On 23 September 2016 at 03:25, Joe Stringer <j...@ovn.org> wrote:

> ovs-lib creates several directories directly from the script, but
> doesn't make any attempt to ensure that the correct SELinux context is
> applied to these directories. As a result, the created directories end
> up with type var_run_t rather than openvswitch_var_run_t.
>
> During reboot using a tmpfs for /var/run, startup scripts will invoke
> ovs-lib to create these directories with the wrong context. If SELinux
> is enabled, OVS will fail to start as it cannot write to this directory.
>
> Fix the issue by sprinkling "restorecon" in each of the places where
> directories are created. In practice, many of these should otherwise be
> handled by packaging scripts but if they exist then we should ensure the
> correct SELinux context is set.
>
> On systems where 'restorecon' is unavailable, this should be a no-op.
>
> VMware-BZ: #1732672
>
> Signed-off-by: Joe Stringer <j...@ovn.org>
> Acked-by: Ansis Atteka <aatt...@ovn.org>
>
Thanks for taking care of this. I just did a basic test and I think your V2
patch is a good enhancement.


> ---
> v2: Only restore context in dir creation case.
>     Don't call restorecon with -R.
> ---
>  utilities/ovs-lib.in | 16 ++++++++++++----
>  1 file changed, 12 insertions(+), 4 deletions(-)
>
> diff --git a/utilities/ovs-lib.in b/utilities/ovs-lib.in
> index cbad85a36007..4c07750530b6 100644
> --- a/utilities/ovs-lib.in
> +++ b/utilities/ovs-lib.in
> @@ -148,6 +148,14 @@ version_geq() {
>      }'
>  }
>
> +install_dir () {
> +    DIR="$1"
> +    if test ! -d "$DIR"; then
> +        install -d -m 755 -o root -g root "$DIR"
> +        restorecon "$DIR" >/dev/null 2>&1
> +    fi
> +}
> +
>  start_daemon () {
>      priority=$1
>      wrapper=$2
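Review bot: install_dir's exit status is that of `restorecon "$DIR" >/dev/null 2>&1`, not of `install -d`, so on a host without restorecon (the "no-op" case the commit message describes) the function returns 127, and a failed `install -d` is masked whenever restorecon then succeeds. Suggest `install -d -m 755 -o root -g root "$DIR" || return` and running restorecon only when `command -v restorecon >/dev/null 2>&1`, so callers can rely on the return value. Two smaller points: `DIR` is an uppercase, non-local name in a file that is sourced by init scripts, so it can collide with a caller's variable; the other helpers here use lowercase names (`priority`, `wrapper`). And since v2 dropped `-R`, only `$DIR` itself is relabelled, whereas `install -d` also creates any missing parent directories, which keep the filesystem default type.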
> @@ -156,16 +164,16 @@ start_daemon () {
>      strace=""
>
>      # drop core files in a sensible place
> -    test -d "$DAEMON_CWD" || install -d -m 755 -o root -g root
> "$DAEMON_CWD"
> +    install_dir "$DAEMON_CWD"
>      set "$@" --no-chdir
>      cd "$DAEMON_CWD"
>
>      # log file
> -    test -d "$logdir" || install -d -m 755 -o root -g root "$logdir"
> +    install_dir "$logdir"
>      set "$@" --log-file="$logdir/$daemon.log"
>
>      # pidfile and monitoring
> -    test -d "$rundir" || install -d -m 755 -o root -g root "$rundir"
> +    install_dir "$rundir"
>      set "$@" --pidfile="$rundir/$daemon.pid"
>      set "$@" --detach
>      test X"$MONITOR" = Xno || set "$@" --monitor
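Review bot: the relabel happens only on the `test ! -d` path, so a `$DAEMON_CWD`, `$logdir` or `$rundir` that already exists with the wrong type (created by an earlier script in the same boot, or on a non-tmpfs /var/run before this change) stays mislabelled and the daemon still cannot write to it. The v2 note shows this is deliberate, but the commit message should say so, and the upgrade case needs a one-time `restorecon` in the package post-install. Also note that restorecon only applies the label the file-context policy maps for that path, so an overridden `$logdir`/`$rundir` outside the paths the policy knows about gets no correction.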
> @@ -380,7 +388,7 @@ upgrade_db () {
>      schemaver=`ovsdb_tool schema-version "$DB_SCHEMA"`
>      if test ! -e "$DB_FILE"; then
>          log_warning_msg "$DB_FILE does not exist"
> -        install -d -m 755 -o root -g root `dirname $DB_FILE`
> +        install_dir `dirname $DB_FILE`
>          create_db "$DB_FILE" "$DB_SCHEMA"
>      elif test X"`ovsdb_tool needs-conversion "$DB_FILE" "$DB_SCHEMA"`" !=
> Xno; then
>          # Back up the old version.
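Review bot: `install_dir \`dirname $DB_FILE\`` passes the substitution result unquoted (and `$DB_FILE` unquoted inside it), so a database path containing whitespace is split into several arguments and install_dir creates the wrong directory. The defect is pre-existing in the removed line, but since this line is being touched anyway, quote it: `install_dir "$(dirname "$DB_FILE")"`.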
> --
> 2.9.3
>
>
_______________________________________________
dev mailing list
dev@openvswitch.org
http://openvswitch.org/mailman/listinfo/dev
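The fix above relabels a directory only at the moment it is created and, without `-R`, only the leaf. As an added example that is not code from this patch or from Open vSwitch, the shell below shows one way to close both gaps a practitioner would want covered: relabel every path component that `install -d` actually created, skip the step cleanly when restorecon is absent, keep install's own exit status, and offer a dry-run check (`restorecon -nv`) for directories that already exist with a stale label. Function names are hypothetical, and the `-o root -g root` flags are omitted so the example runs unprivileged.

```shell
#!/bin/sh
# Added example, not Open vSwitch code. Assumes coreutils install(1) and,
# where present, policycoreutils restorecon(8); runs without root.

# True when restorecon is installed; lets callers skip relabelling on
# non-SELinux hosts instead of hiding "command not found" with 2>/dev/null.
have_restorecon() {
    command -v restorecon >/dev/null 2>&1
}

# Print, outermost first and one per line, every component of "$1" that does
# not exist yet. These are exactly the directories `install -d` will create
# and therefore the ones that need a label, parents included.
missing_components() {
    _p="$1"
    _list=""
    while [ -n "$_p" ] && [ "$_p" != "/" ] && [ "$_p" != "." ] && [ ! -d "$_p" ]; do
        _list="$_p
$_list"
        _p=$(dirname "$_p")
    done
    printf '%s' "$_list"
}

# Create "$1" (mode 755) and relabel each newly created component.
# Returns install's status on failure, 0 otherwise; restorecon output is kept.
install_dir_labeled() {
    _dir="$1"
    _new=$(missing_components "$_dir")
    [ -n "$_new" ] || return 0            # nothing to create, nothing to relabel
    install -d -m 755 "$_dir" || return   # preserve install's exit status
    if have_restorecon; then
        printf '%s\n' "$_new" | while IFS= read -r _c; do
            [ -n "$_c" ] && restorecon "$_c"
        done
    fi
    return 0
}

# Dry-run check for a directory that already exists: returns 1 if restorecon
# would change its label (the stale-label case after a tmpfs /var/run boot),
# 0 if the label already matches policy or SELinux tooling is absent.
label_matches_policy() {
    have_restorecon || return 0
    [ -z "$(restorecon -nv "$1" 2>/dev/null)" ]
}

# Usage (constructed path): relabel on creation, then verify.
# install_dir_labeled /var/run/openvswitch && label_matches_policy /var/run/openvswitch
```

Running `missing_components` before `install -d` is what makes the parent directories visible to the relabel step; calling `restorecon -R` on the leaf afterwards would not reach them, and `-R` on a parent such as /var/run would touch unrelated directories.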
