* [PATCH] xfstests: mount xfs with a context when selinux is on
From: Eric Sandeen @ 2010-02-17 19:12 UTC
To: xfs mailing list
When selinux is on, we get tons of new xattrs, which messes
up all kinds of output.
The simplest way out of this, for now, seems to be to just mount
with a global context instead and skip writing the extra xattrs.
I've been using this internally on Fedora and RHEL for a while now.
Signed-off-by: Eric Sandeen <sandeen@sandeen.net>
---
diff --git a/189 b/189
index 8f1c0e1..e91d5cd 100755
--- a/189
+++ b/189
@@ -45,7 +45,8 @@ _cleanup()
_scratch_filter()
{
sed -e "s#$SCRATCH_DEV#SCRATCH_DEV#" \
- -e "s#$SCRATCH_MNT#SCRATCH_MNT#"
+ -e "s#$SCRATCH_MNT#SCRATCH_MNT#" \
+ -e "s#,context.*s0\"##"
}
_check_mount()
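Review bot: The new expression `s#,context.*s0\"##` in `_scratch_filter` is greedy and tied to one label. `.*` runs to the last `s0"` on the line, so if that string appears again later in the output everything in between is stripped as well, and a context whose level is not `s0` is not filtered at all. Matching only the quoted value, for example `s#,context=\"[^\"]*\"##`, would remove exactly the one option regardless of which label is in use.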
diff --git a/common.rc b/common.rc
index c76bcde..ca2cd2c 100644
--- a/common.rc
+++ b/common.rc
@@ -47,8 +47,16 @@ _ls_l()
_mount_opts()
{
+ # SELinux adds extra xattrs which can mess up our expected output.
+ # So, mount with a context, and they won't be created
+ # nfs_t is a "liberal" context so we can use it.
+ if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled; then
+ SELINUX_MOUNT_OPTIONS="-o context=system_u:object_r:nfs_t:s0"
+ fi
+
case $FSTYP in
xfs)
+ export SELINUX_MOUNT_OPTIONS
export MOUNT_OPTIONS=$XFS_MOUNT_OPTIONS
;;
udf)
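Review bot: `SELINUX_MOUNT_OPTIONS` is assigned before `case $FSTYP`, so it is set for every filesystem type, while the `export` sits only in the `xfs)` branch. The mount helpers changed later in this patch expand the variable unconditionally, so non-xfs runs would also mount with the context even though the subject line says xfs. Either move the assignment into the `xfs)` branch or export it for all types and say so in the commit message. The assignment also overwrites any value already set in the environment, and it assumes `nfs_t` exists in the loaded policy, so a comment on how to override the label would help people running a different policy.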
@@ -214,7 +222,7 @@ _scratch_mount_options()
{
_scratch_options mount
- echo $SCRATCH_OPTIONS $MOUNT_OPTIONS $* $SCRATCH_DEV $SCRATCH_MNT
+ echo $SCRATCH_OPTIONS $MOUNT_OPTIONS $SELINUX_MOUNT_OPTIONS $* $SCRATCH_DEV $SCRATCH_MNT
}
_scratch_mount()
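Review bot: With `$SELINUX_MOUNT_OPTIONS` added to the `echo` in `_scratch_mount_options`, the context option becomes part of every scratch mount's options, but the only output filter this patch updates is `_scratch_filter` in test 189. If other tests print mount options they will need the same substitution, so it may be better placed in a shared filter than in a single test.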
@@ -236,7 +244,7 @@ _scratch_remount()
_test_mount()
{
_test_options mount
- _mount -t $FSTYP $TEST_OPTIONS $TEST_FS_MOUNT_OPTS $* $TEST_DEV $TEST_DIR
+ _mount -t $FSTYP $TEST_OPTIONS $TEST_FS_MOUNT_OPTS $SELINUX_MOUNT_OPTIONS $* $TEST_DEV $TEST_DIR
}
_scratch_mkfs_options()
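Review bot: In `_test_mount` the default context is appended unconditionally after `$TEST_FS_MOUNT_OPTS` and before `$*`, so a run that already passes its own `context=` through either of those ends up with two context options on the mount command line. Consider skipping the default when one is already present, and documenting `SELINUX_MOUNT_OPTIONS` alongside the other mount option variables.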
_______________________________________________
xfs mailing list
xfs@oss.sgi.com
http://oss.sgi.com/mailman/listinfo/xfs
* Re: [PATCH] xfstests: mount xfs with a context when selinux is on
From: Dave Chinner @ 2010-02-17 23:03 UTC
To: Eric Sandeen; +Cc: xfs mailing list
On Wed, Feb 17, 2010 at 01:12:24PM -0600, Eric Sandeen wrote:
> When selinux is on, we get tons of new xattrs, which messes
> up all kinds of output.
>
> The simplest way out of this, for now, seems to be to just mount
> with a global context instead and skip writing the extra xattrs.
>
> I've been using this internally on Fedora and RHEL for a while now.
>
> Signed-off-by: Eric Sandeen <sandeen@sandeen.net>
I know very little about selinux, so while the code changes look OK
I have no idea if the context change is All Goodness.
> --- a/common.rc
> +++ b/common.rc
> @@ -47,8 +47,16 @@ _ls_l()
>
> _mount_opts()
> {
> + # SELinux adds extra xattrs which can mess up our expected output.
> + # So, mount with a context, and they won't be created
> + # nfs_t is a "liberal" context so we can use it.
> + if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled; then
> + SELINUX_MOUNT_OPTIONS="-o context=system_u:object_r:nfs_t:s0"
> + fi
> +
i.e. is t_nfs a context specific to a RHEL/Fedora setup, or is it a
generic context that other distros also define?
Cheers,
Dave.
--
Dave Chinner
david@fromorbit.com
* Re: [PATCH] xfstests: mount xfs with a context when selinux is on
From: Eric Sandeen @ 2010-02-18 22:04 UTC
To: Dave Chinner; +Cc: xfs mailing list
Dave Chinner wrote:
> On Wed, Feb 17, 2010 at 01:12:24PM -0600, Eric Sandeen wrote:
>> When selinux is on, we get tons of new xattrs, which messes
>> up all kinds of output.
>>
>> The simplest way out of this, for now, seems to be to just mount
>> with a global context instead and skip writing the extra xattrs.
>>
>> I've been using this internally on Fedora and RHEL for a while now.
>>
>> Signed-off-by: Eric Sandeen <sandeen@sandeen.net>
>
> I know very little about selinux, so while the code changes look OK
> I have no idea if the context change is All Goodness.
>
>> --- a/common.rc
>> +++ b/common.rc
>> @@ -47,8 +47,16 @@ _ls_l()
>>
>> _mount_opts()
>> {
>> + # SELinux adds extra xattrs which can mess up our expected output.
>> + # So, mount with a context, and they won't be created
>> + # nfs_t is a "liberal" context so we can use it.
>> + if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled; then
>> + SELINUX_MOUNT_OPTIONS="-o context=system_u:object_r:nfs_t:s0"
>> + fi
>> +
>
> i.e. is t_nfs a context specific to a RHEL/Fedora setup, or is it a
> generic context that other distros also define?
I'll ask; I think this is what they told me to use last time, but I
didn't ask if it was policy-specific...
-Eric
> Cheers,
>
> Dave.
* Re: [PATCH] xfstests: mount xfs with a context when selinux is on
From: Eric Sandeen @ 2010-02-18 22:54 UTC
To: Dave Chinner; +Cc: xfs mailing list
Eric Sandeen wrote:
> Dave Chinner wrote:
>> On Wed, Feb 17, 2010 at 01:12:24PM -0600, Eric Sandeen wrote:
>>> When selinux is on, we get tons of new xattrs, which messes
>>> up all kinds of output.
>>>
>>> The simplest way out of this, for now, seems to be to just mount
>>> with a global context instead and skip writing the extra xattrs.
>>>
>>> I've been using this internally on Fedora and RHEL for a while now.
>>>
>>> Signed-off-by: Eric Sandeen <sandeen@sandeen.net>
>> I know very little about selinux, so while the code changes look OK
>> I have no idea if the context change is All Goodness.
>>
>>> --- a/common.rc
>>> +++ b/common.rc
>>> @@ -47,8 +47,16 @@ _ls_l()
>>>
>>> _mount_opts()
>>> {
>>> + # SELinux adds extra xattrs which can mess up our expected output.
>>> + # So, mount with a context, and they won't be created
>>> + # nfs_t is a "liberal" context so we can use it.
>>> + if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled; then
>>> + SELINUX_MOUNT_OPTIONS="-o context=system_u:object_r:nfs_t:s0"
>>> + fi
>>> +
>> i.e. is t_nfs a context specific to a RHEL/Fedora setup, or is it a
>> generic context that other distros also define?
>
> I'll ask; I think this is what they told me to use last time, but I
> didn't ask if it was policy-specific...
our selinux guys still recommend this context as suitably generic.
-Eric
* Re: [PATCH] xfstests: mount xfs with a context when selinux is on
From: Dave Chinner @ 2010-02-18 23:32 UTC
To: Eric Sandeen; +Cc: xfs mailing list
On Thu, Feb 18, 2010 at 04:54:05PM -0600, Eric Sandeen wrote:
> Eric Sandeen wrote:
> > Dave Chinner wrote:
> >> On Wed, Feb 17, 2010 at 01:12:24PM -0600, Eric Sandeen wrote:
> >>> When selinux is on, we get tons of new xattrs, which messes
> >>> up all kinds of output.
> >>>
> >>> The simplest way out of this, for now, seems to be to just mount
> >>> with a global context instead and skip writing the extra xattrs.
> >>>
> >>> I've been using this internally on Fedora and RHEL for a while now.
> >>>
> >>> Signed-off-by: Eric Sandeen <sandeen@sandeen.net>
> >> I know very little about selinux, so while the code changes look OK
> >> I have no idea if the context change is All Goodness.
> >>
> >>> --- a/common.rc
> >>> +++ b/common.rc
> >>> @@ -47,8 +47,16 @@ _ls_l()
> >>>
> >>> _mount_opts()
> >>> {
> >>> + # SELinux adds extra xattrs which can mess up our expected output.
> >>> + # So, mount with a context, and they won't be created
> >>> + # nfs_t is a "liberal" context so we can use it.
> >>> + if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled; then
> >>> + SELINUX_MOUNT_OPTIONS="-o context=system_u:object_r:nfs_t:s0"
> >>> + fi
> >>> +
> >> i.e. is t_nfs a context specific to a RHEL/Fedora setup, or is it a
> >> generic context that other distros also define?
> >
> > I'll ask; I think this is what they told me to use last time, but I
> > didn't ask if it was policy-specific...
>
> our selinux guys still recommend this context as suitably generic.
OK. Consider it:
Reviewed-by: Dave Chinner <david@fromorbit.com>
--
Dave Chinner
david@fromorbit.com