* [PATCH][meta-networking] iscsi-initiator-utils: fix SELinux label for initiatorname.iscsi
@ 2015-02-04  9:33 wenzong.fan
  2015-02-12  2:17 ` Joe MacDonald
  0 siblings, 1 reply; 5+ messages in thread
From: wenzong.fan @ 2015-02-04  9:33 UTC (permalink / raw)
  To: openembedded-devel

From: Wenzong Fan <wenzong.fan@windriver.com>

* /etc/iscsi/initiatorname.iscsi: etc_runtime_t -> etc_t

This config file was created by postinstall or initscript, fix SELinux
label for it to remove:

  avc: denied { read } for pid=6094 comm="iscsid" \
  name="initiatorname.iscsi" dev="sda3" ino=1057846 \
  scontext=system_u:system_r:iscsid_t:s0-s15:c0.c1023 \
  tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file

Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
---
 .../recipes-daemons/iscsi-initiator-utils/files/initd.debian          | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/meta-networking/recipes-daemons/iscsi-initiator-utils/files/initd.debian b/meta-networking/recipes-daemons/iscsi-initiator-utils/files/initd.debian
index 99a7638..43fb348 100644
--- a/meta-networking/recipes-daemons/iscsi-initiator-utils/files/initd.debian
+++ b/meta-networking/recipes-daemons/iscsi-initiator-utils/files/initd.debian
@@ -39,6 +39,10 @@ start() {
 InitiatorName=$INITIATORNAME
 EOF
 	fi
+
+	# Fix label for /etc/iscsi/initiatorname.iscsi if SELinux was enabled
+	test ! -x /sbin/restorecon || /sbin/restorecon -F /etc/iscsi/initiatorname.iscsi
+
 	start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON
 	RETVAL=$?
 	starttargets
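Review bot: the comment on the added lines says the relabel happens "if SELinux was enabled", but the guard `test ! -x /sbin/restorecon` only checks that the binary is installed and executable, so restorecon runs on any system that ships it, even with SELinux disabled. Either reword the comment to match the check or also gate on `selinuxenabled` where it is available. The call sits after the `fi`, so it runs on every start() and covers the postinstall-created file mentioned in the commit message, but its exit status is discarded: a failed relabel falls straight through to start-stop-daemon and the same AVC denial, so a warning on failure would make that case diagnosable.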
-- 
1.9.1
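
The denial quoted in the commit message can be triaged mechanically: when the target type in `tcontext` differs from the type the file is supposed to carry, the fix is a relabel (as in this patch) rather than a policy rule. The following is an added example, not part of the original message or the project; `parse_avc` and `label_mismatch` are hypothetical helper names, and the expected type `etc_t` is taken from the commit message.

```python
import re

# Constructed sample: the denial as quoted in the commit message,
# including its backslash line continuations.
SAMPLE_AVC = r'''avc: denied { read } for pid=6094 comm="iscsid" \
name="initiatorname.iscsi" dev="sda3" ino=1057846 \
scontext=system_u:system_r:iscsid_t:s0-s15:c0.c1023 \
tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file'''


def parse_avc(record):
    """Parse one AVC denial into a dict; return None if it is not a denial."""
    text = re.sub(r"\\\s*\n\s*", " ", record)  # join continued lines
    m = re.search(r"avc:\s+denied\s+\{([^}]*)\}", text)
    if not m:
        return None
    fields = {"perms": m.group(1).split()}
    # key=value pairs; values are either double-quoted or bare tokens
    for key, quoted, bare in re.findall(r'(\w+)=(?:"([^"]*)"|(\S+))', text):
        fields[key] = quoted or bare
    for ctx in ("scontext", "tcontext"):
        # user:role:type:level, where the MLS level may itself contain ':'
        parts = fields.get(ctx, "").split(":", 3)
        fields[ctx + "_type"] = parts[2] if len(parts) >= 3 else None
    return fields


def label_mismatch(record, expected_type):
    """Return a one-line finding when the target's type is not expected_type."""
    f = parse_avc(record)
    if f is None or f["tcontext_type"] == expected_type:
        return None
    return "%s (%s) denied {%s} on %s %r: labelled %s, expected %s" % (
        f.get("comm"), f["scontext_type"], " ".join(f["perms"]),
        f.get("tclass"), f.get("name"), f["tcontext_type"], expected_type)


if __name__ == "__main__":
    print(label_mismatch(SAMPLE_AVC, "etc_t"))
```
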




* Re: [PATCH][meta-networking] iscsi-initiator-utils: fix SELinux label for initiatorname.iscsi
  2015-02-04  9:33 [PATCH][meta-networking] iscsi-initiator-utils: fix SELinux label for initiatorname.iscsi wenzong.fan
@ 2015-02-12  2:17 ` Joe MacDonald
  2015-03-04  7:25   ` wenzong fan
  0 siblings, 1 reply; 5+ messages in thread
From: Joe MacDonald @ 2015-02-12  2:17 UTC (permalink / raw)
  To: wenzong.fan; +Cc: openembedded-devel

Hey Wenzong,

[[oe] [PATCH][meta-networking] iscsi-initiator-utils: fix SELinux label for initiatorname.iscsi] On 15.02.04 (Wed 17:33) wenzong.fan@windriver.com wrote:

> From: Wenzong Fan <wenzong.fan@windriver.com>
> 
> * /etc/iscsi/initiatorname.iscsi: etc_runtime_t -> etc_t
> 
> This config file was created by postinstall or initscript, fix SELinux
> label for it to remove:
> 
>   avc: denied { read } for pid=6094 comm="iscsid" \
>   name="initiatorname.iscsi" dev="sda3" ino=1057846 \
>   scontext=system_u:system_r:iscsid_t:s0-s15:c0.c1023 \
>   tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file

Since this is an issue that only shows up when you have SELinux on your
system and since it is tweaking a file that is manually installed by a
do_install() in iscsi-initiator-utils, could you re-work this as a
bbappend in meta-selinux?

-J.

> 
> Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
> ---
>  .../recipes-daemons/iscsi-initiator-utils/files/initd.debian          | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/meta-networking/recipes-daemons/iscsi-initiator-utils/files/initd.debian b/meta-networking/recipes-daemons/iscsi-initiator-utils/files/initd.debian
> index 99a7638..43fb348 100644
> --- a/meta-networking/recipes-daemons/iscsi-initiator-utils/files/initd.debian
> +++ b/meta-networking/recipes-daemons/iscsi-initiator-utils/files/initd.debian
> @@ -39,6 +39,10 @@ start() {
>  InitiatorName=$INITIATORNAME
>  EOF
>  	fi
> +
> +	# Fix label for /etc/iscsi/initiatorname.iscsi if SELinux was enabled
> +	test ! -x /sbin/restorecon || /sbin/restorecon -F /etc/iscsi/initiatorname.iscsi
> +
>  	start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON
>  	RETVAL=$?
>  	starttargets
> -- 
> 1.9.1
> 
-- 
-Joe MacDonald.
:wq


* Re: [PATCH][meta-networking] iscsi-initiator-utils: fix SELinux label for initiatorname.iscsi
  2015-02-12  2:17 ` Joe MacDonald
@ 2015-03-04  7:25   ` wenzong fan
  2015-03-04 13:39     ` Joe MacDonald
  0 siblings, 1 reply; 5+ messages in thread
From: wenzong fan @ 2015-03-04  7:25 UTC (permalink / raw)
  To: Joe MacDonald; +Cc: openembedded-devel

On 02/12/2015 10:17 AM, Joe MacDonald wrote:
> Hey Wenzong,
>
> [[oe] [PATCH][meta-networking] iscsi-initiator-utils: fix SELinux label for initiatorname.iscsi] On 15.02.04 (Wed 17:33) wenzong.fan@windriver.com wrote:
>
>> From: Wenzong Fan <wenzong.fan@windriver.com>
>>
>> * /etc/iscsi/initiatorname.iscsi: etc_runtime_t -> etc_t
>>
>> This config file was created by postinstall or initscript, fix SELinux
>> label for it to remove:
>>
>>    avc: denied { read } for pid=6094 comm="iscsid" \
>>    name="initiatorname.iscsi" dev="sda3" ino=1057846 \
>>    scontext=system_u:system_r:iscsid_t:s0-s15:c0.c1023 \
>>    tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
>
> Since this is an issue that only shows up when you have SELinux on your
> system and since it is tweaking a file that is manually installed by a
> do_install() in iscsi-initiator-utils, could you re-work this as a
> bbappend in meta-selinux?

Hi Joe,

This makes sense, but there's an issue that meta-networking is not 
depended on by meta-selinux, adding a bbappend may block the building of 
meta-selinux & oe-core only.

Any suggestions about that?

Thanks
Wenzong

>
> -J.
>
>>
>> Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
>> ---
>>   .../recipes-daemons/iscsi-initiator-utils/files/initd.debian          | 4 ++++
>>   1 file changed, 4 insertions(+)
>>
>> diff --git a/meta-networking/recipes-daemons/iscsi-initiator-utils/files/initd.debian b/meta-networking/recipes-daemons/iscsi-initiator-utils/files/initd.debian
>> index 99a7638..43fb348 100644
>> --- a/meta-networking/recipes-daemons/iscsi-initiator-utils/files/initd.debian
>> +++ b/meta-networking/recipes-daemons/iscsi-initiator-utils/files/initd.debian
>> @@ -39,6 +39,10 @@ start() {
>>   InitiatorName=$INITIATORNAME
>>   EOF
>>   	fi
>> +
>> +	# Fix label for /etc/iscsi/initiatorname.iscsi if SELinux was enabled
>> +	test ! -x /sbin/restorecon || /sbin/restorecon -F /etc/iscsi/initiatorname.iscsi
>> +
>>   	start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON
>>   	RETVAL=$?
>>   	starttargets
>> --
>> 1.9.1
>>



* Re: [PATCH][meta-networking] iscsi-initiator-utils: fix SELinux label for initiatorname.iscsi
  2015-03-04  7:25   ` wenzong fan
@ 2015-03-04 13:39     ` Joe MacDonald
  2015-03-05  7:57       ` wenzong fan
  0 siblings, 1 reply; 5+ messages in thread
From: Joe MacDonald @ 2015-03-04 13:39 UTC (permalink / raw)
  To: wenzong fan; +Cc: openembedded-devel

[Re: [oe] [PATCH][meta-networking] iscsi-initiator-utils: fix SELinux label for initiatorname.iscsi] On 15.03.04 (Wed 15:25) wenzong fan wrote:

> On 02/12/2015 10:17 AM, Joe MacDonald wrote:
> >Hey Wenzong,
> >
> >[[oe] [PATCH][meta-networking] iscsi-initiator-utils: fix SELinux label for initiatorname.iscsi] On 15.02.04 (Wed 17:33) wenzong.fan@windriver.com wrote:
> >
> >>From: Wenzong Fan <wenzong.fan@windriver.com>
> >>
> >>* /etc/iscsi/initiatorname.iscsi: etc_runtime_t -> etc_t
> >>
> >>This config file was created by postinstall or initscript, fix SELinux
> >>label for it to remove:
> >>
> >>   avc: denied { read } for pid=6094 comm="iscsid" \
> >>   name="initiatorname.iscsi" dev="sda3" ino=1057846 \
> >>   scontext=system_u:system_r:iscsid_t:s0-s15:c0.c1023 \
> >>   tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
> >
> >Since this is an issue that only shows up when you have SELinux on your
> >system and since it is tweaking a file that is manually installed by a
> >do_install() in iscsi-initiator-utils, could you re-work this as a
> >bbappend in meta-selinux?
> 
> Hi Joe,
> 
> This makes sense, but there's an issue that meta-networking is not
> depended on by meta-selinux, adding a bbappend may block the building
> of meta-selinux & oe-core only.
> 
> Any suggestions about that?

As a matter of fact, we just addressed that with
d382d54f0a9a913791fca1d7f61e87fcfd32842b in meta-selinux a couple of
weeks back.  There is still a mistake in that, but Philip has a patch
for it that I'm integrating now, but the core idea works.  So your patch
would go into a networking-layer/ hierarchy in meta-selinux/ and then it
would either be picked up if meta-networking is included or ignored in
the meta-selinux+oe-core-only scenario.

-J.

> 
> Thanks
> Wenzong
> 
> >
> >-J.
> >
> >>
> >>Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
> >>---
> >>  .../recipes-daemons/iscsi-initiator-utils/files/initd.debian          | 4 ++++
> >>  1 file changed, 4 insertions(+)
> >>
> >>diff --git a/meta-networking/recipes-daemons/iscsi-initiator-utils/files/initd.debian b/meta-networking/recipes-daemons/iscsi-initiator-utils/files/initd.debian
> >>index 99a7638..43fb348 100644
> >>--- a/meta-networking/recipes-daemons/iscsi-initiator-utils/files/initd.debian
> >>+++ b/meta-networking/recipes-daemons/iscsi-initiator-utils/files/initd.debian
> >>@@ -39,6 +39,10 @@ start() {
> >>  InitiatorName=$INITIATORNAME
> >>  EOF
> >>  	fi
> >>+
> >>+	# Fix label for /etc/iscsi/initiatorname.iscsi if SELinux was enabled
> >>+	test ! -x /sbin/restorecon || /sbin/restorecon -F /etc/iscsi/initiatorname.iscsi
> >>+
> >>  	start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON
> >>  	RETVAL=$?
> >>  	starttargets
> >>--
> >>1.9.1
> >>

-- 
-Joe MacDonald.
:wq


* Re: [PATCH][meta-networking] iscsi-initiator-utils: fix SELinux label for initiatorname.iscsi
  2015-03-04 13:39     ` Joe MacDonald
@ 2015-03-05  7:57       ` wenzong fan
  0 siblings, 0 replies; 5+ messages in thread
From: wenzong fan @ 2015-03-05  7:57 UTC (permalink / raw)
  To: Joe MacDonald; +Cc: openembedded-devel

On 03/04/2015 09:39 PM, Joe MacDonald wrote:
> [Re: [oe] [PATCH][meta-networking] iscsi-initiator-utils: fix SELinux label for initiatorname.iscsi] On 15.03.04 (Wed 15:25) wenzong fan wrote:
>
>> On 02/12/2015 10:17 AM, Joe MacDonald wrote:
>>> Hey Wenzong,
>>>
>>> [[oe] [PATCH][meta-networking] iscsi-initiator-utils: fix SELinux label for initiatorname.iscsi] On 15.02.04 (Wed 17:33) wenzong.fan@windriver.com wrote:
>>>
>>>> From: Wenzong Fan <wenzong.fan@windriver.com>
>>>>
>>>> * /etc/iscsi/initiatorname.iscsi: etc_runtime_t -> etc_t
>>>>
>>>> This config file was created by postinstall or initscript, fix SELinux
>>>> label for it to remove:
>>>>
>>>>    avc: denied { read } for pid=6094 comm="iscsid" \
>>>>    name="initiatorname.iscsi" dev="sda3" ino=1057846 \
>>>>    scontext=system_u:system_r:iscsid_t:s0-s15:c0.c1023 \
>>>>    tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
>>>
>>> Since this is an issue that only shows up when you have SELinux on your
>>> system and since it is tweaking a file that is manually installed by a
>>> do_install() in iscsi-initiator-utils, could you re-work this as a
>>> bbappend in meta-selinux?
>>
>> Hi Joe,
>>
>> This makes sense, but there's an issue that meta-networking is not
>> depended on by meta-selinux, adding a bbappend may block the building
>> of meta-selinux & oe-core only.
>>
>> Any suggestions about that?
>
> As a matter of fact, we just addressed that with
> d382d54f0a9a913791fca1d7f61e87fcfd32842b in meta-selinux a couple of
> weeks back.  There is still a mistake in that, but Philip has a patch
> for it that I'm integrating now, but the core idea works.  So your patch
> would go into a networking-layer/ hierarchy in meta-selinux/ and then it
> would either be picked up if meta-networking is included or ignored in
> the meta-selinux+oe-core-only scenario.

Cool, I've made the bbappend and sent meta-selinux patches to 
yocto@yoctoproject.org.

Thanks a lot!

Wenzong

>
> -J.
>
>>
>> Thanks
>> Wenzong
>>
>>>
>>> -J.
>>>
>>>>
>>>> Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
>>>> ---
>>>>   .../recipes-daemons/iscsi-initiator-utils/files/initd.debian          | 4 ++++
>>>>   1 file changed, 4 insertions(+)
>>>>
>>>> diff --git a/meta-networking/recipes-daemons/iscsi-initiator-utils/files/initd.debian b/meta-networking/recipes-daemons/iscsi-initiator-utils/files/initd.debian
>>>> index 99a7638..43fb348 100644
>>>> --- a/meta-networking/recipes-daemons/iscsi-initiator-utils/files/initd.debian
>>>> +++ b/meta-networking/recipes-daemons/iscsi-initiator-utils/files/initd.debian
>>>> @@ -39,6 +39,10 @@ start() {
>>>>   InitiatorName=$INITIATORNAME
>>>>   EOF
>>>>   	fi
>>>> +
>>>> +	# Fix label for /etc/iscsi/initiatorname.iscsi if SELinux was enabled
>>>> +	test ! -x /sbin/restorecon || /sbin/restorecon -F /etc/iscsi/initiatorname.iscsi
>>>> +
>>>>   	start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON
>>>>   	RETVAL=$?
>>>>   	starttargets
>>>> --
>>>> 1.9.1
>>>>
>

