* [Cluster-devel] [PATCH] resource-agents: Fix nfs mount contexts
@ 2011-04-15 15:18 Lon Hohberger
2011-04-15 15:24 ` Fabio M. Di Nitto
0 siblings, 1 reply; 7+ messages in thread
From: Lon Hohberger @ 2011-04-15 15:18 UTC (permalink / raw)
To: cluster-devel.redhat.com
- check for SELinux enabled
- grab the installed distribution's SELinux label for
/var/lib/nfs/statd
- chcon / restorecon using that label (restorecon should be enough,
but it seems to not work across bind mounts)
Resolves: rhbz#635828
Signed-off-by: Lon Hohberger <lhh@redhat.com>
---
rgmanager/src/resources/nfsserver.sh | 12 +++++++++++-
1 files changed, 11 insertions(+), 1 deletions(-)
diff --git a/rgmanager/src/resources/nfsserver.sh b/rgmanager/src/resources/nfsserver.sh
index 17f472d..f7b6b7a 100644
--- a/rgmanager/src/resources/nfsserver.sh
+++ b/rgmanager/src/resources/nfsserver.sh
@@ -16,6 +16,14 @@ export LC_ALL LANG PATH
. $(dirname $0)/ocf-shellfuncs
+# SELinux information
+which restorecon &> /dev/null && selinuxenabled
+export SELINUX_ENABLED=$?
+if [ $SELINUX_ENABLED ]; then
+ export SELINUX_LABEL="$(ls -ldZ /var/lib/nfs/statd | cut -f4 -d' ')"
+fi
+
+
log_do()
{
ocf_log debug $*
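Review bot: the guard `if [ $SELINUX_ENABLED ]; then` in this hunk is always true: `$?` captured from `which restorecon &> /dev/null && selinuxenabled` is the string `0` or `1`, and `[ str ]` only tests for non-emptiness, so the label lookup runs even when SELinux is disabled or restorecon is absent. Test the status explicitly, e.g. `if [ "$SELINUX_ENABLED" -eq 0 ]; then`, or set `SELINUX_ENABLED=1` only on success and test with `-n`, and apply the same fix to the two later uses of `[ $SELINUX_ENABLED ]` in create_tree() and setup_tree().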
@@ -222,6 +230,8 @@ create_tree()
[ -f "$fp/xtab" ] || touch "$fp/xtab"
[ -f "$fp/rmtab" ] || touch "$fp/rmtab"
+ [ $SELINUX_ENABLED ] && chcon -R "$SELINUX_LABEL" "$fp"
+
#
# Generate a random state file. If this ends up being what a client
# already has in its list, that's bad, but the chances of this
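Review bot: `[ $SELINUX_ENABLED ] && chcon -R "$SELINUX_LABEL" "$fp"` never checks that `$SELINUX_LABEL` was actually populated; if the `ls -ldZ ... | cut` lookup produced an empty string, chcon receives `"$fp"` as its context argument and fails, and the failure is neither logged nor propagated, so the state tree is left mislabeled silently. Suggest adding `[ -n "$SELINUX_LABEL" ]` to the condition and emitting an `ocf_log` line when chcon returns non-zero.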
@@ -306,7 +316,7 @@ setup_tree()
mount -o bind "$fp/statd" /var/lib/nfs/statd
cp -a "$fp"/*tab /var/lib/nfs
- restorecon /var/lib/nfs
+ [ $SELINUX_ENABLED ] && restorecon /var/lib/nfs
}
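Review bot: `[ $SELINUX_ENABLED ] && restorecon /var/lib/nfs` is the last statement of setup_tree(), so the status of this `&&` list becomes the function's return value: once the guard is a real test, a host without SELinux makes setup_tree() return 1 even though the mount and copy succeeded. Write it as an `if` block, or follow it with an explicit `return 0`, so the function's status reflects the mount and copy rather than the relabel.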
--
1.7.3.4
* [Cluster-devel] [PATCH] resource-agents: Fix nfs mount contexts
2011-04-15 15:18 [Cluster-devel] [PATCH] resource-agents: Fix nfs mount contexts Lon Hohberger
@ 2011-04-15 15:24 ` Fabio M. Di Nitto
0 siblings, 0 replies; 7+ messages in thread
From: Fabio M. Di Nitto @ 2011-04-15 15:24 UTC (permalink / raw)
To: cluster-devel.redhat.com
ACK'ed.
Fabio
On 4/15/2011 5:18 PM, Lon Hohberger wrote:
> - check for SELinux enabled
> - grab the installed distribution's SELinux label for
> /var/lib/nfs/statd
> - chcon / restorecon using that label (restorecon should be enough,
> but it seems to not work across bind mounts)
>
> Resolves: rhbz#635828
>
> Signed-off-by: Lon Hohberger <lhh@redhat.com>
> ---
> rgmanager/src/resources/nfsserver.sh | 12 +++++++++++-
> 1 files changed, 11 insertions(+), 1 deletions(-)
>
> diff --git a/rgmanager/src/resources/nfsserver.sh b/rgmanager/src/resources/nfsserver.sh
> index 17f472d..f7b6b7a 100644
> --- a/rgmanager/src/resources/nfsserver.sh
> +++ b/rgmanager/src/resources/nfsserver.sh
> @@ -16,6 +16,14 @@ export LC_ALL LANG PATH
>
> . $(dirname $0)/ocf-shellfuncs
>
> +# SELinux information
> +which restorecon &> /dev/null && selinuxenabled
> +export SELINUX_ENABLED=$?
> +if [ $SELINUX_ENABLED ]; then
> + export SELINUX_LABEL="$(ls -ldZ /var/lib/nfs/statd | cut -f4 -d' ')"
> +fi
> +
> +
> log_do()
> {
> ocf_log debug $*
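Review bot: the availability probe `which restorecon &> /dev/null && selinuxenabled` checks only restorecon, yet the code depends on `selinuxenabled` and `chcon` as well: if `selinuxenabled` itself is missing, the list ends with status 127 and a command-not-found message on stderr, and nothing verifies chcon before the recursive relabel in create_tree(). The label extraction `ls -ldZ /var/lib/nfs/statd | cut -f4 -d' '` also depends on ls column layout; `stat -c %C /var/lib/nfs/statd` returns the context alone. Suggest probing each tool before use, as Fabio outlined in his review of the first version.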
> @@ -222,6 +230,8 @@ create_tree()
> [ -f "$fp/xtab" ] || touch "$fp/xtab"
> [ -f "$fp/rmtab" ] || touch "$fp/rmtab"
>
> + [ $SELINUX_ENABLED ] && chcon -R "$SELINUX_LABEL" "$fp"
> +
> #
> # Generate a random state file. If this ends up being what a client
> # already has in its list, that's bad, but the chances of this
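Review bot: the recursive relabel of `$fp` in create_tree() relies on running before setup_tree() bind-mounts `$fp/statd` over /var/lib/nfs/statd (a bind mount presents the source's labels, and the commit message notes restorecon does not reach through it), but that ordering dependency is not stated anywhere in the code. Add a comment next to `chcon -R "$SELINUX_LABEL" "$fp"` saying the relabel must happen on the source tree before the mount, so a later reordering does not silently undo the fix.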
> @@ -306,7 +316,7 @@ setup_tree()
>
> mount -o bind "$fp/statd" /var/lib/nfs/statd
> cp -a "$fp"/*tab /var/lib/nfs
> - restorecon /var/lib/nfs
> + [ $SELINUX_ENABLED ] && restorecon /var/lib/nfs
> }
>
>
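Review bot: `restorecon /var/lib/nfs` has no `-R`, so it relabels only the /var/lib/nfs directory itself, not the `*tab` files just copied into it nor the bind-mounted statd tree, and the commit message already says restorecon does not work across the bind mount; the hunk should say what this call is still expected to fix. If the intent is the copied `*tab` files, name them explicitly (`restorecon /var/lib/nfs/*tab`); if the directory label alone is the target, a one-line comment to that effect would keep the next reader from "fixing" it.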
* [Cluster-devel] [PATCH] resource-agents: Fix nfs mount contexts
@ 2011-04-14 19:57 Lon Hohberger
2011-04-14 21:41 ` Lon Hohberger
` (2 more replies)
0 siblings, 3 replies; 7+ messages in thread
From: Lon Hohberger @ 2011-04-14 19:57 UTC (permalink / raw)
To: cluster-devel.redhat.com
Resolves: rhbz#635828
Signed-off-by: Lon Hohberger <lhh@redhat.com>
Tested-by: Corey Marthaler <cmarthal@redhat.com>
---
rgmanager/src/resources/nfsserver.sh | 3 +++
1 files changed, 3 insertions(+), 0 deletions(-)
diff --git a/rgmanager/src/resources/nfsserver.sh b/rgmanager/src/resources/nfsserver.sh
index 17f472d..bb2632e 100644
--- a/rgmanager/src/resources/nfsserver.sh
+++ b/rgmanager/src/resources/nfsserver.sh
@@ -222,6 +222,9 @@ create_tree()
[ -f "$fp/xtab" ] || touch "$fp/xtab"
[ -f "$fp/rmtab" ] || touch "$fp/rmtab"
+ chcon -R system_u:object_r:var_lib_nfs_t:s0 "$fp"
+ chcon -R system_u:object_r:var_lib_nfs_t:s0 "$fp/*"
+
#
# Generate a random state file. If this ends up being what a client
# already has in its list, that's bad, but the chances of this
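Review bot: the second line, `chcon -R system_u:object_r:var_lib_nfs_t:s0 "$fp/*"`, is both redundant and broken: `chcon -R` on `"$fp"` already descends into every entry, and the double quotes stop the shell from expanding `*`, so chcon is asked to relabel a file literally named `*` and fails with `No such file or directory` on every create_tree(). Drop the line; a single recursive call is sufficient, as the thread later confirms.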
--
1.7.3.4
* [Cluster-devel] [PATCH] resource-agents: Fix nfs mount contexts
2011-04-14 19:57 Lon Hohberger
@ 2011-04-14 21:41 ` Lon Hohberger
2011-04-14 22:25 ` Ryan O'Hara
2011-04-15 4:44 ` Fabio M. Di Nitto
2 siblings, 0 replies; 7+ messages in thread
From: Lon Hohberger @ 2011-04-14 21:41 UTC (permalink / raw)
To: cluster-devel.redhat.com
Note - patch proposed for RHEL6 branch.
--
Lon Hohberger - Red Hat, Inc.
* [Cluster-devel] [PATCH] resource-agents: Fix nfs mount contexts
2011-04-14 19:57 Lon Hohberger
2011-04-14 21:41 ` Lon Hohberger
@ 2011-04-14 22:25 ` Ryan O'Hara
2011-04-15 4:44 ` Fabio M. Di Nitto
2 siblings, 0 replies; 7+ messages in thread
From: Ryan O'Hara @ 2011-04-14 22:25 UTC (permalink / raw)
To: cluster-devel.redhat.com
ACK.
On Thu, Apr 14, 2011 at 03:57:06PM -0400, Lon Hohberger wrote:
> Resolves: rhbz#635828
>
> Signed-off-by: Lon Hohberger <lhh@redhat.com>
> Tested-by: Corey Marthaler <cmarthal@redhat.com>
> ---
> rgmanager/src/resources/nfsserver.sh | 3 +++
> 1 files changed, 3 insertions(+), 0 deletions(-)
>
> diff --git a/rgmanager/src/resources/nfsserver.sh b/rgmanager/src/resources/nfsserver.sh
> index 17f472d..bb2632e 100644
> --- a/rgmanager/src/resources/nfsserver.sh
> +++ b/rgmanager/src/resources/nfsserver.sh
> @@ -222,6 +222,9 @@ create_tree()
> [ -f "$fp/xtab" ] || touch "$fp/xtab"
> [ -f "$fp/rmtab" ] || touch "$fp/rmtab"
>
> + chcon -R system_u:object_r:var_lib_nfs_t:s0 "$fp"
> + chcon -R system_u:object_r:var_lib_nfs_t:s0 "$fp/*"
> +
> #
> # Generate a random state file. If this ends up being what a client
> # already has in its list, that's bad, but the chances of this
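Review bot: the context `system_u:object_r:var_lib_nfs_t:s0` is hard-coded in both chcon lines, so the agent bakes in one policy's type and MLS/MCS range and will mislabel the tree on any host whose policy assigns a different label to /var/lib/nfs. Read the label from the installed system instead, e.g. `stat -c %C /var/lib/nfs/statd` or `matchpathcon -n /var/lib/nfs/statd`, and pass that value to chcon.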
> --
> 1.7.3.4
* [Cluster-devel] [PATCH] resource-agents: Fix nfs mount contexts
2011-04-14 19:57 Lon Hohberger
2011-04-14 21:41 ` Lon Hohberger
2011-04-14 22:25 ` Ryan O'Hara
@ 2011-04-15 4:44 ` Fabio M. Di Nitto
2011-04-15 14:49 ` Lon Hohberger
2 siblings, 1 reply; 7+ messages in thread
From: Fabio M. Di Nitto @ 2011-04-15 4:44 UTC (permalink / raw)
To: cluster-devel.redhat.com
Hi Lon,
2 small bits here..
in nfsserver.sh, we also call restorecon.
IMHO execution of selinux tools should be conditional on selinux being
enabled and the tools being available.
To make this a generic upstream patch, we can do (at the beginning of
the agent):
selinuxon=""
[ -n "$(which selinuxenabled)" ] && selinuxenabled && selinuxon=1
This is mostly paranoia and to cache the result for later use. Invoking
selinuxenabled is cheap.
.....
[ -n "$selinuxon" ] && [ -n "$(which restorecon)" ] && restorecon...
.....
[ -n "$selinuxon" ] && [ -n "$(which chcon)" ] && chcon -R....
chcon -R works recursively, so one invocation should be sufficient.
The main motivator behind this approach is to guarantee that we don't
need resource-agents to Requires those tools at packaging level and
enforce them on a system.
Fabio
On 04/14/2011 09:57 PM, Lon Hohberger wrote:
> Resolves: rhbz#635828
>
> Signed-off-by: Lon Hohberger <lhh@redhat.com>
> Tested-by: Corey Marthaler <cmarthal@redhat.com>
> ---
> rgmanager/src/resources/nfsserver.sh | 3 +++
> 1 files changed, 3 insertions(+), 0 deletions(-)
>
> diff --git a/rgmanager/src/resources/nfsserver.sh b/rgmanager/src/resources/nfsserver.sh
> index 17f472d..bb2632e 100644
> --- a/rgmanager/src/resources/nfsserver.sh
> +++ b/rgmanager/src/resources/nfsserver.sh
> @@ -222,6 +222,9 @@ create_tree()
> [ -f "$fp/xtab" ] || touch "$fp/xtab"
> [ -f "$fp/rmtab" ] || touch "$fp/rmtab"
>
> + chcon -R system_u:object_r:var_lib_nfs_t:s0 "$fp"
> + chcon -R system_u:object_r:var_lib_nfs_t:s0 "$fp/*"
> +
> #
> # Generate a random state file. If this ends up being what a client
> # already has in its list, that's bad, but the chances of this
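Review bot: both `chcon` calls run unconditionally, with no check that SELinux is enabled or that chcon is installed, and their exit status is ignored: on a host without the selinux tools create_tree() prints a command-not-found error on every start, and on a host where the relabel fails the agent carries on with a mislabeled state directory and no log line. Gate the calls on `selinuxenabled` plus tool availability, as proposed above in this reply, and report a non-zero chcon status through `ocf_log`.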
* [Cluster-devel] [PATCH] resource-agents: Fix nfs mount contexts
2011-04-15 4:44 ` Fabio M. Di Nitto
@ 2011-04-15 14:49 ` Lon Hohberger
0 siblings, 0 replies; 7+ messages in thread
From: Lon Hohberger @ 2011-04-15 14:49 UTC (permalink / raw)
To: cluster-devel.redhat.com
On Fri, Apr 15, 2011 at 06:44:47AM +0200, Fabio M. Di Nitto wrote:
> Hi Lon,
>
> 2 small bits here..
>
> in nfsserver.sh, we also call restorecon.
>
> IMHO execution of selinux tools should be conditional on selinux being
> enabled and the tools being available.
>
> To make this a generic upstream patch, we can do (at the beginning of
> the agent):
Yep, I'll revert the one I pushed. Sorry about that.
> selinuxon=""
> [ -n "$(which selinuxenabled)" ] && selinuxenabled && selinuxon=1
>
> This is mostly paranoia and to cache the result for later use. Invoking
> selinuxenabled is cheap.
>
> .....
>
> [ -n "$selinuxon" ] && [ -n "$(which restorecon)" ] && restorecon...
>
> .....
>
> [ -n "$selinuxon" ] && [ -n "$(which chcon)" ] && chcon -R....
>
> chcon -R works recursively, so one invocation should be sufficient.
In my initial testing, it didn't work, but deleting the second line
seemed to work fine now.
> The main motivator behind this approach is to guarantee that we don't
> need resource-agents to Requires those tools at packaging level and
> enforce them on a system.
Understood.
--
Lon Hohberger - Red Hat, Inc.
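As an added example (not code from the resource-agents tree or from anyone in this thread), here is the guarded SELinux handling Fabio sketches in his review, combined with the single recursive chcon Lon confirms above, written as POSIX sh functions. The function names selinux_probe, selinux_label_of and selinux_relabel_tree, and the use of stat -c %C in place of ls -ldZ | cut, are assumptions of this example.

```shell
# Added example, not from resource-agents: SELinux relabel guarded the way
# Fabio proposes, with one recursive chcon as Lon confirmed. Function names
# and the use of stat -c %C are assumptions of this example.

# Cache whether SELinux is usable: tools present AND policy enabled.
# SELINUXON holds "1" or "", so [ -n "$SELINUXON" ] is a real boolean;
# testing a raw $? of 0/1 with [ $x ] is non-empty either way.
SELINUXON=""
selinux_probe() {
    SELINUXON=""
    command -v selinuxenabled >/dev/null 2>&1 || return 0
    command -v chcon >/dev/null 2>&1 || return 0
    selinuxenabled 2>/dev/null && SELINUXON=1
    return 0
}

# Read a reference path's context from the installed policy instead of
# hard-coding system_u:object_r:var_lib_nfs_t:s0; stat -c %C does not
# depend on the column layout of "ls -ldZ | cut -f4 -d' '".
selinux_label_of() {
    stat -c %C "$1" 2>/dev/null
}

# Relabel a whole tree with a single recursive chcon.
# $1 = directory to relabel, $2 = reference path whose label to copy.
# Returns 0 when SELinux is off or tools are missing (nothing to do),
# 1 when the label cannot be read or chcon fails.
selinux_relabel_tree() {
    dir="$1"
    ref="$2"
    [ -n "$SELINUXON" ] || return 0
    label="$(selinux_label_of "$ref")"
    if [ -z "$label" ] || [ "$label" = "?" ]; then
        echo "cannot read SELinux label of $ref" >&2
        return 1
    fi
    if ! chcon -R "$label" "$dir"; then
        echo "chcon -R $label $dir failed" >&2
        return 1
    fi
    return 0
}

# How nfsserver.sh would use it: probe once at the top of the agent,
# relabel the state tree once in create_tree(), before the bind mount.
# selinux_probe
# selinux_relabel_tree "$fp" /var/lib/nfs/statd
```

On a host without SELinux the relabel is a no-op that returns 0, so the agent does not need a packaging dependency on the selinux tools; a failed relabel on an SELinux host is reported on stderr and returns 1.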