From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
To: Ian Jackson <Ian.Jackson@eu.citrix.com>
Cc: Olaf Hering <olaf@aepfle.de>, Wei Liu <wei.liu2@citrix.com>,
Ian Campbell <Ian.Campbell@citrix.com>,
Stefano Stabellini <stefano.stabellini@eu.citrix.com>,
xen-devel@lists.xen.org, m.a.young@durham.ac.uk
Subject: Re: [PATCH 7/7] tools/hotplug: add wrapper to start xenstored
Date: Wed, 7 Jan 2015 10:42:09 -0500 [thread overview]
Message-ID: <20150107154209.GA30955@l.oracle.com> (raw)
In-Reply-To: <21677.20563.58876.918037@mariner.uk.xensource.com>
On Wed, Jan 07, 2015 at 03:27:15PM +0000, Ian Jackson wrote:
> Olaf Hering writes ("Re: [PATCH 7/7] tools/hotplug: add wrapper to start xenstored"):
> > If I recall correctly the point of the current 'sh -c "exec ..."' stunt
> > was to expand the XENSTORE variable from the sysconfig file. But this
> > approach leads to failures with SELinux because the socket passing does
> > not work this way. Up to now I have not seen a success report for
> > selinux+systemd+xenstored. Maybe its already somewhere in the other
> > unread mails.
>
> The selinux policy should follow the actual code, not vice versa.
>
> That is, if the approach which we select (based on all the other
> criteria) is not compatible with existing selinux policies, this
> should be fixed by changing the selinux policies.
>
> Since the selinux policies are not in xen.git, and are not maintained
> as part of the Xen Project, there is no reason to delay introducing
> changes in xen.git#master which are known to be incompatible with some
> selinux policies.
>
> My conclusion therefore is that selinux policies are an irrelevant
> consideration when deciding what the scripts, systemd integration,
> etc. should look like in xen.git#master.
>
> (And what applies to xen.git#master applies to the as-yet-unreleased
> xen.git#staging-4.5 too.)
>
> > Hopefully someone with access to a SELinux enabled system will report
> > which approach actually works.
>
> I have concluded that the right approach is to disregard selinux.
> Developers of selinux-enforcing setups should update the selinux
> policies to support what the upstream Xen Project code does.
... which is none. We don't ship any SELinux policies.
Anyhow I concur with the sentiment which is why I was aiming at just
having an release note about the SELinux part - and having this patch
not worry that much about SELinux and instead be satisfactory
to you and IanC.
Olaf, that hopefully would make it easier for you to come up with
a nice patch ?
>
> Thanks,
> Ian.
next prev parent reply other threads:[~2015-01-07 15:42 UTC|newest]
Thread overview: 58+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-12-19 11:25 [PATCH 0/7 v3] tools/hotplug: systemd changes for 4.5 Olaf Hering
2014-12-19 11:25 ` [PATCH 1/7] tools/hotplug: remove SELinux options from var-lib-xenstored.mount Olaf Hering
2015-01-06 11:27 ` Ian Campbell
2015-01-07 9:23 ` Olaf Hering
2015-01-07 9:31 ` Ian Campbell
2015-01-07 14:53 ` Konrad Rzeszutek Wilk
2015-01-06 14:48 ` Ian Jackson
2015-09-10 13:52 ` George Dunlap
2015-09-10 14:13 ` M A Young
2015-09-10 14:17 ` George Dunlap
2015-09-11 6:31 ` Olaf Hering
2015-09-14 16:30 ` George Dunlap
2015-09-14 18:33 ` Olaf Hering
2015-09-15 8:55 ` George Dunlap
2015-09-15 12:48 ` Olaf Hering
2015-09-15 12:55 ` George Dunlap
2015-09-15 13:58 ` Konrad Rzeszutek Wilk
2015-09-15 14:01 ` George Dunlap
2015-09-15 15:12 ` Konrad Rzeszutek Wilk
2015-09-15 15:52 ` George Dunlap
2015-09-15 13:57 ` Konrad Rzeszutek Wilk
2014-12-19 11:25 ` [PATCH 2/7] tools/hotplug: remove XENSTORED_ROOTDIR from xenstored.service Olaf Hering
2014-12-19 11:25 ` [PATCH 3/7] tools/hotplug: xendomains.service depends on network Olaf Hering
2014-12-19 11:25 ` [PATCH 4/7] tools/hotplug: use xencommons as EnvironmentFile in xenconsoled.service Olaf Hering
2015-01-06 11:29 ` Ian Campbell
2015-01-06 14:45 ` Ian Jackson
2014-12-19 11:25 ` [PATCH 5/7] tools/hotplug: use XENCONSOLED_TRACE " Olaf Hering
2015-01-06 11:30 ` Ian Campbell
2015-01-06 15:26 ` Konrad Rzeszutek Wilk
2015-01-06 14:46 ` Ian Jackson
2014-12-19 11:25 ` [PATCH 6/7] tools/hotplug: remove EnvironmentFile from xen-qemu-dom0-disk-backend.service Olaf Hering
2015-01-06 11:33 ` Ian Campbell
2015-01-06 14:50 ` Ian Jackson
2014-12-19 11:25 ` [PATCH 7/7] tools/hotplug: add wrapper to start xenstored Olaf Hering
2015-01-06 11:41 ` Ian Campbell
2015-01-07 9:40 ` Olaf Hering
2015-01-07 15:27 ` Ian Jackson
2015-01-07 15:42 ` Konrad Rzeszutek Wilk [this message]
2015-09-10 14:19 ` George Dunlap
2015-09-10 14:53 ` Wei Liu
2015-09-10 15:01 ` M A Young
2015-09-10 15:10 ` Wei Liu
2015-09-10 15:11 ` George Dunlap
2015-09-10 16:01 ` Ian Jackson
2015-09-11 6:42 ` Olaf Hering
2015-01-06 14:58 ` Ian Jackson
2015-01-07 9:49 ` Olaf Hering
2015-01-07 14:55 ` Konrad Rzeszutek Wilk
2014-12-19 19:10 ` [PATCH 0/7 v3] tools/hotplug: systemd changes for 4.5 Konrad Rzeszutek Wilk
2014-12-22 8:06 ` Olaf Hering
2014-12-31 15:31 ` Konrad Rzeszutek Wilk
2015-01-05 21:22 ` Konrad Rzeszutek Wilk
2015-01-06 10:05 ` Ian Campbell
2015-01-06 15:00 ` Ian Jackson
2015-01-06 15:19 ` Konrad Rzeszutek Wilk
2015-01-07 9:53 ` Olaf Hering
2015-01-07 14:56 ` Konrad Rzeszutek Wilk
2015-01-07 15:03 ` Olaf Hering
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150107154209.GA30955@l.oracle.com \
--to=konrad.wilk@oracle.com \
--cc=Ian.Campbell@citrix.com \
--cc=Ian.Jackson@eu.citrix.com \
--cc=m.a.young@durham.ac.uk \
--cc=olaf@aepfle.de \
--cc=stefano.stabellini@eu.citrix.com \
--cc=wei.liu2@citrix.com \
--cc=xen-devel@lists.xen.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).