Nir Soffer has posted comments on this change.

Change subject: multipath: Fix multipath.conf selinux labels
......................................................................

Patch Set 1:

(1 comment)

https://gerrit.ovirt.org/#/c/46398/1/lib/vdsm/tool/configurators/multipath.py
File lib/vdsm/tool/configurators/multipath.py:

Line 120:                                      delete=False) as f:
Line 121:         try:
Line 122:             f.write(_CONF_DATA)
Line 123:             f.flush()
Line 124:             selinux.restorecon(f.name)
> Tested on rhel 7.1, this does not fail when selinux is disabled.

OK, reproduced the failure - previously I was testing a file created when
selinux was enabled, so it had selinux labels.

When creating a new file with selinux disabled, we get a file without any
labels:

    >>> os.system('ls -Z multipath.conf*')
    -rw-r--r--. root root system_u:object_r:etc_t:s0 multipath.conf
    -rw-r--r--  root root ?                          multipath.conf.new
    0

And now restorecon will fail:

    >>> selinux.restorecon('/etc/multipath.conf.new')
    Traceback (most recent call last):
      File "<stdin>", line 1, in <module>
      File "/usr/lib64/python2.7/site-packages/selinux/__init__.py", line 88, in restorecon
        status, oldcontext = lgetfilecon(path)
    OSError: [Errno 61] No data available

But this is a bug in restorecon - it assumes that the file has a selinux
label, which is not true when the file was created when selinux was disabled.

We can however use other selinux apis to set the selinux labels
successfully, even when selinux is disabled:

    >>> path = "/etc/multipath.conf.new"
    >>> st, con = selinux.matchpathcon(path, os.lstat(path).st_mode)
    >>> st
    0
    >>> con
    'system_u:object_r:etc_t:s0'
    >>> selinux.chcon(path, con)
    >>> os.system('ls -Z multipath.conf*')
    -rw-r--r--. root root system_u:object_r:etc_t:s0 multipath.conf
    -rw-r--r--. root root system_u:object_r:etc_t:s0 multipath.conf.new
    0

I'll open a selinux bug about this and ask the selinux guys for advice on
whether this is the best way to do this.

Line 125:             os.chmod(f.name, 0o644)
Line 126:             os.rename(f.name, _CONF_FILE)
Line 127:         except:
Line 128:             os.unlink(f.name)

--
To view, visit https://gerrit.ovirt.org/46398

Gerrit-MessageType: comment
Gerrit-Change-Id: Id0aebae46f30abf908a8f48c4f1f2257394fe616
Gerrit-PatchSet: 1
Gerrit-Project: vdsm
Gerrit-Branch: master
Gerrit-Owner: Nir Soffer <[email protected]>
Gerrit-Reviewer: Adam Litke <[email protected]>
Gerrit-Reviewer: Allon Mureinik <[email protected]>
Gerrit-Reviewer: Dan Kenigsberg <[email protected]>
Gerrit-Reviewer: Fabian Deutsch <[email protected]>
Gerrit-Reviewer: Jenkins CI
Gerrit-Reviewer: Nir Soffer <[email protected]>
Gerrit-Reviewer: Piotr Kliczewski <[email protected]>
Gerrit-Reviewer: Yeela Kaplan <[email protected]>
Gerrit-Reviewer: [email protected]
Gerrit-HasComments: Yes
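
Added example, not part of the original message and not vdsm's code: a sketch of the fallback described in the comment above. It tries restorecon first and, only when that fails with ENODATA on a file that carries no label, applies the policy default through matchpathcon and chcon. The name set_default_label and the se parameter (a stand-in for the selinux module, so the logic can be exercised without the bindings) are assumptions.

```python
import errno
import os

try:
    import selinux  # libselinux Python bindings, as used in the session above
except ImportError:
    selinux = None  # keeps this sketch importable on hosts without the bindings


def set_default_label(path, se=None):
    """Give `path` the label the loaded policy assigns to that location.

    Returns "restorecon" or "chcon" to say which call did the labeling,
    or None when no selinux bindings are available.
    `se` is a hypothetical injection point; it defaults to the real module.
    """
    if se is None:
        se = selinux
    if se is None:
        return None

    try:
        se.restorecon(path)
        return "restorecon"
    except OSError as e:
        # ENODATA (errno 61 on Linux) is the failure shown in the traceback:
        # the file has no label because it was created with selinux disabled.
        # Any other error (permissions, missing file) must not be hidden.
        if e.errno != errno.ENODATA:
            raise

    # Fallback from the comment: look up the default context for this
    # path and file type, then set it explicitly.
    status, context = se.matchpathcon(path, os.lstat(path).st_mode)
    if status != 0:
        raise OSError(errno.ENOENT, "no default context for %s" % path)
    se.chcon(path, context)
    return "chcon"
```

As in the reviewed code, the call belongs before the rename onto the final path, so the configuration file never appears in place without a label.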
