| Message ID | 20160923002546.14537-1-joe@ovn.org |
|---|---|
| State | Accepted |
| Headers | show |
On 23 September 2016 at 03:25, Joe Stringer <joe@ovn.org> wrote: > ovs-lib creates several directories directly from the script, but > doesn't make any attempt to ensure that the correct SELinux context is > applied to these directories. As a result, the created directories end > up with type var_run_t rather than openvswitch_var_run_t. > > During reboot using a tmpfs for /var/run, startup scripts will invoke > ovs-lib to create these directories with the wrong context. If SELinux > is enabled, OVS will fail to start as it cannot write to this directory. > > Fix the issue by sprinkling "restorecon" in each of the places where > directories are created. In practice, many of these should otherwise be > handled by packaging scripts but if they exist then we should ensure the > correct SELinux context is set. > > On systems where 'restorecon' is unavailable, this should be a no-op. > > VMware-BZ: #1732672 > > Signed-off-by: Joe Stringer <joe@ovn.org> > Acked-by: Ansis Atteka <aatteka@ovn.org> > Thanks for taking care of this. I just did a basic test and I think your V2 patch is a good enhancement. > --- > v2: Only restore context in dir creation case. > Don't call restorecon with -R. > --- > utilities/ovs-lib.in | 16 ++++++++++++---- > 1 file changed, 12 insertions(+), 4 deletions(-) > > diff --git a/utilities/ovs-lib.in b/utilities/ovs-lib.in > index cbad85a36007..4c07750530b6 100644 > --- a/utilities/ovs-lib.in > +++ b/utilities/ovs-lib.in > @@ -148,6 +148,14 @@ version_geq() { > }' > } > > +install_dir () { > + DIR="$1" > + if test ! -d "$DIR"; then > + install -d -m 755 -o root -g root "$DIR" > + restorecon "$DIR" >/dev/null 2>&1 > + fi > +} > + > start_daemon () { > priority=$1 > wrapper=$2 > @@ -156,16 +164,16 @@ start_daemon () { > strace="" > > # drop core files in a sensible place > - test -d "$DAEMON_CWD" || install -d -m 755 -o root -g root > "$DAEMON_CWD" > + install_dir "$DAEMON_CWD" > set "$@" --no-chdir > cd "$DAEMON_CWD" > > # log file > - test -d "$logdir" || install -d -m 755 -o root -g root "$logdir" > + install_dir "$logdir" > set "$@" --log-file="$logdir/$daemon.log" > > # pidfile and monitoring > - test -d "$rundir" || install -d -m 755 -o root -g root "$rundir" > + install_dir "$rundir" > set "$@" --pidfile="$rundir/$daemon.pid" > set "$@" --detach > test X"$MONITOR" = Xno || set "$@" --monitor > @@ -380,7 +388,7 @@ upgrade_db () { > schemaver=`ovsdb_tool schema-version "$DB_SCHEMA"` > if test ! -e "$DB_FILE"; then > log_warning_msg "$DB_FILE does not exist" > - install -d -m 755 -o root -g root `dirname $DB_FILE` > + install_dir `dirname $DB_FILE` > create_db "$DB_FILE" "$DB_SCHEMA" > elif test X"`ovsdb_tool needs-conversion "$DB_FILE" "$DB_SCHEMA"`" != > Xno; then > # Back up the old version. > -- > 2.9.3 > >
On 23 September 2016 at 06:25, Ansis Atteka <ansisatteka@gmail.com> wrote: > > > On 23 September 2016 at 03:25, Joe Stringer <joe@ovn.org> wrote: >> >> ovs-lib creates several directories directly from the script, but >> doesn't make any attempt to ensure that the correct SELinux context is >> applied to these directories. As a result, the created directories end >> up with type var_run_t rather than openvswitch_var_run_t. >> >> During reboot using a tmpfs for /var/run, startup scripts will invoke >> ovs-lib to create these directories with the wrong context. If SELinux >> is enabled, OVS will fail to start as it cannot write to this directory. >> >> Fix the issue by sprinkling "restorecon" in each of the places where >> directories are created. In practice, many of these should otherwise be >> handled by packaging scripts but if they exist then we should ensure the >> correct SELinux context is set. >> >> On systems where 'restorecon' is unavailable, this should be a no-op. >> >> VMware-BZ: #1732672 >> >> Signed-off-by: Joe Stringer <joe@ovn.org> >> Acked-by: Ansis Atteka <aatteka@ovn.org> > > Thanks for taking care of this. I just did a basic test and I think your V2 > patch is a good enhancement. Thanks, I applied this to master and branch-2.6.
diff --git a/utilities/ovs-lib.in b/utilities/ovs-lib.in index cbad85a36007..4c07750530b6 100644 --- a/utilities/ovs-lib.in +++ b/utilities/ovs-lib.in @@ -148,6 +148,14 @@ version_geq() { }' } +install_dir () { + DIR="$1" + if test ! -d "$DIR"; then + install -d -m 755 -o root -g root "$DIR" + restorecon "$DIR" >/dev/null 2>&1 + fi +} + start_daemon () { priority=$1 wrapper=$2 @@ -156,16 +164,16 @@ start_daemon () { strace="" # drop core files in a sensible place - test -d "$DAEMON_CWD" || install -d -m 755 -o root -g root "$DAEMON_CWD" + install_dir "$DAEMON_CWD" set "$@" --no-chdir cd "$DAEMON_CWD" # log file - test -d "$logdir" || install -d -m 755 -o root -g root "$logdir" + install_dir "$logdir" set "$@" --log-file="$logdir/$daemon.log" # pidfile and monitoring - test -d "$rundir" || install -d -m 755 -o root -g root "$rundir" + install_dir "$rundir" set "$@" --pidfile="$rundir/$daemon.pid" set "$@" --detach test X"$MONITOR" = Xno || set "$@" --monitor @@ -380,7 +388,7 @@ upgrade_db () { schemaver=`ovsdb_tool schema-version "$DB_SCHEMA"` if test ! -e "$DB_FILE"; then log_warning_msg "$DB_FILE does not exist" - install -d -m 755 -o root -g root `dirname $DB_FILE` + install_dir `dirname $DB_FILE` create_db "$DB_FILE" "$DB_SCHEMA" elif test X"`ovsdb_tool needs-conversion "$DB_FILE" "$DB_SCHEMA"`" != Xno; then # Back up the old version.