From patchwork Thu Sep 22 00:54:37 2016
X-Patchwork-Submitter: Joe Stringer
X-Patchwork-Id: 673111
From: Joe Stringer
To: dev@openvswitch.org
Cc: aatteka@ovn.org
Date: Wed, 21 Sep 2016 17:54:37 -0700
Message-Id: <20160922005437.9955-1-joe@ovn.org>
Subject: [ovs-dev] [PATCH] ovs-lib: Fix SELinux contexts for created dirs.

ovs-lib creates several directories directly from the script, but doesn't
make any attempt to ensure that the correct SELinux context is applied to
these directories. As a result, the created directories end up with type
var_run_t rather than openvswitch_var_run_t.

During reboot using a tmpfs for /var/run, startup scripts will invoke
ovs-lib to create these directories with the wrong context. If SELinux is
enabled, OVS will fail to start as it cannot write to this directory.

Fix the issue by sprinkling "restorecon" in each of the places where
directories are created. In practice, many of these should otherwise be
handled by packaging scripts, but if they exist, then we should ensure the
correct SELinux context is set. On systems where 'restorecon' is
unavailable, this should be a no-op.

VMware-BZ: #1732672
Signed-off-by: Joe Stringer Acked-by: Ansis Atteka --- Fortunately, the 'install' command comes with a handy '-Z' option which should set the default SELinux context for a file when creating it. Unfortunately, this doesn't work the way we need it to - rather than taking the correct context for this particular file, it seems to take some generic global default context so it doesn't fix the problem. Using 'restorecon' seems like the most robust way to address this. --- utilities/ovs-lib.in | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/utilities/ovs-lib.in b/utilities/ovs-lib.in index cbad85a36007..a6c446a9fbec 100644 --- a/utilities/ovs-lib.in +++ b/utilities/ovs-lib.in @@ -157,15 +157,18 @@ start_daemon () { # drop core files in a sensible place test -d "$DAEMON_CWD" || install -d -m 755 -o root -g root "$DAEMON_CWD" + restorecon -R "$DAEMON_CWD" >/dev/null 2>&1 set "$@" --no-chdir cd "$DAEMON_CWD" # log file test -d "$logdir" || install -d -m 755 -o root -g root "$logdir" + restorecon -R "$logdir" >/dev/null 2>&1 set "$@" --log-file="$logdir/$daemon.log" # pidfile and monitoring test -d "$rundir" || install -d -m 755 -o root -g root "$rundir" + restorecon -R "$rundir" >/dev/null 2>&1 set "$@" --pidfile="$rundir/$daemon.pid" set "$@" --detach test X"$MONITOR" = Xno || set "$@" --monitor @@ -381,6 +384,7 @@ upgrade_db () { if test ! -e "$DB_FILE"; then log_warning_msg "$DB_FILE does not exist" install -d -m 755 -o root -g root `dirname $DB_FILE` + restorecon -R `dirname $DB_FILE` >/dev/null 2>&1 create_db "$DB_FILE" "$DB_SCHEMA" elif test X"`ovsdb_tool needs-conversion "$DB_FILE" "$DB_SCHEMA"`" != Xno; then # Back up the old version.
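Review bot: in the start_daemon hunk the three 'restorecon -R' calls run unconditionally, even when the preceding 'test -d' found the directory already present, and with '-R' they relabel the whole tree under "$DAEMON_CWD", "$logdir" and "$rundir" on every daemon start. The commit message only needs the freshly created directory to get its policy label, so consider attaching restorecon to the creation branch, e.g. 'test -d "$rundir" || { install -d -m 755 -o root -g root "$rundir"; restorecon "$rundir"; }', and dropping '-R': "$logdir" can hold many files and "$DAEMON_CWD" is the daemon's working directory, so a recursive relabel there on each start is expensive and wider than the fix needs. The '>/dev/null 2>&1' redirection gives the promised no-op when restorecon is absent, but it equally hides a genuine relabel failure, which is exactly the condition that later stops OVS from starting; 'command -v restorecon >/dev/null 2>&1 && restorecon "$rundir"' keeps the no-op behaviour while letting real errors reach the log.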
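Review bot: in the upgrade_db hunk, 'restorecon -R `dirname $DB_FILE` >/dev/null 2>&1' leaves both $DB_FILE and the backtick substitution unquoted, so a database path containing whitespace is split into several arguments and either the wrong path is relabelled or nothing is, with the error swallowed by the redirection. This mirrors the existing 'install -d -m 755 -o root -g root `dirname $DB_FILE`' line directly above it, but a new line should not repeat the problem: 'restorecon "$(dirname "$DB_FILE")"' is safe and, without '-R', touches only the directory that was just created rather than any files already sitting beside the database.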
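As an added example (not code from the patch or the OVS tree), the same directory-creation step written so that restorecon runs only when SELinux is active and only on the directory whose type actually differs from the policy default, followed by the check a packager would want: does the created directory's type match what the loaded policy assigns to that path (openvswitch_var_run_t in the case the commit message describes). It assumes GNU coreutils and, where SELinux is present, 'restorecon' and 'matchpathcon'; it uses mode 755 without the root owner flags so it can run unprivileged.

```shell
#!/bin/sh
# Added example, not code from the OVS patch. Creates a daemon directory the
# way ovs-lib does and verifies its SELinux type against the policy default.
# Assumes GNU coreutils; 'restorecon' and 'matchpathcon' are only required
# when SELinux is active (label steps are skipped otherwise).

# 0 when SELinux is active and the relabel tools exist, 1 otherwise.
selinux_active() {
    [ -e /sys/fs/selinux/enforce ] &&
        command -v restorecon >/dev/null 2>&1 &&
        command -v matchpathcon >/dev/null 2>&1
}

# Compare the type field (3rd ':' field) of DIR's label with the type the
# loaded policy assigns to that path. Only the type is compared because
# restorecon preserves the SELinux user portion unless forced.
# Returns 0 on match, 1 on mismatch, 2 when SELinux is not active.
dir_type_matches_policy() {
    dir=$1
    selinux_active || return 2
    actual=$(stat -c %C "$dir" | cut -d: -f3) || return 1
    expected=$(matchpathcon -n "$dir" | cut -d: -f3) || return 1
    [ "$actual" = "$expected" ]
}

# Create DIR (mode 0755) if missing, then relabel that single directory only
# when its type is wrong. No -R: a recursive relabel of an existing tree on
# every daemon start is costly and wider than the fix needs.
ensure_labelled_dir() {
    dir=$1
    test -d "$dir" || install -d -m 755 "$dir" || return 1   # -o/-g need root
    rc=0
    dir_type_matches_policy "$dir" || rc=$?
    if [ "$rc" -eq 1 ]; then
        # Do not hide a real failure: a wrong label is what later stops the
        # daemon from starting, so a warning belongs in the log.
        restorecon "$dir" || echo "warning: restorecon failed on $dir" >&2
    fi
    return 0
}

# Demo on a constructed temporary path standing in for $rundir.
demo_dir=$(mktemp -d)/openvswitch
ensure_labelled_dir "$demo_dir"
rc=0
dir_type_matches_policy "$demo_dir" || rc=$?
echo "$demo_dir: type check rc=$rc (0 ok, 1 mismatch, 2 SELinux inactive)"
rm -rf "$(dirname "$demo_dir")"
```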