From mboxrd@z Thu Jan 1 00:00:00 1970
From: Fabio M. Di Nitto
Date: Fri, 15 Apr 2011 06:44:47 +0200
Subject: [Cluster-devel] [PATCH] resource-agents: Fix nfs mount contexts
In-Reply-To: <1302811026-7803-1-git-send-email-lhh@redhat.com>
References: <1302811026-7803-1-git-send-email-lhh@redhat.com>
Message-ID: <4DA7CD3F.8060106@redhat.com>
List-Id:
To: cluster-devel.redhat.com
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

Hi Lon,

2 small bits here..

in nfsserver.sh, we also call restorecon.

IMHO execution of selinux tools should be conditional to selinux being enabled and tools available.

To make this a generic upstream patch, we can do (at the beginning of the agent):

selinuxon=""
[ -n "$(which selinuxenabled)" ] && selinuxenabled && selinuxon=1

this is mostly paranoia and to cache the result for later use. invoking selinuxenabled is cheap.

.....

[ -n "$selinuxon" ] && [ -n "$(which restorecon)" ] && restorecon...

.....

[ -n "$selinuxon" ] && [ -n "$(which chcon)" ] && chcon -R....

chcon -R works recursively, so one invocation should be sufficient.

The main motivator behind this approach is to guarantee that we don't need resource-agents to Requires those tools at packaging level and enforce them on a system.

Fabio

On 04/14/2011 09:57 PM, Lon Hohberger wrote:
> Resolves: rhbz#635828 > > Signed-off-by: Lon Hohberger > Tested-by: Corey Marthaler > --- > rgmanager/src/resources/nfsserver.sh | 3 +++ > 1 files changed, 3 insertions(+), 0 deletions(-) > > diff --git a/rgmanager/src/resources/nfsserver.sh b/rgmanager/src/resources/nfsserver.sh > index 17f472d..bb2632e 100644 > --- a/rgmanager/src/resources/nfsserver.sh > +++ b/rgmanager/src/resources/nfsserver.sh 
> @@ -222,6 +222,9 @@ create_tree() > [ -f "$fp/xtab" ] || touch "$fp/xtab" > [ -f "$fp/rmtab" ] || touch "$fp/rmtab" > > + chcon -R system_u:object_r:var_lib_nfs_t:s0 "$fp" > + chcon -R system_u:object_r:var_lib_nfs_t:s0 "$fp/*" > + > # > # Generate a random state file. If this ends up being what a client > # already has in its list, that's bad, but the chances of this
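
Review bot: the second added line, chcon -R system_u:object_r:var_lib_nfs_t:s0 "$fp/*", puts the glob inside double quotes, so the shell does not expand it and chcon is handed the literal path $fp/* rather than the directory's contents; unless a file with that literal name exists, that call only produces an error. The line before it already runs chcon -R on "$fp", which relabels everything underneath, so the second call can be dropped. Both calls are also unconditional and their exit status is not checked: on a host where chcon is not installed or SELinux is not enabled they can fail inside create_tree() with nothing handling the failure, so consider guarding them (for example on selinuxenabled succeeding and chcon being present) and deciding whether a failed relabel should abort the tree setup or only be logged.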