Change in vdsm[master]: lvm: Modify lv selinux label only if not labelled as libvir...

2014-10-02 Thread oVirt Jenkins CI Server
oVirt Jenkins CI Server has posted comments on this change.

Change subject: lvm: Modify lv selinux label only if not labelled as libvirt image
..


Patch Set 1:

Build Failed

http://jenkins.ovirt.org/job/vdsm_master_install-rpm-sanity-fc20_created/413/ : FAILURE

http://jenkins.ovirt.org/job/vdsm_master_install-rpm-sanity-el6_created/430/ : SUCCESS

http://jenkins.ovirt.org/job/vdsm_master_unit_tests_gerrit_el/11753/ : FAILURE

http://jenkins.ovirt.org/job/vdsm_master_unit-tests_created/12697/ : FAILURE

http://jenkins.ovirt.org/job/vdsm_master_pep8_gerrit/12542/ : SUCCESS

-- 
To view, visit http://gerrit.ovirt.org/33620
To unsubscribe, visit http://gerrit.ovirt.org/settings

Gerrit-MessageType: comment
Gerrit-Change-Id: Ide7560564e4c83c84dd288b5a8305ad1ddb4cfcb
Gerrit-PatchSet: 1
Gerrit-Project: vdsm
Gerrit-Branch: master
Gerrit-Owner: Nir Soffer nsof...@redhat.com
Gerrit-Reviewer: Allon Mureinik amure...@redhat.com
Gerrit-Reviewer: Dan Kenigsberg dan...@redhat.com
Gerrit-Reviewer: Federico Simoncelli fsimo...@redhat.com
Gerrit-Reviewer: Nir Soffer nsof...@redhat.com
Gerrit-Reviewer: Sandro Bonazzola sbona...@redhat.com
Gerrit-Reviewer: automat...@ovirt.org
Gerrit-Reviewer: oVirt Jenkins CI Server
Gerrit-HasComments: No
___
vdsm-patches mailing list
vdsm-patches@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/vdsm-patches


Change in vdsm[master]: lvm: Modify lv selinux label only if not labelled as libvir...

2014-10-01 Thread nsoffer
Nir Soffer has uploaded a new change for review.

Change subject: lvm: Modify lv selinux label only if not labelled as libvirt image
..

lvm: Modify lv selinux label only if not labelled as libvirt image

When using the faulty version of systemd that removes libvirt image
labels from block devices, this patch has no effect. However, when a fix
is available and the libvirt image label exists, vdsm will not change the
original libvirt label. This allows increased protection for virtual
machines.

Change-Id: Ide7560564e4c83c84dd288b5a8305ad1ddb4cfcb
Bug-Url: https://bugzilla.redhat.com/1127460
Signed-off-by: Nir Soffer nsof...@redhat.com
---
M .gitignore
M configure.ac
M vdsm.spec.in
A vdsm/storage/vdsm-chcon.in
M vdsm/storage/vdsm-lvm.rules.tpl.in
5 files changed, 32 insertions(+), 5 deletions(-)


  git pull ssh://gerrit.ovirt.org:29418/vdsm refs/changes/20/33620/1

diff --git a/.gitignore b/.gitignore
index 5890806..cba2247 100644
--- a/.gitignore
+++ b/.gitignore
@@ -60,6 +60,7 @@
 vdsm/sos/vdsm.py
 vdsm/storage/protect/safelease
 vdsm/storage/lvm.env
+vdsm/storage/vdsm-chcon
 vdsm/storage/vdsm-lvm.rules
 vdsm/sudoers.vdsm
 vdsm/svdsm.logger.conf
diff --git a/configure.ac b/configure.ac
index 40c37a9..e4b0c88 100644
--- a/configure.ac
+++ b/configure.ac
@@ -122,7 +122,10 @@
 )
 AC_SUBST([LIBVIRT_SERVICE_DEFAULT], [${with_libvirt_service_default}])
 
-AC_SUBST([LIBVIRT_IMAGE_LABEL], ['svirt_image_t'])
+
+# Selinux image label
+AC_SUBST([SVIRT_IMAGE_LABEL], ['svirt_image_t'])
+AC_SUBST([SVIRT_CONTENT_LABEL], ['svirt_content_t'])
 
 
 # Users and groups
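Review bot: The rename from LIBVIRT_IMAGE_LABEL to SVIRT_IMAGE_LABEL in this AC_SUBST block leaves nothing defining the old name, so any template that still contains @LIBVIRT_IMAGE_LABEL@ would be generated with the placeholder unexpanded. A grep for the old name across the *.in files would confirm that every user has been switched. The hunk also leaves two consecutive blank lines before the new "# Selinux image label" comment; one can be dropped.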
@@ -281,6 +284,7 @@
 AC_PATH_PROG([IP_PATH], [ip], [/sbin/ip])
 AC_PATH_PROG([ISCSIADM_PATH], [iscsiadm], [/sbin/iscsiadm])
 AC_PATH_PROG([KILL_PATH], [kill], [/bin/kill])
+AC_PATH_PROG([LS_PATH], [ls], [/bin/ls])
 AC_PATH_PROG([LVM_PATH], [lvm], [/sbin/lvm])
 AC_PATH_PROG([MKFS_MSDOS_PATH], [mkfs.msdos], [/sbin/mkfs.msdos])
 AC_PATH_PROG([MKFS_PATH], [mkfs], [/sbin/mkfs])
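Review bot: Only LS_PATH is added to the AC_PATH_PROG list here, while the new vdsm-chcon.in also substitutes @GREP_PATH@ and @CHCON_PATH@. Neither definition is visible in this patch, so it is worth confirming both already exist in configure.ac; otherwise the generated helper will contain the literal placeholders and fail when udev runs it.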
@@ -351,6 +355,7 @@
vdsm/storage/Makefile
vdsm/storage/imageRepository/Makefile
vdsm/storage/protect/Makefile
+   vdsm/storage/vdsm-chcon
vdsm/storage/vdsm-lvm.rules.tpl
vdsm/virt/Makefile
vdsm_hooks/Makefile
diff --git a/vdsm.spec.in b/vdsm.spec.in
index 15006d4..7ec5c42 100644
--- a/vdsm.spec.in
+++ b/vdsm.spec.in
@@ -55,8 +55,10 @@
 
 %if 0%{?rhel} == 6
 %global _udevrulesdir /lib/udev/rules.d/
+%global _udevexecdir /lib/udev/
 %else
 %global _udevrulesdir /usr/lib/udev/rules.d/
+%global _udevexecdir /usr/lib/udev/
 %endif
 
 Name:   %{vdsm_name}
@@ -688,6 +690,11 @@
 install -Dm 0644 vdsm/storage/vdsm-lvm.rules \
  %{buildroot}%{_udevrulesdir}/12-vdsm-lvm.rules
 
+%if 0%{?with_chcon_hack}
+install -Dm 0755 vdsm/storage/vdsm-chcon \
+ %{buildroot}%{_udevexecdir}/vdsm-chcon
+%endif
+
 install -Dm 0644 vdsm/limits.conf \
  %{buildroot}/etc/security/limits.d/99-vdsm.conf
 
@@ -1174,6 +1181,9 @@
 %endif
 %{python_sitelib}/sos/plugins/vdsm.py*
 %{_udevrulesdir}/12-vdsm-lvm.rules
+%if 0%{?with_chcon_hack}
+%{_udevexecdir}/vdsm-chcon
+%endif
 /etc/security/limits.d/99-vdsm.conf
 %{_mandir}/man8/vdsmd.8*
 %if 0%{?rhel}
diff --git a/vdsm/storage/vdsm-chcon.in b/vdsm/storage/vdsm-chcon.in
new file mode 100644
index 000..6f1eb6e
--- /dev/null
+++ b/vdsm/storage/vdsm-chcon.in
@@ -0,0 +1,14 @@
+#!/bin/sh
+
+# This script must be called from a udev rule and assumes the udev environment
+# variables.
+
+# Do not touch the device if it is already labelled is libvirt image. It will
+# probably be a fixed_disk_t or it may have no selinux label.
+if @LS_PATH@ -Z $DEVNAME | \
+@GREP_PATH@ -q -E :@SVIRT_CONTENT_LABEL@:|:@SVIRT_IMAGE_LABEL@:; then
+exit 0
+fi
+
+echo Changing selinux type to @SVIRT_IMAGE_LABEL@ on $DEVNAME 2
+@CHCON_PATH@ -t @SVIRT_IMAGE_LABEL@ $DEVNAME
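Review bot: $DEVNAME is expanded without quotes in both the `ls -Z` test and the final chcon call, and the grep pattern as shown has a bare `|` between the two label alternatives, which the shell would treat as a pipe rather than as regex alternation. Quoting the variable as `"$DEVNAME"` and putting the whole `-E` expression in single quotes avoids both problems. The header comment also needs rewording: its second sentence ("It will probably be a fixed_disk_t or it may have no selinux label") describes the devices that do get relabelled, not the ones being skipped, so it belongs next to the chcon line. The echo line ends in a bare `2`, which as written becomes part of the message; if the message is meant for stderr it needs an explicit redirection.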
diff --git a/vdsm/storage/vdsm-lvm.rules.tpl.in 
b/vdsm/storage/vdsm-lvm.rules.tpl.in
index 0869cdf..fb6c87a 100644
--- a/vdsm/storage/vdsm-lvm.rules.tpl.in
+++ b/vdsm/storage/vdsm-lvm.rules.tpl.in
@@ -23,16 +23,13 @@
 # label is lost after refreshing a logical volume, and vm get paused. This rule
 # ensures that the label exist after device changes. See
 # https://bugzilla.redhat.com/1147910
-#
-# TODO: use SECLABEL{selinux}=@LIBVIRT_IMAGE_LABEL@ when this syntax is
-# supported. See https://bugzilla.redhat.com/1015300
 {{endif}}
 
 # add event is processed on coldplug only, so we need change, too.
 ACTION!=add|change, GOTO=lvm_end
 
 # Fix ownership for RHEV volumes
-ENV{DM_VG_NAME}==[a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9]-[a-f0-9][a-f0-9][a-f0-9][a-f0-9]-[a-f0-9][a-f0-9][a-f0-9][a-f0-9]-[a-f0-9][a-f0-9][a-f0-9][a-f0-9]-[a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9],
 
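Review bot: Removing the TODO about `SECLABEL{selinux}` drops the only pointer to https://bugzilla.redhat.com/1015300 from the comment block, which was the record of how this rule is meant to be replaced once udev supports that syntax. Since the patch moves the labelling into a helper script instead, the comment should say why the helper is used and under what condition it can be removed, rather than leaving no trace of the intended native approach.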

Change in vdsm[master]: lvm: Modify lv selinux label only if not labelled as libvir...

2014-10-01 Thread nsoffer
Nir Soffer has posted comments on this change.

Change subject: lvm: Modify lv selinux label only if not labelled as libvirt image
..


Patch Set 1: Verified+1

Verified on el6 and el7.

- Check installed lvm rule
- Check that vdsm-chcon is installed correctly
- Create and provision vm with thin provisioned disk and verify extend flow



Change in vdsm[master]: lvm: Modify lv selinux label only if not labelled as libvir...

2014-10-01 Thread danken
Dan Kenigsberg has posted comments on this change.

Change subject: lvm: Modify lv selinux label only if not labelled as libvirt image
..


Patch Set 1: Code-Review+1



Change in vdsm[master]: lvm: Modify lv selinux label only if not labelled as libvir...

2014-10-01 Thread Federico Simoncelli
Federico Simoncelli has posted comments on this change.

Change subject: lvm: Modify lv selinux label only if not labelled as libvirt image
..


Patch Set 1: Code-Review-1

If we limit ourselves to chcon -t svirt_image_t I don't think we fiddle with 
the category part.



Change in vdsm[master]: lvm: Modify lv selinux label only if not labelled as libvir...

2014-10-01 Thread Federico Simoncelli
Federico Simoncelli has posted comments on this change.

Change subject: lvm: Modify lv selinux label only if not labelled as libvirt image
..


Patch Set 1: Code-Review+1

Ok because of the difference between svirt_content_t and svirt_image_t.

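What the commit message and the review comments above describe, worked through as an added example (not part of the patch or of vdsm): devices already typed svirt_image_t or svirt_content_t are left alone, and a type-only relabel keeps the user, role and MCS level of the context. The function names and the sample contexts are assumptions made up for this illustration, and only well-formed contexts are handled.

```shell
# Added illustration; the context strings below are constructed samples.
# An SELinux context is user:role:type[:level]; the level carries the MCS
# categories (for example s0:c12,c345) that sVirt assigns per guest.

ctx_type() {
    # Third colon-separated field of a well-formed context.
    printf '%s\n' "$1" | cut -d: -f3
}

needs_relabel() {
    # Succeeds unless the type is already one of the two libvirt image types.
    case "$(ctx_type "$1")" in
        svirt_image_t|svirt_content_t) return 1 ;;
        *) return 0 ;;
    esac
}

relabel_type() {
    # Model of a type-only change: swap field 3, keep user, role and level.
    ctx=$1; new_type=$2
    user=${ctx%%:*};  rest=${ctx#*:}
    role=${rest%%:*}; rest=${rest#*:}
    case $rest in
        *:*) printf '%s:%s:%s:%s\n' "$user" "$role" "$new_type" "${rest#*:}" ;;
        *)   printf '%s:%s:%s\n' "$user" "$role" "$new_type" ;;
    esac
}

apply_rule() {
    # Resulting context after the helper's decision for one device.
    if needs_relabel "$1"; then
        relabel_type "$1" svirt_image_t
    else
        printf '%s\n' "$1"
    fi
}

for c in 'system_u:object_r:fixed_disk_t:s0' \
         'system_u:object_r:svirt_image_t:s0:c12,c345' \
         'system_u:object_r:svirt_content_t:s0'; do
    printf '%-46s -> %s\n' "$c" "$(apply_rule "$c")"
done
```

Matching on the parsed type field rather than on a substring of `ls -Z` output means a user or role that happens to contain one of the label names cannot cause a device to be skipped.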


Change in vdsm[master]: lvm: Modify lv selinux label only if not labelled as libvir...

2014-10-01 Thread danken
Dan Kenigsberg has submitted this change and it was merged.

Change subject: lvm: Modify lv selinux label only if not labelled as libvirt image
..


lvm: Modify lv selinux label only if not labelled as libvirt image

When using the faulty version of systemd that removes libvirt image
labels from block devices, this patch has no effect. However, when a fix
is available and the libvirt image label exists, vdsm will not change the
original libvirt label. This allows increased protection for virtual
machines.

Change-Id: Ide7560564e4c83c84dd288b5a8305ad1ddb4cfcb
Bug-Url: https://bugzilla.redhat.com/1127460
Signed-off-by: Nir Soffer nsof...@redhat.com
Reviewed-on: http://gerrit.ovirt.org/33620
Reviewed-by: Federico Simoncelli fsimo...@redhat.com
Reviewed-by: Dan Kenigsberg dan...@redhat.com
---
M .gitignore
M configure.ac
M vdsm.spec.in
A vdsm/storage/vdsm-chcon.in
M vdsm/storage/vdsm-lvm.rules.tpl.in
5 files changed, 32 insertions(+), 5 deletions(-)

Approvals:
  Nir Soffer: Verified
  Federico Simoncelli: Looks good to me, but someone else must approve
  Dan Kenigsberg: Looks good to me, approved





Change in vdsm[master]: lvm: Modify lv selinux label only if not labelled as libvir...

2014-10-01 Thread danken
Dan Kenigsberg has posted comments on this change.

Change subject: lvm: Modify lv selinux label only if not labelled as libvirt image
..


Patch Set 1: Code-Review+2



Change in vdsm[master]: lvm: Modify lv selinux label only if not labelled as libvir...

2014-10-01 Thread oVirt Jenkins CI Server
oVirt Jenkins CI Server has posted comments on this change.

Change subject: lvm: Modify lv selinux label only if not labelled as libvirt image
..


Patch Set 2:

Build Failed

http://jenkins.ovirt.org/job/vdsm_master_create-rpms_merged_test_debug/248/ : SUCCESS

http://jenkins.ovirt.org/job/vdsm_master_verify-error-codes_merged/5881/ : SUCCESS

http://jenkins.ovirt.org/job/vdsm_master_unit-tests_merged/4041/ : FAILURE

http://jenkins.ovirt.org/job/vdsm_master_create-rpms-el7-x86_64_merged/51/ : SUCCESS

http://jenkins.ovirt.org/job/vdsm_master_create-rpms-fc20-x86_64_merged/47/ : SUCCESS

http://jenkins.ovirt.org/job/vdsm_master_create-rpms-el6-x86_64_merged/53/ : SUCCESS

http://jenkins.ovirt.org/job/vdsm_master_create-rpms-fc21-x86_64_merged/27/ : SUCCESS
