Nir Soffer has uploaded a new change for review. Change subject: lvm: Modify lv selinux label only if not labablled as libvirt image ......................................................................
lvm: Modify lv selinux label only if not labablled as libvirt image When using the faulty version of systemd that removes libvirt image labels from block devices, this patch has no effect. However when a fix is available and libvirt image label exists, vdsm will not change the original libvirt label. This allows the increase protection for virtual machines. Change-Id: Ide7560564e4c83c84dd288b5a8305ad1ddb4cfcb Bug-Url: https://bugzilla.redhat.com/1127460 Signed-off-by: Nir Soffer <nsof...@redhat.com>
---
M .gitignore M configure.ac M vdsm.spec.in A vdsm/storage/vdsm-chcon.in M vdsm/storage/vdsm-lvm.rules.tpl.in 5 files changed, 32 insertions(+), 5 deletions(-) git pull ssh://gerrit.ovirt.org:29418/vdsm refs/changes/20/33620/1
diff --git a/.gitignore b/.gitignore
index 5890806..cba2247 100644
--- a/.gitignore
+++ b/.gitignore
@@ -60,6 +60,7 @@
vdsm/sos/vdsm.py
vdsm/storage/protect/safelease
vdsm/storage/lvm.env
+vdsm/storage/vdsm-chcon
vdsm/storage/vdsm-lvm.rules
vdsm/sudoers.vdsm
vdsm/svdsm.logger.conf
diff --git a/configure.ac b/configure.ac
index 40c37a9..e4b0c88 100644
--- a/configure.ac
+++ b/configure.ac
@@ -122,7 +122,10 @@
)
AC_SUBST([LIBVIRT_SERVICE_DEFAULT], ["${with_libvirt_service_default}"])
-AC_SUBST([LIBVIRT_IMAGE_LABEL], ['svirt_image_t'])
+
+# Selinux image label
+AC_SUBST([SVIRT_IMAGE_LABEL], ['svirt_image_t'])
+AC_SUBST([SVIRT_CONTENT_LABEL], ['svirt_content_t'])
# Users and groups
@@ -281,6 +284,7 @@
AC_PATH_PROG([IP_PATH], [ip], [/sbin/ip])
AC_PATH_PROG([ISCSIADM_PATH], [iscsiadm], [/sbin/iscsiadm])
AC_PATH_PROG([KILL_PATH], [kill], [/bin/kill])
+AC_PATH_PROG([LS_PATH], [ls], [/bin/ls])
AC_PATH_PROG([LVM_PATH], [lvm], [/sbin/lvm])
AC_PATH_PROG([MKFS_MSDOS_PATH], [mkfs.msdos], [/sbin/mkfs.msdos])
AC_PATH_PROG([MKFS_PATH], [mkfs], [/sbin/mkfs])
@@ -351,6 +355,7 @@
vdsm/storage/Makefile
vdsm/storage/imageRepository/Makefile
vdsm/storage/protect/Makefile
+ vdsm/storage/vdsm-chcon
vdsm/storage/vdsm-lvm.rules.tpl
vdsm/virt/Makefile
vdsm_hooks/Makefile
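Review bot: Renaming LIBVIRT_IMAGE_LABEL to SVIRT_IMAGE_LABEL in the first configure.ac hunk leaves any other `@LIBVIRT_IMAGE_LABEL@` reference (another .in file, or a sed substitution in a Makefile.am) unsubstituted, and this change only updates vdsm-lvm.rules.tpl.in; please check the tree for remaining uses of the old name. The new comment `# Selinux image label` could say what the two values are for, e.g. `# SELinux types that libvirt sets on VM disks; vdsm-chcon treats a device already carrying one of them as labelled.` The vdsm-chcon script added in this change also expands @GREP_PATH@ and @CHCON_PATH@, which I assume are already AC_SUBST'ed elsewhere in configure.ac since only LS_PATH is added here.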
diff --git a/vdsm.spec.in b/vdsm.spec.in
index 15006d4..7ec5c42 100644
--- a/vdsm.spec.in
+++ b/vdsm.spec.in
@@ -55,8 +55,10 @@
%if 0%{?rhel} == 6
%global _udevrulesdir /lib/udev/rules.d/
+%global _udevexecdir /lib/udev/
%else
%global _udevrulesdir /usr/lib/udev/rules.d/
+%global _udevexecdir /usr/lib/udev/
%endif
Name: %{vdsm_name}
@@ -688,6 +690,11 @@
install -Dm 0644 vdsm/storage/vdsm-lvm.rules \
%{buildroot}%{_udevrulesdir}/12-vdsm-lvm.rules
+%if 0%{?with_chcon_hack}
+install -Dm 0755 vdsm/storage/vdsm-chcon \
+ %{buildroot}%{_udevexecdir}/vdsm-chcon
+%endif
+
install -Dm 0644 vdsm/limits.conf \
%{buildroot}/etc/security/limits.d/99-vdsm.conf
@@ -1174,6 +1181,9 @@
%endif
%{python_sitelib}/sos/plugins/vdsm.py*
%{_udevrulesdir}/12-vdsm-lvm.rules
+%if 0%{?with_chcon_hack}
+%{_udevexecdir}/vdsm-chcon
+%endif
/etc/security/limits.d/99-vdsm.conf
%{_mandir}/man8/vdsmd.8*
%if 0%{?rhel}
diff --git a/vdsm/storage/vdsm-chcon.in b/vdsm/storage/vdsm-chcon.in
new file mode 100644
index 0000000..6f1eb6e
--- /dev/null
+++ b/vdsm/storage/vdsm-chcon.in
@@ -0,0 +1,14 @@
+#!/bin/sh
+
+# This script must be called from a udev rule and assumes the udev environment
+# variables.
+
+# Do not touch the device if it is already labelled is libvirt image. It will
+# probably be a fixed_disk_t or it may have no selinux label.
+if @LS_PATH@ -Z "$DEVNAME" | \
+ @GREP_PATH@ -q -E ":@SVIRT_CONTENT_LABEL@:|:@SVIRT_IMAGE_LABEL@:"; then
+ exit 0
+fi
+
+echo "Changing selinux type to @SVIRT_IMAGE_LABEL@ on $DEVNAME" >&2
+@CHCON_PATH@ -t @SVIRT_IMAGE_LABEL@ "$DEVNAME"
diff --git a/vdsm/storage/vdsm-lvm.rules.tpl.in b/vdsm/storage/vdsm-lvm.rules.tpl.in
index 0869cdf..fb6c87a 100644
--- a/vdsm/storage/vdsm-lvm.rules.tpl.in
+++ b/vdsm/storage/vdsm-lvm.rules.tpl.in
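Review bot: The grep in vdsm-chcon.in only recognizes a libvirt label when the type is followed by a colon (`:svirt_image_t:`), so a context that is printed without a trailing MLS/MCS level would fail the check and be relabelled anyway; matching the type on its field boundary instead, `@GREP_PATH@ -q -E ":(@SVIRT_CONTENT_LABEL@|@SVIRT_IMAGE_LABEL@)(:|[[:space:]]|$)"`, is no more expensive and does not depend on the level being present. The script also falls through to `chcon` on an empty path if udev did not export DEVNAME; a guard such as `[ -n "$DEVNAME" ] || exit 1` before the `if` turns that into a clear failure instead of an `ls`/`chcon` error about an empty name. The comment above the test reads oddly; I would write it as `# Do not touch the device if it is already labelled as a libvirt image. Otherwise it is probably fixed_disk_t or has no selinux label.`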
@@ -23,16 +23,13 @@
# label is lost after refreshing a logical volume, and vm get paused. This rule
# ensures that the label exist after device changes. See
# https://bugzilla.redhat.com/1147910
-#
-# TODO: use SECLABEL{selinux}="@LIBVIRT_IMAGE_LABEL@" when this syntax is
-# supported. See https://bugzilla.redhat.com/1015300
{{endif}}
# "add" event is processed on coldplug only, so we need "change", too.
ACTION!="add|change", GOTO="lvm_end"
# Fix ownership for RHEV volumes
-ENV{DM_VG_NAME}=="[a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9]-[a-f0-9][a-f0-9][a-f0-9][a-f0-9]-[a-f0-9][a-f0-9][a-f0-9][a-f0-9]-[a-f0-9][a-f0-9][a-f0-9][a-f0-9]-[a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9]", ENV{DM_LV_NAME}=="[a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9]-[a-f0-9][a-f0-9][a-f0-9][a-f0-9]-[a-f0-9][a-f0-9][a-f0-9][a-f0-9]-[a-f0-9][a-f0-9][a-f0-9][a-f0-9]-[a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9]", OWNER:="@VDSMUSER@", GROUP:="@QEMUGROUP@"{{if chcon_hack}}, RUN+="@CHCON_PATH@ -t @LIBVIRT_IMAGE_LABEL@ $env{DEVNAME}"{{endif}}, GOTO="lvm_end"
+ENV{DM_VG_NAME}=="[a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9]-[a-f0-9][a-f0-9][a-f0-9][a-f0-9]-[a-f0-9][a-f0-9][a-f0-9][a-f0-9]-[a-f0-9][a-f0-9][a-f0-9][a-f0-9]-[a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9]", ENV{DM_LV_NAME}=="[a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9]-[a-f0-9][a-f0-9][a-f0-9][a-f0-9]-[a-f0-9][a-f0-9][a-f0-9][a-f0-9]-[a-f0-9][a-f0-9][a-f0-9][a-f0-9]-[a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9]", OWNER:="@VDSMUSER@", GROUP:="@QEMUGROUP@"{{if chcon_hack}}, RUN+="vdsm-chcon"{{endif}}, GOTO="lvm_end"
ENV{DM_VG_NAME}=="[a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9]-[a-f0-9][a-f0-9][a-f0-9][a-f0-9]-[a-f0-9][a-f0-9][a-f0-9][a-f0-9]-[a-f0-9][a-f0-9][a-f0-9][a-f0-9]-[a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9]", ENV{DM_LV_NAME}=="[a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9]-[a-f0-9][a-f0-9][a-f0-9][a-f0-9]-[a-f0-9][a-f0-9][a-f0-9][a-f0-9]-[a-f0-9][a-f0-9][a-f0-9][a-f0-9]-[a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9]_MERGE", OWNER:="@VDSMUSER@", GROUP:="@QEMUGROUP@", GOTO="lvm_end"
ENV{DM_VG_NAME}=="[a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9]-[a-f0-9][a-f0-9][a-f0-9][a-f0-9]-[a-f0-9][a-f0-9][a-f0-9][a-f0-9]-[a-f0-9][a-f0-9][a-f0-9][a-f0-9]-[a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9]", ENV{DM_LV_NAME}=="_remove_me_[a-zA-Z0-9][a-zA-Z0-9][a-zA-Z0-9][a-zA-Z0-9][a-zA-Z0-9][a-zA-Z0-9][a-zA-Z0-9][a-zA-Z0-9]_[a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9]-[a-f0-9][a-f0-9][a-f0-9][a-f0-9]-[a-f0-9][a-f0-9][a-f0-9][a-f0-9]-[a-f0-9][a-f0-9][a-f0-9][a-f0-9]-[a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9]", OWNER:="@VDSMUSER@", GROUP:="@QEMUGROUP@", GOTO="lvm_end"
ENV{DM_VG_NAME}=="[a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9]-[a-f0-9][a-f0-9][a-f0-9][a-f0-9]-[a-f0-9][a-f0-9][a-f0-9][a-f0-9]-[a-f0-9][a-f0-9][a-f0-9][a-f0-9]-[a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9]", ENV{DM_LV_NAME}=="metadata", MODE:="0600", OWNER:="@VDSMUSER@", GROUP:="@QEMUGROUP@", GOTO="lvm_end"
--
To view, visit http://gerrit.ovirt.org/33620 To unsubscribe, visit http://gerrit.ovirt.org/settings Gerrit-MessageType: newchange Gerrit-Change-Id: Ide7560564e4c83c84dd288b5a8305ad1ddb4cfcb Gerrit-PatchSet: 1 Gerrit-Project: vdsm Gerrit-Branch: master Gerrit-Owner:
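Review bot: `RUN+="vdsm-chcon"` in the rewritten ownership rule relies on udev resolving a bare program name inside its own exec directory, which has to be the same directory the spec installs into via `%{_udevexecdir}`, and the spec installs the script only under `%if 0%{?with_chcon_hack}` while the rule is emitted under the template's `{{if chcon_hack}}`; if those two switches can be set independently, the rule will reference a program that is not there, and udev only reports that in its log. A comment next to the rule stating that the two must match, or deriving one from the other, would make the dependency visible. The removed TODO pointing at bug 1015300 (`SECLABEL{selinux}=`) still describes the proper replacement for the RUN hook unless that plan was dropped, so I would keep that pointer in the comment block above. The `{{if ...}}` block that the leading comment lines belong to starts before this hunk.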
Nir Soffer <nsof...@redhat.com> _______________________________________________ vdsm-patches mailing list vdsm-patches@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/vdsm-patches