From: Olaf Hering
Subject: Re: [PATCH 0/4 v2] tools/hotplug: systemd changes for 4.5
Date: Thu, 11 Dec 2014 13:04:24 +0100
Message-ID: <20141211120424.GA25950@aepfle.de>
References: <1418033889-11616-1-git-send-email-olaf@aepfle.de> <20141210204226.GA13076@laptop.dumpdata.com> <20141211084302.GA16507@aepfle.de>
To: M A Young
Cc: xen-devel@lists.xen.org

On Thu, Dec 11, M A Young wrote:

> Yes, you do need to set explicit selinux permissions when mounting
> /var/lib/xenstored as otherwise it gets a tmpfs selinux context which
> xenstored can't use in enforcing mode.

Is that "enforcing mode" the default? And would it be too cumbersome to
have these context settings in fstab?

> The other selinux issue is that it seems you can't run xenstored through a
> shell script wrapper, because it still has startup shell script selinux
> permissions when it is trying to connect to the sockets, so it doesn't work.
> It does work if you run xenstored directly from the systemd file.

This sounds like xenstored has to parse the possible environment
variables found in sysconfig.xencommons all by itself? Is there perhaps
a way out of the SELinux jail?

Olaf