[oe] [PATCH][meta-networking] iscsi-initiator-utils: fix SELinux label for initiatorname.iscsi

wenzong fan wenzong.fan at windriver.com
Thu Mar 5 07:57:51 UTC 2015


On 03/04/2015 09:39 PM, Joe MacDonald wrote:
> [Re: [oe] [PATCH][meta-networking] iscsi-initiator-utils: fix SELinux label for initiatorname.iscsi] On 15.03.04 (Wed 15:25) wenzong fan wrote:
>
>> On 02/12/2015 10:17 AM, Joe MacDonald wrote:
>>> Hey Wenzong,
>>>
>>> [[oe] [PATCH][meta-networking] iscsi-initiator-utils: fix SELinux label for initiatorname.iscsi] On 15.02.04 (Wed 17:33) wenzong.fan at windriver.com wrote:
>>>
>>>> From: Wenzong Fan <wenzong.fan at windriver.com>
>>>>
>>>> * /etc/iscsi/initiatorname.iscsi: etc_runtime_t -> etc_t
>>>>
>>>> This config file was created by postinstall or initscript, fix SELinux
>>>> label for it to remove:
>>>>
>>>>    avc: denied { read } for pid=6094 comm="iscsid" \
>>>>    name="initiatorname.iscsi" dev="sda3" ino=1057846 \
>>>>    scontext=system_u:system_r:iscsid_t:s0-s15:c0.c1023 \
>>>>    tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
>>>
>>> Since this is an issue that only shows up when you have SELinux on your
>>> system and since it is tweaking a file that is manually installed by a
>>> do_install() in iscsi-initiator-utils, could you re-work this as a
>>> bbappend in meta-selinux?
>>
>> Hi Joe,
>>
>> This makes sense, but there's an issue: meta-selinux does not
>> depend on meta-networking, so adding a bbappend may block the
>> building of meta-selinux & oe-core only.
>>
>> Any suggestions about that?
>
> As a matter of fact, we just addressed that with
> d382d54f0a9a913791fca1d7f61e87fcfd32842b in meta-selinux a couple of
> weeks back.  There is still a mistake in that, but Philip has a patch
> for it that I'm integrating now, but the core idea works.  So your patch
> would go into a networking-layer/ hierarchy in meta-selinux/ and then it
> would either be picked up if meta-networking is included or ignored in
> the meta-selinux+oe-core-only scenario.

Cool, I've made the bbappend and sent meta-selinux patches to 
yocto at yoctoproject.org.

Thanks a lot!

Wenzong

>
> -J.
>
>>
>> Thanks
>> Wenzong
>>
>>>
>>> -J.
>>>
>>>>
>>>> Signed-off-by: Wenzong Fan <wenzong.fan at windriver.com>
>>>> ---
>>>>   .../recipes-daemons/iscsi-initiator-utils/files/initd.debian          | 4 ++++
>>>>   1 file changed, 4 insertions(+)
>>>>
>>>> diff --git a/meta-networking/recipes-daemons/iscsi-initiator-utils/files/initd.debian b/meta-networking/recipes-daemons/iscsi-initiator-utils/files/initd.debian
>>>> index 99a7638..43fb348 100644
>>>> --- a/meta-networking/recipes-daemons/iscsi-initiator-utils/files/initd.debian
>>>> +++ b/meta-networking/recipes-daemons/iscsi-initiator-utils/files/initd.debian
>>>> @@ -39,6 +39,10 @@ start() {
>>>>   InitiatorName=$INITIATORNAME
>>>>   EOF
>>>>   	fi
>>>> +
>>>> +	# Fix label for /etc/iscsi/initiatorname.iscsi if SELinux was enabled
>>>> +	test ! -x /sbin/restorecon || /sbin/restorecon -F /etc/iscsi/initiatorname.iscsi
>>>> +
>>>>   	start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON
>>>>   	RETVAL=$?
>>>>   	starttargets
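
Review bot: the guard on the added restorecon line only tests that /sbin/restorecon is executable, while the comment above it says "if SELinux was enabled". Either reword the comment to match the test or gate the call on SELinux actually being enabled. The call also sits after the closing "fi", so it runs on every start() rather than only when the script has just written initiatorname.iscsi. If the relabel is needed only for a freshly created file, move it inside that if block; if it is also meant to repair a file created by the postinstall, say so in the comment. The exit status of restorecon is not checked in the visible lines, so a failed relabel is silent and iscsid would start and hit the same avc denial; printing a warning on failure would make that visible. Note too that -F forces a reset of the context, which will discard any label an administrator set on this file locally.
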
>>>> --
>>>> 1.9.1
>>>>
>



More information about the Openembedded-devel mailing list