From: George Dunlap
Subject: Re: [PATCH] tools/hotplug: Use env rather than sh in xenstored.service
Date: Tue, 15 Sep 2015 12:12:06 +0100
Message-ID: <55F7FD06.5020805@citrix.com>
References: <1442313000-5576-1-git-send-email-george.dunlap@eu.citrix.com>
In-Reply-To: <1442313000-5576-1-git-send-email-george.dunlap@eu.citrix.com>
To: George Dunlap, xen-devel@lists.xen.org
Cc: Ian Jackson, Olaf Hering, Wei Liu, Ian Campbell
List-Id: xen-devel@lists.xenproject.org

On 09/15/2015 11:30 AM, George Dunlap wrote:
> Using sh to exec xenstored breaks on selinux systems (at least, on
> CentOS 7). The only purpose of doing that was to be able to expand
> the $XENSTORED variable; this can be done with /usr/bin/env instead,
> which still works on systemd systems (at least on CentOS 7).
>
> Suggested-by: Olaf Hering
> Signed-off-by: George Dunlap
> ---
>
> One could argue that this is a bug in 4.6 and should be accepted. I
> could also see an argument, however, that this late in the cycle we
> should just wait until 4.6.1. I'll leave it up to Wei to decide.
>
> CC: Ian Campbell
> CC: Ian Jackson
> CC: Wei Liu
> CC: Olaf Hering
> ---
> tools/hotplug/Linux/systemd/xenstored.service.in | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/tools/hotplug/Linux/systemd/xenstored.service.in b/tools/hotplug/Linux/systemd/xenstored.service.in
> index a5f836b..09964f3 100644
> --- a/tools/hotplug/Linux/systemd/xenstored.service.in
> +++ b/tools/hotplug/Linux/systemd/xenstored.service.in
> @@ -15,7 +15,7 @@ EnvironmentFile=-@CONFIG_DIR@/@CONFIG_LEAF_DIR@/xencommons > ExecStartPre=/bin/grep -q control_d /proc/xen/capabilities > ExecStartPre=-/bin/rm -f @XEN_LIB_STORED@/tdb* > ExecStartPre=/bin/mkdir -p @XEN_RUN_DIR@ > -ExecStart=/bin/sh -c "exec $XENSTORED --no-fork $XENSTORED_ARGS" > +ExecStart=/usr/bin/env $XENSTORED --no-fork $XENSTORED_ARGS

Actually, hold off on this one -- apparently env destroys the selinux
context in a way that's too permissive:

# ps axZ | grep xenstored
system_u:system_r:unconfined_service_t:s0 612 ? Ss 0:00 /usr/sbin/xenstored --no-fork

IOW, a side effect of this patch is to "fix" the /var/lib/xenstored
tmpfs selinux context problem by basically disabling that selinux
limitation. :-/

 -George
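Review bot: the new ExecStart= line swaps one wrapper in front of xenstored for another without explaining why the two behave differently under SELinux, and the reply above shows the consequence: with /usr/bin/env as the program that systemd execs, xenstored ends up running as unconfined_service_t, so the "breaks on selinux systems" problem named in the commit message is bypassed rather than fixed. Before this goes in, the commit message should record the context the daemon runs in under both forms (`ps axZ | grep xenstored` with the `/bin/sh -c "exec $XENSTORED --no-fork $XENSTORED_ARGS"` line and with the `/usr/bin/env $XENSTORED --no-fork $XENSTORED_ARGS` line) so that a reviewer can see the regression; and since the commit message says the wrapper exists only to expand $XENSTORED (which systemd will not do for the program argument itself), consider substituting the daemon path at build time the way this file already does for @XEN_RUN_DIR@ and @XEN_LIB_STORED@, at the cost of the runtime choice of xenstored presumably made in the xencommons EnvironmentFile= this unit loads.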
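Turning the `ps axZ` check in the reply above into something scriptable, as an added example that is not part of this thread or of the Xen tree: it parses the SELinux context column of a `ps axZ` listing, extracts the domain xenstored landed in, and flags the unconfined result that the env wrapper produced. Both listings are constructed for the example (the first is the line quoted above; the second assumes a confined domain named `xenstored_t` purely for comparison).

```shell
#!/bin/sh
# Added example (not from the xen-devel thread): script the manual
# "ps axZ | grep xenstored" check so a packaging or CI job can tell
# whether a unit file change left the daemon in a confined domain.

# Extract the SELinux type (third field of user:role:type:level) from
# one line of `ps axZ` output; the context is the first column.
selinux_type_of() {
    printf '%s\n' "$1" | awk '{ split($1, c, ":"); print c[3] }'
}

# Return 0 if the type is a confined domain, 1 if it is one of the
# unconfined domains that mean SELinux is not restricting the process.
is_confined() {
    case "$1" in
        unconfined_t|unconfined_service_t) return 1 ;;
        *) return 0 ;;
    esac
}

# Read a `ps axZ` listing on stdin, find xenstored, print its domain and
# return 0 (confined), 1 (unconfined) or 2 (not running).
check_xenstored() {
    line=$(grep '[x]enstored' | head -n 1)
    [ -n "$line" ] || { echo "xenstored: not running"; return 2; }
    t=$(selinux_type_of "$line")
    if is_confined "$t"; then
        echo "xenstored: confined as $t"
        return 0
    else
        echo "xenstored: UNCONFINED as $t"
        return 1
    fi
}

# Constructed sample listings. SAMPLE_ENV is the line quoted in the
# reply (the /usr/bin/env wrapper); SAMPLE_CONFINED assumes a
# hypothetical confined domain name, xenstored_t, for comparison.
SAMPLE_ENV='system_u:system_r:unconfined_service_t:s0   612 ?        Ss     0:00 /usr/sbin/xenstored --no-fork'
SAMPLE_CONFINED='system_u:system_r:xenstored_t:s0       612 ?        Ss     0:00 /usr/sbin/xenstored --no-fork'

# Demo; on a live host replace the printf with `ps axZ`.
printf '%s\n' "$SAMPLE_ENV" | check_xenstored || true
printf '%s\n' "$SAMPLE_CONFINED" | check_xenstored || true
```

Run it once with the `/bin/sh -c "exec ..."` ExecStart= and once with the `/usr/bin/env` one; a change in the return code of `check_xenstored` between the two is exactly the regression the reply describes.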