file. If this ends up being what a client # already has in its list, that's bad, but the chances of this -- 1.7.3.4 |
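Review bot: the second added line, `chcon -R system_u:object_r:var_lib_nfs_t:s0 "$fp/*"`, is both redundant and broken: the `*` sits inside double quotes, so it is not expanded and chcon is handed the literal path `$fp/*`, which does not exist, while the `chcon -R` on `"$fp"` immediately above already relabels the whole tree recursively. Drop it. The remaining call also runs unconditionally with a hard-coded context, so it errors out on hosts without SELinux or without `chcon` installed, and it ignores whatever label the installed policy actually assigns to /var/lib/nfs; guard it on SELinux being enabled and the tool being present, and take the context from the existing directory rather than hard-coding `var_lib_nfs_t`.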
resource-agents: Fix nfs mount contexts
Note - patch proposed for RHEL6 branch.
--
Lon Hohberger - Red Hat, Inc.
resource-agents: Fix nfs mount contexts
ACK.
On Thu, Apr 14, 2011 at 03:57:06PM -0400, Lon Hohberger wrote: > Resolves: rhbz#635828 > > Signed-off-by: Lon Hohberger <lhh@redhat.com> > Tested-by: Corey Marthaler <cmarthal@redhat.com> > --- > rgmanager/src/resources/nfsserver.sh | 3 +++ > 1 files changed, 3 insertions(+), 0 deletions(-) > > diff --git a/rgmanager/src/resources/nfsserver.sh b/rgmanager/src/resources/nfsserver.sh > index 17f472d..bb2632e 100644 > --- a/rgmanager/src/resources/nfsserver.sh > +++ b/rgmanager/src/resources/nfsserver.sh > @@ -222,6 +222,9 @@ create_tree() > [ -f "$fp/xtab" ] || touch "$fp/xtab" > [ -f "$fp/rmtab" ] || touch "$fp/rmtab" > > + chcon -R system_u:object_r:var_lib_nfs_t:s0 "$fp" > + chcon -R system_u:object_r:var_lib_nfs_t:s0 "$fp/*" > + > # > # Generate a random state file. If this ends up being what a client > # already has in its list, that's bad, but the chances of this > -- > 1.7.3.4 |
resource-agents: Fix nfs mount contexts
Hi Lon,
2 small bits here..

in nfsserver.sh, we also call restorecon.

IMHO execution of selinux tools should be conditional to selinux being enabled and tools available.

To make this a generic upstream patch, we can do (at the beginning of the agent):

selinuxon=""
[ -n "$(which selinuxenabled)" ] && selinuxenabled && selinuxon=1

this is mostly paranoia and to cache the result for later use. invoking selinuxenabled is cheap.

.....

[ -n "$selinuxon" ] && [ -n "$(which restorecon)" ] && restorecon...

.....

[ -n "$selinuxon" ] && [ -n "$(which chcon)" ] && chcon -R....

chcon -R works recursively, so one invocation should be sufficient.

The main motivator behind this approach is to guarantee that we don't need resource-agents to Requires those tools at packaging level and enforce them on a system.

Fabio

On 04/14/2011 09:57 PM, Lon Hohberger wrote:
> Resolves: rhbz#635828 > > Signed-off-by: Lon Hohberger <lhh@redhat.com> > Tested-by: Corey Marthaler <cmarthal@redhat.com> > --- > rgmanager/src/resources/nfsserver.sh | 3 +++ > 1 files changed, 3 insertions(+), 0 deletions(-) > > diff --git a/rgmanager/src/resources/nfsserver.sh b/rgmanager/src/resources/nfsserver.sh > index 17f472d..bb2632e 100644 > --- a/rgmanager/src/resources/nfsserver.sh > +++ b/rgmanager/src/resources/nfsserver.sh > @@ -222,6 +222,9 @@ create_tree() > [ -f "$fp/xtab" ] || touch "$fp/xtab" > [ -f "$fp/rmtab" ] || touch "$fp/rmtab" > > + chcon -R system_u:object_r:var_lib_nfs_t:s0 "$fp" > + chcon -R system_u:object_r:var_lib_nfs_t:s0 "$fp/*" > + > # > # Generate a random state file. If this ends up being what a client > # already has in its list, that's bad, but the chances of this
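The guard pattern Fabio sketches above, worked into a runnable sketch. This is an added example, not code from the resource-agents tree or from either poster: the command names are passed in as parameters (hypothetical plumbing, so the detection can be exercised on a machine without SELinux), `command -v` stands in for `which`, and a second helper shows the same decision expressed through an exit status, since a script that stores `$?` has to compare it numerically rather than test it for non-emptiness.

```shell
#!/bin/sh
# Added example: invoke SELinux labelling tools only when SELinux is enabled
# and the tool is installed, caching the "enabled" answer once at startup.
# Not part of resource-agents. Command names are parameters so the logic
# can be tested with stand-in commands (assumption for this example).

# Detect once. Prints "1" when the selinuxenabled command exists and reports
# enabled, prints nothing otherwise. Cache the output in a variable.
selinux_detect() {
    cmd="${1:-selinuxenabled}"
    selinuxon=""
    command -v "$cmd" >/dev/null 2>&1 && "$cmd" && selinuxon=1
    printf '%s' "$selinuxon"
}

# Same decision as an exit status: 0 = enabled, anything else = disabled or
# tool absent. Note the numeric comparison at the end: '[ $rc ]' would be
# true for 0 and 1 alike, because a one-argument test only checks for a
# non-empty string.
selinux_enabled_status() {
    cmd="${1:-selinuxenabled}"
    if command -v "$cmd" >/dev/null 2>&1 && "$cmd"; then
        rc=0
    else
        rc=$?
    fi
    [ "$rc" -eq 0 ]
}

# Run a labelling tool guarded by the cached flag and by tool availability.
# Returns 0 (nothing to do) when SELinux is off or the tool is missing, so a
# caller that uses this as the last statement of a function does not see a
# spurious failure. $1 = cached flag, $2 = tool, remaining args go to the tool.
selinux_run() {
    flag="$1"; tool="$2"; shift 2
    [ -n "$flag" ] || return 0
    command -v "$tool" >/dev/null 2>&1 || return 0
    "$tool" "$@"
}

# Usage at the top of an agent, with the real tool names:
#   SELINUXON="$(selinux_detect selinuxenabled)"
#   selinux_run "$SELINUXON" restorecon /var/lib/nfs
#   selinux_run "$SELINUXON" chcon -R "$label" "$fp"
```

One `chcon -R` on the top of the tree is all that is needed, as Fabio says; the wrapper takes the tool and its arguments verbatim, so both restorecon and chcon go through the same guard and the packaging never has to require either tool.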
resource-agents: Fix nfs mount contexts
On Fri, Apr 15, 2011 at 06:44:47AM +0200, Fabio M. Di Nitto wrote:
> Hi Lon,
>
> 2 small bits here..
>
> in nfsserver.sh, we also call restorecon.
>
> IMHO execution of selinux tools should be conditional to selinux being
> enabled and tools available.
>
> To make this a generic upstream patch, we can do (at the beginning of
> the agent):

Yep, I'll revert the one I pushed. Sorry about that.

> selinuxon=""
> [ -n "$(which selinuxenabled)" ] && selinuxenabled && selinuxon=1
>
> this is mostly paranoia and to cache the result for later use. invoking
> selinuxenabled is cheap.
>
> .....
>
> [ -n "$selinuxon" ] && [ -n "$(which restorecon)" ] && restorecon...
>
> .....
>
> [ -n "$selinuxon" ] && [ -n "$(which chcon)" ] && chcon -R....
>
> chcon -R works recursively, so one invocation should be sufficient.

In my initial testing, it didn't work, but deleting the second line seemed to work fine now.

> The main motivator behind this approach is to guarantee that we don't
> need resource-agents to Requires those tools at packaging level and
> enforce them on a system.

Understood.

--
Lon Hohberger - Red Hat, Inc.
resource-agents: Fix nfs mount contexts
- check for SELinux enabled
- grab the installed distribution's SELinux label for /var/lib/nfs/statd - chcon / restorecon using that label (restorecon should be enough, but it seems to not work across bind mounts) Resolves: rhbz#635828 Signed-off-by: Lon Hohberger <lhh@redhat.com> --- rgmanager/src/resources/nfsserver.sh | 12 +++++++++++- 1 files changed, 11 insertions(+), 1 deletions(-) diff --git a/rgmanager/src/resources/nfsserver.sh b/rgmanager/src/resources/nfsserver.sh index 17f472d..f7b6b7a 100644 --- a/rgmanager/src/resources/nfsserver.sh +++ b/rgmanager/src/resources/nfsserver.sh @@ -16,6 +16,14 @@ export LC_ALL LANG PATH . $(dirname $0)/ocf-shellfuncs +# SELinux information +which restorecon &> /dev/null && selinuxenabled +export SELINUX_ENABLED=$? +if [ $SELINUX_ENABLED ]; then + export SELINUX_LABEL="$(ls -ldZ /var/lib/nfs/statd | cut -f4 -d' ')" +fi + + log_do() { ocf_log debug $* @@ -222,6 +230,8 @@ create_tree() [ -f "$fp/xtab" ] || touch "$fp/xtab" [ -f "$fp/rmtab" ] || touch "$fp/rmtab" + [ $SELINUX_ENABLED ] && chcon -R "$SELINUX_LABEL" "$fp" + # # Generate a random state file. If this ends up being what a client # already has in its list, that's bad, but the chances of this @@ -306,7 +316,7 @@ setup_tree() mount -o bind "$fp/statd" /var/lib/nfs/statd cp -a "$fp"/*tab /var/lib/nfs - restorecon /var/lib/nfs + [ $SELINUX_ENABLED ] && restorecon /var/lib/nfs } -- 1.7.3.4 |
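Review bot: in the hunk at `@@ -16,6 +16,14 @@`, `if [ $SELINUX_ENABLED ]; then` is always true. `SELINUX_ENABLED=$?` holds an exit status (0 when both `which restorecon` and `selinuxenabled` succeed, non-zero otherwise), and `[ 0 ]` and `[ 1 ]` are both true because a one-argument test only checks for a non-empty string. Compare numerically, `if [ "$SELINUX_ENABLED" -eq 0 ]; then`, or store a value that is empty when SELinux is off. Two smaller points in the same hunk: `ls -ldZ ... | cut -f4 -d' '` depends on the column layout of `ls -Z`, which differs between coreutils versions, whereas `stat -c %C /var/lib/nfs/statd` prints the context on its own; and `&> /dev/null` is a bash-only redirection, so `>/dev/null 2>&1` is the safer spelling if the agent is ever run under plain /bin/sh.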
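Review bot: in the hunk at `@@ -222,6 +230,8 @@`, `[ $SELINUX_ENABLED ] && chcon -R "$SELINUX_LABEL" "$fp"` inherits the always-true test from the first hunk, so on a host where SELinux is disabled or `restorecon` is absent `SELINUX_LABEL` is unset and this runs `chcon -R "" "$fp"`, which fails on every start. Guard on the numeric status and on a non-empty label, e.g. `[ "$SELINUX_ENABLED" -eq 0 ] && [ -n "$SELINUX_LABEL" ] && chcon -R "$SELINUX_LABEL" "$fp"`, and log the outcome, since a failed relabel is otherwise invisible until clients cannot reach statd.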
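Review bot: in the hunk at `@@ -306,7 +316,7 @@`, `[ $SELINUX_ENABLED ] && restorecon /var/lib/nfs` is the last statement of `setup_tree`, so once the condition is corrected to actually be false on non-SELinux hosts the function returns 1 and any caller checking its status will treat the setup as failed. Write it as `if [ "$SELINUX_ENABLED" -eq 0 ]; then restorecon /var/lib/nfs; fi` so the function's return status is not tied to the guard. Also, given the commit message's note that restorecon does not take effect across the bind mount, note that without `-R` only the /var/lib/nfs directory entry itself is relabelled, not the copied *tab files beneath it.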
resource-agents: Fix nfs mount contexts
ACK'ed.
Fabio On 4/15/2011 5:18 PM, Lon Hohberger wrote: > - check for SELinux enabled > - grab the installed distribution's SELinux label for > /var/lib/nfs/statd > - chcon / restorecon using that label (restorecon should be enough, > but it seems to not work across bind mounts) > > Resolves: rhbz#635828 > > Signed-off-by: Lon Hohberger <lhh@redhat.com> > --- > rgmanager/src/resources/nfsserver.sh | 12 +++++++++++- > 1 files changed, 11 insertions(+), 1 deletions(-) > > diff --git a/rgmanager/src/resources/nfsserver.sh b/rgmanager/src/resources/nfsserver.sh > index 17f472d..f7b6b7a 100644 > --- a/rgmanager/src/resources/nfsserver.sh > +++ b/rgmanager/src/resources/nfsserver.sh > @@ -16,6 +16,14 @@ export LC_ALL LANG PATH > > . $(dirname $0)/ocf-shellfuncs > > +# SELinux information > +which restorecon &> /dev/null && selinuxenabled > +export SELINUX_ENABLED=$? > +if [ $SELINUX_ENABLED ]; then > + export SELINUX_LABEL="$(ls -ldZ /var/lib/nfs/statd | cut -f4 -d' ')" > +fi > + > + > log_do() > { > ocf_log debug $* > @@ -222,6 +230,8 @@ create_tree() > [ -f "$fp/xtab" ] || touch "$fp/xtab" > [ -f "$fp/rmtab" ] || touch "$fp/rmtab" > > + [ $SELINUX_ENABLED ] && chcon -R "$SELINUX_LABEL" "$fp" > + > # > # Generate a random state file. If this ends up being what a client > # already has in its list, that's bad, but the chances of this > @@ -306,7 +316,7 @@ setup_tree() > > mount -o bind "$fp/statd" /var/lib/nfs/statd > cp -a "$fp"/*tab /var/lib/nfs > - restorecon /var/lib/nfs > + [ $SELINUX_ENABLED ] && restorecon /var/lib/nfs > } > > |