Change in vdsm[ovirt-3.5]: lvm: Modify lv selinux label only if not labelled as libvir...
oVirt Jenkins CI Server has posted comments on this change.

Change subject: lvm: Modify lv selinux label only if not labelled as libvirt image
......................................................................

Patch Set 2:

Build Successful

http://jenkins.ovirt.org/job/vdsm_3.5_create-rpms-el6-x86_64_merged/29/ : SUCCESS
http://jenkins.ovirt.org/job/vdsm_3.5_create-rpms-fc19-x86_64_merged/25/ : SUCCESS
http://jenkins.ovirt.org/job/vdsm_3.5_create-rpms-fc20-x86_64_merged/24/ : SUCCESS
http://jenkins.ovirt.org/job/vdsm_3.5_create-rpms-el7-x86_64_merged/29/ : SUCCESS

--
To view, visit http://gerrit.ovirt.org/33632
To unsubscribe, visit http://gerrit.ovirt.org/settings

Gerrit-MessageType: comment
Gerrit-Change-Id: Ide7560564e4c83c84dd288b5a8305ad1ddb4cfcb
Gerrit-PatchSet: 2
Gerrit-Project: vdsm
Gerrit-Branch: ovirt-3.5
Gerrit-Owner: Nir Soffer
Gerrit-Reviewer: Allon Mureinik
Gerrit-Reviewer: Dan Kenigsberg
Gerrit-Reviewer: Federico Simoncelli
Gerrit-Reviewer: Nir Soffer
Gerrit-Reviewer: Yaniv Bronhaim
Gerrit-Reviewer: automat...@ovirt.org
Gerrit-Reviewer: oVirt Jenkins CI Server
Gerrit-HasComments: No

___
vdsm-patches mailing list
vdsm-patches@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/vdsm-patches
Change in vdsm[ovirt-3.5]: lvm: Modify lv selinux label only if not labelled as libvir...
Yaniv Bronhaim has submitted this change and it was merged.

Change subject: lvm: Modify lv selinux label only if not labelled as libvirt image
......................................................................

lvm: Modify lv selinux label only if not labelled as libvirt image

When using the faulty version of systemd that removes libvirt image labels
from block devices, this patch has no effect. However, when a fix is
available and a libvirt image label exists, vdsm will not change the
original libvirt label. This allows increased protection for virtual
machines.

Change-Id: Ide7560564e4c83c84dd288b5a8305ad1ddb4cfcb
Bug-Url: https://bugzilla.redhat.com/1127460
Signed-off-by: Nir Soffer
Reviewed-on: http://gerrit.ovirt.org/33620
Reviewed-by: Federico Simoncelli
Reviewed-by: Dan Kenigsberg
Reviewed-on: http://gerrit.ovirt.org/33632
---
M .gitignore
M configure.ac
M vdsm.spec.in
A vdsm/storage/vdsm-chcon.in
M vdsm/storage/vdsm-lvm.rules.tpl.in
5 files changed, 32 insertions(+), 5 deletions(-)

Approvals:
  Nir Soffer: Verified
  Dan Kenigsberg: Looks good to me, approved

Gerrit-MessageType: merged
Gerrit-PatchSet: 2
Change in vdsm[ovirt-3.5]: lvm: Modify lv selinux label only if not labelled as libvir...
Dan Kenigsberg has posted comments on this change.

Change subject: lvm: Modify lv selinux label only if not labelled as libvirt image
......................................................................

Patch Set 1: Code-Review+2

Gerrit-MessageType: comment
Gerrit-PatchSet: 1
Change in vdsm[ovirt-3.5]: lvm: Modify lv selinux label only if not labelled as libvir...
Nir Soffer has posted comments on this change.

Change subject: lvm: Modify lv selinux label only if not labelled as libvirt image
......................................................................

Patch Set 1: Verified+1

Verified the extend flow on el6 and el7, other flows.

Gerrit-MessageType: comment
Gerrit-PatchSet: 1
Change in vdsm[ovirt-3.5]: lvm: Modify lv selinux label only if not labelled as libvir...
Hello Federico Simoncelli, Dan Kenigsberg,

I'd like you to do a code review. Please visit

    http://gerrit.ovirt.org/33632

to review the following change.

Change subject: lvm: Modify lv selinux label only if not labelled as libvirt image
......................................................................

lvm: Modify lv selinux label only if not labelled as libvirt image

When using the faulty version of systemd that removes libvirt image labels
from block devices, this patch has no effect. However, when a fix is
available and a libvirt image label exists, vdsm will not change the
original libvirt label. This allows increased protection for virtual
machines.

Change-Id: Ide7560564e4c83c84dd288b5a8305ad1ddb4cfcb
Bug-Url: https://bugzilla.redhat.com/1127460
Signed-off-by: Nir Soffer
Reviewed-on: http://gerrit.ovirt.org/33620
Reviewed-by: Federico Simoncelli
Reviewed-by: Dan Kenigsberg
---
M .gitignore
M configure.ac
M vdsm.spec.in
A vdsm/storage/vdsm-chcon.in
M vdsm/storage/vdsm-lvm.rules.tpl.in
5 files changed, 32 insertions(+), 5 deletions(-)

git pull ssh://gerrit.ovirt.org:29418/vdsm refs/changes/32/33632/1 diff --git a/.gitignore b/.gitignore index efb99aa..cafa8d8 100644 --- a/.gitignore +++ b/.gitignore @@ -57,6 +57,7 @@ vdsm/sos/vdsm.py vdsm/storage/protect/safelease vdsm/storage/lvm.env +vdsm/storage/vdsm-chcon vdsm/storage/vdsm-lvm.rules vdsm/sudoers.vdsm vdsm/svdsm.logger.conf diff --git a/configure.ac b/configure.ac index 4261216..3aae03e 100644 --- a/configure.ac +++ b/configure.ac @@ -122,7 +122,10 @@ ) AC_SUBST([LIBVIRT_SERVICE_DEFAULT], ["${with_libvirt_service_default}"]) -AC_SUBST([LIBVIRT_IMAGE_LABEL], ['svirt_image_t']) + +# Selinux image label +AC_SUBST([SVIRT_IMAGE_LABEL], ['svirt_image_t']) +AC_SUBST([SVIRT_CONTENT_LABEL], ['svirt_content_t']) # Users and groups 
@@ -228,6 +231,7 @@ AC_PATH_PROG([ISCSIADM_PATH], [iscsiadm], [/sbin/iscsiadm]) AC_PATH_PROG([KILL_PATH], [kill], [/bin/kill]) AC_PATH_PROG([LSBLK_PATH], [lsblk], [/bin/lsblk]) +AC_PATH_PROG([LS_PATH], [ls], [/bin/ls]) AC_PATH_PROG([LVM_PATH], [lvm], [/sbin/lvm]) AC_PATH_PROG([MKFS_MSDOS_PATH], [mkfs.msdos], [/sbin/mkfs.msdos]) AC_PATH_PROG([MKFS_PATH], [mkfs], [/sbin/mkfs]) @@ -296,6 +300,7 @@ vdsm/storage/Makefile vdsm/storage/imageRepository/Makefile vdsm/storage/protect/Makefile + vdsm/storage/vdsm-chcon vdsm/storage/vdsm-lvm.rules.tpl vdsm/virt/Makefile vdsm_hooks/Makefile diff --git a/vdsm.spec.in b/vdsm.spec.in index f867105..4f822e4 100644 --- a/vdsm.spec.in +++ b/vdsm.spec.in @@ -50,8 +50,10 @@ %if 0%{?rhel} == 6 %global _udevrulesdir /lib/udev/rules.d/ +%global _udevexecdir /lib/udev/ %else %global _udevrulesdir /usr/lib/udev/rules.d/ +%global _udevexecdir /usr/lib/udev/ %endif Name: %{vdsm_name} @@ -668,6 +670,11 @@ install -Dm 0644 vdsm/storage/vdsm-lvm.rules \ %{buildroot}%{_udevrulesdir}/12-vdsm-lvm.rules +%if 0%{?with_chcon_hack} +install -Dm 0755 vdsm/storage/vdsm-chcon \ + %{buildroot}%{_udevexecdir}/vdsm-chcon +%endif + install -Dm 0644 vdsm/limits.conf \ %{buildroot}/etc/security/limits.d/99-vdsm.conf @@ -1143,6 +1150,9 @@ %endif %{python_sitelib}/sos/plugins/vdsm.py* %{_udevrulesdir}/12-vdsm-lvm.rules +%if 0%{?with_chcon_hack} +%{_udevexecdir}/vdsm-chcon +%endif /etc/security/limits.d/99-vdsm.conf %{_mandir}/man8/vdsmd.8* %if 0%{?rhel} diff --git a/vdsm/storage/vdsm-chcon.in b/vdsm/storage/vdsm-chcon.in new file mode 100644 index 000..6f1eb6e --- /dev/null +++ b/vdsm/storage/vdsm-chcon.in 
@@ -0,0 +1,14 @@ +#!/bin/sh + +# This script must be called from a udev rule and assumes the udev environment +# variables. + +# Do not touch the device if it is already labelled is libvirt image. It will +# probably be a fixed_disk_t or it may have no selinux label. +if @LS_PATH@ -Z "$DEVNAME" | \ +@GREP_PATH@ -q -E ":@SVIRT_CONTENT_LABEL@:|:@SVIRT_IMAGE_LABEL@:"; then +exit 0 +fi + +echo "Changing selinux type to @SVIRT_IMAGE_LABEL@ on $DEVNAME" >&2 +@CHCON_PATH@ -t @SVIRT_IMAGE_LABEL@ "$DEVNAME" diff --git a/vdsm/storage/vdsm-lvm.rules.tpl.in b/vdsm/storage/vdsm-lvm.rules.tpl.in index 0869cdf..fb6c87a 100644 --- a/vdsm/storage/vdsm-lvm.rules.tpl.in +++ b/vdsm/storage/vdsm-lvm.rules.tpl.in @@ -23,16 +23,13 @@ # label is lost after refreshing a logical volume, and vm get paused. This rule # ensures that the label exist after device changes. See # https://bugzilla.redhat.com/1147910 -# -# TODO: use SECLABEL{selinux}="@LIBVIRT_IMAGE_LABEL@" when this syntax is -# supported. See https://bugzilla.redhat.com/1015300 {{endif}} # "add" event is processed on coldplug only, so we need "change", too. ACTION!="add|change", GOTO="lvm_end" # Fix ownership for RHEV volumes -ENV{DM_VG_NAME}=="[a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9]-[a-f0-9][a-f0-9][a-f0-9][a-f0-9]-[a-f0-9][a-f0-9][a-f0-9][a-f0-9]-[a-f0-9][a-f0-9][a
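Review bot: in the configure.ac hunk, only LS_PATH gets a new AC_PATH_PROG, yet the new vdsm-chcon.in script also expands @GREP_PATH@ and @CHCON_PATH@; confirm both are already substituted elsewhere in configure.ac, otherwise the installed script will carry literal placeholders and fail on its first real command. With LIBVIRT_IMAGE_LABEL renamed to SVIRT_IMAGE_LABEL, also grep the tree for any remaining @LIBVIRT_IMAGE_LABEL@ reference (the TODO deleted from vdsm-lvm.rules.tpl.in was one); a missed one would leave an unexpanded placeholder in a generated file.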
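Review bot: the vdsm.spec.in hunks wrap both the install and the %files entry for vdsm-chcon in `%if 0%{?with_chcon_hack}`, but nothing in this patch defines with_chcon_hack, while 12-vdsm-lvm.rules is still installed unconditionally. If the rules template ends up invoking %{_udevexecdir}/vdsm-chcon and the macro is unset, udev will report a missing program on every add/change event and the label will never be restored. Either define the macro in the spec (or note where it is set) or make the rule that runs the script conditional on the same flag.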
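Review bot: in vdsm-chcon.in, the comment "already labelled is libvirt image" should read "already labelled as a libvirt image", and the next sentence describes the other branch: it is the device that falls through to chcon that is probably fixed_disk_t or unlabelled. Beyond wording, the script assumes $DEVNAME is set; run outside udev, `ls -Z ""` fails, grep sees no input, and `chcon -t ... ""` is attempted. A guard such as `[ -n "$DEVNAME" ] || exit 1` before the `if` turns the assumption stated in the header comment into an actual check, and exiting non-zero there also keeps the failure visible in the udev log.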
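Review bot: the vdsm-lvm.rules.tpl.in hunk deletes the TODO pointing at SECLABEL{selinux} and https://bugzilla.redhat.com/1015300, which was the only pointer to the udev-native replacement for this script; since the spec itself names the script with_chcon_hack, keep that reference in the comment so whoever revisits this knows what vdsm-chcon is meant to be replaced by once the syntax is supported.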