From mboxrd@z Thu Jan  1 00:00:00 1970
From: Ian Campbell <Ian.Campbell@citrix.com>
Subject: Re: [PATCH 1/7] tools/hotplug: remove SELinux options
 from var-lib-xenstored.mount
Date: Tue, 6 Jan 2015 11:27:38 +0000
Message-ID: <1420543658.28863.138.camel@citrix.com>
References: <1418988333-5404-1-git-send-email-olaf@aepfle.de>
	<1418988333-5404-2-git-send-email-olaf@aepfle.de>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <xen-devel-bounces@lists.xen.org>
In-Reply-To: <1418988333-5404-2-git-send-email-olaf@aepfle.de>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-devel>,
	<mailto:xen-devel-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-devel@lists.xen.org>
List-Help: <mailto:xen-devel-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-devel>,
	<mailto:xen-devel-request@lists.xen.org?subject=subscribe>
Sender: xen-devel-bounces@lists.xen.org
Errors-To: xen-devel-bounces@lists.xen.org
To: Olaf Hering <olaf@aepfle.de>
Cc: Wei Liu <wei.liu2@citrix.com>, Stefano Stabellini <stefano.stabellini@eu.citrix.com>, Ian Jackson <ian.jackson@eu.citrix.com>, xen-devel@lists.xen.org, m.a.young@durham.ac.uk, Anthony PERARD <anthony.perard@citrix.com>, "Luis R. Rodriguez" <mcgrof@do-not-panic.com>
List-Id: xen-devel@lists.xenproject.org

On Fri, 2014-12-19 at 12:25 +0100, Olaf Hering wrote:
> Using SELinux mount options per default breaks several systems.
> Either the context= mount option is not known at all to the kernel,
> as reported for ArchLinux. Or the default value "none" is unknown to
> SELinux, as reported for Fedora. In both cases the unit will fail.
> 
> The proper place to specify mount options is /etc/fstab. Appearently
> systemd is kind enough to use values from there even if Options= or
> What= is specified in a .mount file.
> 
> Remove XENSTORED_MOUNT_CTX, the reference to a non-existant
> EnvironmentFile and trim default Options= for the mount point.
> 
> The removed code was first mentioned in the patch referenced below,
> with the following description:
> ...
>  * Some systems define the selinux context in the systemd Option for
>    the /var/lib/xenstored tmpfs:
>      Options=mode=755,context="system_u:object_r:xenstored_var_lib_t:s0"
>    For the upstream version we remove that and let systems specify
>    the context on their system /etc/default/xenstored or
>    /etc/sysconfig/xenstored $XENSTORED_MOUNT_CTX variable
> ...
> It is nowhere stated (on xen-devel) what "Some systems" means, which
> is unfortunately common practice in nearly all opensource projects.
> http://lists.xenproject.org/archives/html/xen-devel/2014-03/msg02462.html
> 
> Signed-off-by: Olaf Hering <olaf@aepfle.de>
> Cc: Ian Jackson <ian.jackson@eu.citrix.com>
> Cc: Stefano Stabellini <stefano.stabellini@eu.citrix.com>

Acked-by: Ian Campbell <ian.campbell@citrix.com>

(on commit s/Appearently/Apparently/; s/non-existant/non-existent/ in
the commit log)

> -Options=mode=755,context="$XENSTORED_MOUNT_CTX"
> +Options=mode=755

FWIW an alternative might have been:
  Options=mode=755,$XENSTORED_MOUNT_OPTIONS
where the variable from the EnvironmentFile could contain context= as
necessary (and maybe even mode=... by default).

But if /etc/fstab is the Right Place(tm) then lets go with that for 4.5.

Ian.