Ovirt devel - Sep 2008 - [PATCH node-image] add ovirt semodule in Node

For now, it is only to allow qemu to access disk partitions directly,
required in order to use iSCSI storage pools with SELinux enabled.

Signed-off-by: Alan Pevec <apevec at redhat.com>
---
 common-post.ks |   16 +++++++++++++++-
 1 files changed, 15 insertions(+), 1 deletions(-)

diff --git a/common-post.ks b/common-post.ks
index a4f5858..d44324c 100644
--- a/common-post.ks
+++ b/common-post.ks
@@ -43,12 +43,26 @@ cat > /etc/sysconfig/iptables << \EOF
 COMMIT
 EOF
 
+# make disks available to VMs
+cat > /tmp/ovirt.te <<EOF
+module ovirt 1.0.0;
+require {
+    type fixed_disk_device_t;
+    type qemu_t;
+    class blk_file { ioctl getattr setattr read write };
+}
+allow qemu_t fixed_disk_device_t:blk_file { ioctl getattr setattr read write };
+EOF
+checkmodule -M -m -o /tmp/ovirt.mod /tmp/ovirt.te
+semodule_package -o /tmp/ovirt.pp -m /tmp/ovirt.mod
+semodule -i /tmp/ovirt.pp
+
 echo "Removing excess RPMs"
 
 RPM="rpm -v -e --nodeps"
 
 # kernel pulls in mkinitrd which pulls in isomd5sum which pulls in python,
-# and livecd-tools needs lokkit to disable SELinux.
+# and livecd-tools needs lokkit to configure SELinux.
 # However, this is just an install-time dependency; we can remove
 # it afterwards, which we do here
 $RPM -e system-config-firewall-tui system-config-network-tui rhpl \
-- 
1.5.5.1

Alan Pevec wrote:
> For now, it is only to allow qemu to access disk partitions directly,
> required in order to use iSCSI storage pools with SELinux enabled.
ACK since it fixes the immediate problem.  But, longer term...

Should this selinux policy be a part of ovirt-node installation instead of 
in ovirt-node-image kickstart?

We'll want to install ovirt-node on baremetal Fedora hosts and on those 
hosts we'll want to be able to use iSCSI storage.  We can always tell the 
administrator to 'make it work' but since we require it anyhow I think
it
would make sense to have this policy set in ovirt-node RPM.

Even longer term... Shouldn't this be a part of libvirt install and not in 
oVirt at all?

Perry
> Signed-off-by: Alan Pevec <apevec at redhat.com>
> ---
>  common-post.ks |   16 +++++++++++++++-
>  1 files changed, 15 insertions(+), 1 deletions(-)
> 
> diff --git a/common-post.ks b/common-post.ks
> index a4f5858..d44324c 100644
> --- a/common-post.ks
> +++ b/common-post.ks
> @@ -43,12 +43,26 @@ cat > /etc/sysconfig/iptables << \EOF
>  COMMIT
>  EOF
>  
> +# make disks available to VMs
> +cat > /tmp/ovirt.te <<EOF
> +module ovirt 1.0.0;
> +require {
> +    type fixed_disk_device_t;
> +    type qemu_t;
> +    class blk_file { ioctl getattr setattr read write };
> +}
> +allow qemu_t fixed_disk_device_t:blk_file { ioctl getattr setattr read
write };
> +EOF
> +checkmodule -M -m -o /tmp/ovirt.mod /tmp/ovirt.te
> +semodule_package -o /tmp/ovirt.pp -m /tmp/ovirt.mod
> +semodule -i /tmp/ovirt.pp
> +
>  echo "Removing excess RPMs"
>  
>  RPM="rpm -v -e --nodeps"
>  
>  # kernel pulls in mkinitrd which pulls in isomd5sum which pulls in python,
> -# and livecd-tools needs lokkit to disable SELinux.
> +# and livecd-tools needs lokkit to configure SELinux.
>  # However, this is just an install-time dependency; we can remove
>  # it afterwards, which we do here
>  $RPM -e system-config-firewall-tui system-config-network-tui rhpl \
-- 
|=-        Red Hat, Engineering, Emerging Technologies, Boston        -=|
|=-                     Email: pmyers at redhat.com                      -=|
|=-         Office: +1 412 474 3552   Mobile: +1 703 362 9622         -=|
|=- GnuPG: E65E4F3D 88F9 F1C9 C2F3 1303 01FE 817C C5D2 8B91 E65E 4F3D -=|

Alan Pevec <apevec at redhat.com> wrote:
> For now, it is only to allow qemu to access disk partitions directly,
> required in order to use iSCSI storage pools with SELinux enabled.
>
> Signed-off-by: Alan Pevec <apevec at redhat.com>
> ---
>  common-post.ks |   16 +++++++++++++++-
>  1 files changed, 15 insertions(+), 1 deletions(-)
>
> diff --git a/common-post.ks b/common-post.ks
> index a4f5858..d44324c 100644
> --- a/common-post.ks
> +++ b/common-post.ks
> @@ -43,12 +43,26 @@ cat > /etc/sysconfig/iptables << \EOF
>  COMMIT
>  EOF
>
> +# make disks available to VMs
> +cat > /tmp/ovirt.te <<EOF
Nice.
One suggestion: if you add single quotes or a backslash ('EOF' or \EOF),

    cat > /tmp/ovirt.te <<\EOF

then the reviewer wouldn't have to examine contents for occurrences
of "$" or `` that would be substituted.
> +module ovirt 1.0.0;
> +require {
> +    type fixed_disk_device_t;
> +    type qemu_t;
> +    class blk_file { ioctl getattr setattr read write };
> +}
> +allow qemu_t fixed_disk_device_t:blk_file { ioctl getattr setattr read
write };
> +EOF
...