[oe] [PATCH][meta-networking] iscsi-initiator-utils: fix SELinux label for initiatorname.iscsi
Joe MacDonald
Joe_MacDonald at mentor.com
Wed Mar 4 13:39:13 UTC 2015
[Re: [oe] [PATCH][meta-networking] iscsi-initiator-utils: fix SELinux label for initiatorname.iscsi] On 15.03.04 (Wed 15:25) wenzong fan wrote:
> On 02/12/2015 10:17 AM, Joe MacDonald wrote:
> >Hey Wenzong,
> >
> >[[oe] [PATCH][meta-networking] iscsi-initiator-utils: fix SELinux label for initiatorname.iscsi] On 15.02.04 (Wed 17:33) wenzong.fan at windriver.com wrote:
> >
> >>From: Wenzong Fan <wenzong.fan at windriver.com>
> >>
> >>* /etc/iscsi/initiatorname.iscsi: etc_runtime_t -> etc_t
> >>
> >>This config file was created by postinstall or initscript, fix SELinux
> >>label for it to remove:
> >>
> >> avc: denied { read } for pid=6094 comm="iscsid" \
> >> name="initiatorname.iscsi" dev="sda3" ino=1057846 \
> >> scontext=system_u:system_r:iscsid_t:s0-s15:c0.c1023 \
> >> tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
> >
> >Since this is an issue that only shows up when you have SELinux on your
> >system and since it is tweaking a file that is manually installed by a
> >do_install() in iscsi-initiator-utils, could you re-work this as a
> >bbappend in meta-selinux?
>
> Hi Joe,
>
> This makes sense, but there's an issue that meta-networking is not
> depended on by meta-selinux, adding a bbappend may block the building
> of meta-selinux & oe-core only.
>
> Any suggestions about that?

As a matter of fact, we just addressed that with
d382d54f0a9a913791fca1d7f61e87fcfd32842b in meta-selinux a couple of
weeks back. There is still a mistake in that, but Philip has a patch
for it that I'm integrating now, but the core idea works. So your patch
would go into a networking-layer/ hierarchy in meta-selinux/ and then it
would either be picked up if meta-networking is included or ignored in
the meta-selinux+oe-core-only scenario.
-J.
>
> Thanks
> Wenzong
>
> >
> >-J.
> >
> >>
> >>Signed-off-by: Wenzong Fan <wenzong.fan at windriver.com>
> >>---
> >> .../recipes-daemons/iscsi-initiator-utils/files/initd.debian | 4 ++++
> >> 1 file changed, 4 insertions(+)
> >>
> >>diff --git a/meta-networking/recipes-daemons/iscsi-initiator-utils/files/initd.debian b/meta-networking/recipes-daemons/iscsi-initiator-utils/files/initd.debian
> >>index 99a7638..43fb348 100644
> >>--- a/meta-networking/recipes-daemons/iscsi-initiator-utils/files/initd.debian
> >>+++ b/meta-networking/recipes-daemons/iscsi-initiator-utils/files/initd.debian
> >>@@ -39,6 +39,10 @@ start() {
> >> InitiatorName=$INITIATORNAME
> >> EOF
> >> fi
> >>+
> >>+ # Fix label for /etc/iscsi/initiatorname.iscsi if SELinux was enabled
> >>+ test ! -x /sbin/restorecon || /sbin/restorecon -F /etc/iscsi/initiatorname.iscsi
> >>+
> >> start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON
> >> RETVAL=$?
> >> starttargets
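Review bot: the guard on the added restorecon line tests only that /sbin/restorecon is executable, while the comment above it says the relabel happens "if SELinux was enabled", so the comment and the code disagree. Either reword the comment to say the label is restored whenever restorecon is installed, or add an explicit enabled check (for example with selinuxenabled, if that utility is present on the target) before calling it. Because the line sits after the closing fi, it runs on every start() and not only when the file has just been written; that does cover a file created by postinstall, as the commit message mentions, but the comment should say so. The exit status of restorecon is discarded, so a failed relabel would surface only as the same avc denial from iscsid, and the use of -F deserves a word on why a forced reset is needed here.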
> >>--
> >>1.9.1
> >>
--
-Joe MacDonald.
:wq