Russell Coker
2014-Oct-12 06:55 UTC
[Pkg-xen-devel] Bug#764912: xen-utils-common: needs to apply SE Linux labels after creating directories in start script
Package: xen-utils-common
Version: 4.4.1-2
Severity: normal
For correct operation under SE Linux the start script needs to assign correct
security labels to firectories it creates. Note that restorcon doesn't
cause
any problems if run twice. If it's executable then you can safely run it.
Below is a patch that demonstrates how to solve this problem.
--- xen.old 2014-10-12 17:49:11.348923959 +1100
+++ xen 2014-10-12 17:50:49.257694941 +1100
@@ -66,6 +66,7 @@
[ -d /run/xen ] && return 0
mkdir -m 700 /run/xen
+ [ -x /sbin/restorecon ] && /sbin/restorecon /run/xen
}
xend_start()
@@ -189,6 +190,7 @@
start-stop-daemon --start --quiet --pidfile "$XENSTORED_PIDFILE"
--exec "$XENSTORED" --test > /dev/null \
|| return 1
[ -d "$XENSTORED_DIR" ] || mkdir -p "$XENSTORED_DIR"
+ [ -x /sbin/restorecon ] && /sbin/restorecon "$XENSTORED_DIR"
export XENSTORED_ROOTDIR="$XENSTORED_DIR"
start-stop-daemon --start --quiet --pidfile "$XENSTORED_PIDFILE"
--exec "$XENSTORED" -- \
$XENSTORED_ARGS --pid-file="$XENSTORED_PIDFILE" \
-- System Information:
Debian Release: 7.6
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'unstable'), (500,
'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.14-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages xen-utils-common depends on:
ii lsb-base 4.1+Debian8+deb7u1
ii python 2.7.8-1
ii ucf 3.0025+nmu3
ii udev 175-7.2
ii xenstore-utils 4.1.4-3+deb7u3
xen-utils-common recommends no packages.
xen-utils-common suggests no packages.
-- Configuration Files:
/etc/init.d/xen changed:
.. /lib/init/vars.sh
.. /lib/lsb/init-functions
XENSTORED_DIR="/var/run/xenstored"
[ -r /etc/default/xen ] && . /etc/default/xen
[ -r /etc/default/xend ] && . /etc/default/xend
PATH=/sbin:/bin:/usr/sbin:/usr/bin
DESC="Xen daemons"
ROOT=$(/usr/lib/xen-common/bin/xen-dir 2>/dev/null)
if [ $? -ne 0 ]; then
log_warning_msg "Not running within Xen or no compatible utils"
exit 0
fi
TOOLSTACK=$(/usr/lib/xen-common/bin/xen-toolstack 2>/dev/null)
if [ $? -ne 0 ]; then
log_warning_msg "No usable Xen toolstack selected"
exit 0
fi
[ -e "$ROOT"/bin/xend ] && XEND="$ROOT"/bin/xend
XENCONSOLED="$ROOT"/bin/xenconsoled
XENCONSOLED_PIDFILE="/var/run/xenconsoled.pid"
XENSTORED="$ROOT"/bin/xenstored
XENSTORED_PIDFILE="/var/run/xenstore.pid"
modules_setup()
{
modprobe xenfs 2>/dev/null
modprobe xen-evtchn 2>/dev/null
modprobe xen-gntdev 2>/dev/null
}
xenfs_setup()
{
[ -e "/proc/xen/capabilities" ] && return 0
log_progress_msg "xenfs"
[ -d "/proc/xen" ] || return 1
mount -t xenfs xenfs /proc/xen || return 1
return 0
}
capability_check()
{
[ -e "/proc/xen/capabilities" ] || return 1
grep -q "control_d" /proc/xen/capabilities || return 1
return 0
}
env_setup()
{
[ -d /run/xen ] && return 0
mkdir -m 700 /run/xen
[ -x /sbin/restorecon ] && /sbin/restorecon /run/xen
}
xend_start()
{
if [ -z "$XEND" ] || [ "$(basename "$TOOLSTACK")"
!= xm ]; then
return 0
fi
log_progress_msg "xend"
xend_start_real
return $?
}
xend_stop()
{
if [ -z "$XEND" ] || [ "$(basename "$TOOLSTACK")"
!= xm ]; then
return 0
fi
log_progress_msg "xend"
xend_stop_real
return $?
}
xend_restart()
{
if [ -z "$XEND" ] || [ "$(basename "$TOOLSTACK")"
!= xm ]; then
return 0
fi
log_progress_msg "xend"
xend_stop_real
case "$?" in
0|1)
xend_start_real
case "$?" in
0) ;;
*) return 2 ;;
esac
;;
*) return 2 ;;
esac
return 0
}
xend_start_real()
{
$XEND status && return 1
$XEND start || return 2
i=0
while [ $i -lt 10 ]; do
$XEND status && return 0 || true
i=$(($i + 1))
sleep 1
done
return 2
}
xend_stop_real()
{
log_progress_msg "xend"
$XEND status || return 0
$XEND stop || return 1
}
xenconsoled_start()
{
log_progress_msg "xenconsoled"
xenconsoled_start_real
return $?
}
xenconsoled_stop()
{
log_progress_msg "xenconsoled"
xenconsoled_stop_real
return $?
}
xenconsoled_restart()
{
log_progress_msg "xenconsoled"
xenconsoled_stop_real
case "$?" in
0|1)
xenconsoled_start_real
case "$?" in
0) ;;
*) return 2 ;;
esac
;;
*) return 2 ;;
esac
return 0
}
xenconsoled_start_real()
{
start-stop-daemon --start --quiet --pidfile "$XENCONSOLED_PIDFILE"
--exec "$XENCONSOLED" --test > /dev/null \
|| return 1
start-stop-daemon --start --quiet --pidfile "$XENCONSOLED_PIDFILE"
--exec "$XENCONSOLED" -- \
$XENCONSOLED_ARGS --pid-file="$XENCONSOLED_PIDFILE" \
|| return 2
}
xenconsoled_stop_real()
{
start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile
"$XENCONSOLED_PIDFILE" --name xenconsoled
RETVAL="$?"
[ "$RETVAL" = 2 ] && return 2
start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec
"$XENCONSOLED"
[ "$?" = 2 ] && return 2
rm -f $PIDFILE
return "$RETVAL"
}
xenstored_start()
{
log_progress_msg "xenstored"
start-stop-daemon --start --quiet --pidfile "$XENSTORED_PIDFILE"
--exec "$XENSTORED" --test > /dev/null \
|| return 1
[ -d "$XENSTORED_DIR" ] || mkdir -p "$XENSTORED_DIR"
[ -x /sbin/restorecon ] && /sbin/restorecon "$XENSTORED_DIR"
export XENSTORED_ROOTDIR="$XENSTORED_DIR"
start-stop-daemon --start --quiet --pidfile "$XENSTORED_PIDFILE"
--exec "$XENSTORED" -- \
$XENSTORED_ARGS --pid-file="$XENSTORED_PIDFILE" \
|| return 2
xenstore-write "/local/domain/0/name" "Domain-0"
xenstore-write "/local/domain/0/domid" "0"
}
case "$1" in
start)
log_daemon_msg "Starting $DESC"
modules_setup
xenfs_setup
case "$?" in
0) ;;
*) log_end_msg 1; exit ;;
esac
capability_check
case "$?" in
0) ;;
*) log_end_msg 255; exit ;;
esac
env_setup
xenstored_start
case "$?" in
0|1) ;;
*) log_end_msg 1; exit ;;
esac
xenconsoled_start
case "$?" in
0|1) ;;
*) log_end_msg 1; exit ;;
esac
xend_start
case "$?" in
0|1) ;;
*) log_end_msg 1; exit ;;
esac
log_end_msg 0
;;
stop)
capability_check
case "$?" in
0) ;;
*) exit ;;
esac
log_daemon_msg "Stopping $DESC"
ret=0
xend_stop
case "$?" in
0|1) ;;
*) ret=1 ;;
esac
xenconsoled_stop
case "$?" in
0|1) ;;
*) ret=1 ;;
esac
log_end_msg $ret
;;
restart|force-reload)
capability_check
case "$?" in
0) ;;
*) exit ;;
esac
log_daemon_msg "Restarting $DESC"
ret=0
xend_restart
case "$?" in
0|1) ;;
*) ret=1 ;;
esac
xenconsoled_restart
case "$?" in
0|1) ;;
*) ret=1 ;;
esac
log_end_msg $ret
;;
*)
echo "Usage: $0 {start|stop|restart|force-reload}" >&2
exit 3
;;
esac
exit 0
-- no debconf information
Debian Bug Tracking System
2015-Aug-21 20:00 UTC
[Pkg-xen-devel] Processed: Re: xen-utils-common: needs to apply SE Linux labels after creating directories in start script
Processing control commands:> tag -1 +patchBug #764912 [xen-utils-common] xen-utils-common: needs to apply SE Linux labels after creating directories in start script Added tag(s) patch. -- 764912: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=764912 Debian Bug Tracking System Contact owner at bugs.debian.org with problems
Debian Bug Tracking System
2016-Dec-22 18:51 UTC
[Pkg-xen-devel] Bug#764912: marked as done (xen-utils-common: needs to apply SE Linux labels after creating directories in start script)
Your message dated Thu, 22 Dec 2016 18:49:44 +0000 with message-id <E1cK8Qy-0003my-D6 at fasolo.debian.org> and subject line Bug#764912: fixed in xen 4.8.0-1 has caused the Debian Bug report #764912, regarding xen-utils-common: needs to apply SE Linux labels after creating directories in start script to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner at bugs.debian.org immediately.) -- 764912: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=764912 Debian Bug Tracking System Contact owner at bugs.debian.org with problems -------------- next part -------------- An embedded message was scrubbed... From: Russell Coker <russell at coker.com.au> Subject: xen-utils-common: needs to apply SE Linux labels after creating directories in start script Date: Sun, 12 Oct 2014 17:55:52 +1100 Size: 8331 URL: <http://lists.alioth.debian.org/pipermail/pkg-xen-devel/attachments/20161222/0fece6e4/attachment-0002.mht> -------------- next part -------------- An embedded message was scrubbed... From: Ian Jackson <ian.jackson at eu.citrix.com> Subject: Bug#764912: fixed in xen 4.8.0-1 Date: Thu, 22 Dec 2016 18:49:44 +0000 Size: 11303 URL: <http://lists.alioth.debian.org/pipermail/pkg-xen-devel/attachments/20161222/0fece6e4/attachment-0003.mht>
Maybe Matching Threads
- Bug#678719: xen-utils-common: please label all created directories for SE Linux
- Bug#742397: xen-utils-common: /etc/init.d/dom0weight is hardcoded to use xm
- Bug#597403: xen-utils-common: need to run restorecon in /etc/init.d/xend on SE Linux systems
- Bug#770456: Bug#770456: Please start a qemu process in domain 0.
- Ubuntu delta against 4.5.0-1 in experimental for disussion