Xen project Mailing List

Re: [Xen-devel] [PATCH] tools/hotplug: Use env rather than sh in xenstored.service

To: George Dunlap <george.dunlap@xxxxxxxxxxxxx>, <xen-devel@xxxxxxxxxxxxx>

From: George Dunlap <george.dunlap@xxxxxxxxxx>

Date: Tue, 15 Sep 2015 12:12:06 +0100

Cc: Ian Jackson <ian.jackson@xxxxxxxxxx>, Olaf Hering <olaf@xxxxxxxxx>, Wei Liu <wei.liu2@xxxxxxxxxx>, Ian Campbell <ian.campbell@xxxxxxxxxx>

Delivery-date: Tue, 15 Sep 2015 11:12:23 +0000

List-id: Xen developer discussion <xen-devel.lists.xen.org>

On 09/15/2015 11:30 AM, George Dunlap wrote: > Using sh to exec xenstored breaks on selinux systems (at least, on > CentOS 7). The only purpose of doing that was to be able to expand > the $XENSTORED variable; this can be done with /usr/bin/env instead, > which still works on systemd systems (at least on CentOS 7). > > Suggested-by: Olaf Hering <olaf@xxxxxxxxx> > Signed-off-by: George Dunlap <george.dunlap@xxxxxxxxxx> > --- > > One could argue that this is a bug in 4.6 and should be accepted. I > could also see an argument, however, that this late in the cycle we > should just wait until 4.6.1. I'll leave it up to Wei to decide. > > CC: Ian Campbell <ian.campbell@xxxxxxxxxx> > CC: Ian Jackson <ian.jackson@xxxxxxxxxx> > CC: Wei Liu <wei.liu2@xxxxxxxxxx> > CC: Olaf Hering <olaf@xxxxxxxxx> > --- > tools/hotplug/Linux/systemd/xenstored.service.in | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/tools/hotplug/Linux/systemd/xenstored.service.in > b/tools/hotplug/Linux/systemd/xenstored.service.in > index a5f836b..09964f3 100644 > --- a/tools/hotplug/Linux/systemd/xenstored.service.in > +++ b/tools/hotplug/Linux/systemd/xenstored.service.in > @@ -15,7 +15,7 @@ EnvironmentFile=-@CONFIG_DIR@/@CONFIG_LEAF_DIR@/xencommons > ExecStartPre=/bin/grep -q control_d /proc/xen/capabilities > ExecStartPre=-/bin/rm -f @XEN_LIB_STORED@/tdb* > ExecStartPre=/bin/mkdir -p @XEN_RUN_DIR@ > -ExecStart=/bin/sh -c "exec $XENSTORED --no-fork $XENSTORED_ARGS" > +ExecStart=/usr/bin/env $XENSTORED --no-fork $XENSTORED_ARGS Actually, hold off on this one -- apparently env destroys the selinux context in a way that's too permissive: # ps axZ | grep xenstored system_u:system_r:unconfined_service_t:s0 612 ? Ss 0:00 /usr/sbin/xenstored --no-fork IOW, a side effect this patch is to "fix" the /var/lib/xenstored tmpfs selinux context problem by basically disabling that selinux limitation. :-/ -George _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx http://lists.xen.org/xen-devel

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.