[PATCH node] ovirt-node-selinux policy: bind-mount all files [PATCH node] select boot partition for grub [PATCH node] fix disk partitioning
Alan Pevec
2008-Dec-16 23:02 UTC
[Ovirt-devel] [PATCH node] ovirt-node-selinux policy: bind-mount all files
The default policy doesn't allow file types carrying the security_file_type attribute
to be mounted on, e.g. shadow_t for /etc/shadow:
allow $1 { file_type -security_file_type }:file mounton;
This blocks file bind-mounts from /config partition for config files in
that set.
By allowing all file mounts, security risk is not really increased,
for example /etc/shadow could be bypassed anyway by mounting /etc/passwd.
---
ovirt-node-selinux.te | 6 ++++++
1 files changed, 6 insertions(+), 0 deletions(-)
diff --git a/ovirt-node-selinux.te b/ovirt-node-selinux.te
index a53d3de..327c231 100644
--- a/ovirt-node-selinux.te
+++ b/ovirt-node-selinux.te
@@ -1,8 +1,14 @@
module ovirt 1.0.0;
require {
type fixed_disk_device_t;
+ attribute file_type;
+ type mount_t;
type qemu_t;
class blk_file { ioctl getattr setattr read write };
+ class file mounton;
}
# Give qemu_t access to any block device
allow qemu_t fixed_disk_device_t:blk_file { ioctl getattr setattr read write };
+# allow any file to be bindmounted (for /config)
+allow mount_t file_type:file mounton;
+
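Review bot: `allow mount_t file_type:file mounton;` at the end of the hunk grants mount_t the mounton permission on every file type, which removes the carve-out for security_file_type (shadow_t and similar) that the base policy keeps deliberately, and the policy file itself does not record why that carve-out is being overridden. If only a known set of /config files is bind-mounted, a narrower rule that lists those types in the require block and allows mounton on them alone would keep the carve-out for everything else; that type list is not visible here and would have to be confirmed against the script that performs the bind-mounts. At minimum the comment should state what is being widened, e.g. `# allow mount_t to bind-mount any file, including security_file_type (shadow_t etc.), so /config can overlay files such as /etc/shadow`.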
--
1.6.0.4
Alan Pevec
2008-Dec-16 23:02 UTC
[Ovirt-devel] [PATCH node] select boot partition for grub
---
scripts/ovirt-config-boot | 12 ++++++++++--
1 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/scripts/ovirt-config-boot b/scripts/ovirt-config-boot
index ad0aeb1..9fa0144 100755
--- a/scripts/ovirt-config-boot
+++ b/scripts/ovirt-config-boot
@@ -29,6 +29,14 @@ ovirt_boot_setup() {
local bootparams=$3
printf "installing oVirt Node image ... "
mount_boot
+ # check that /boot mounted ok and find partition number for GRUB
+ BOOT=$(mount|awk '$3 == "/boot" {print $1}')
+ BOOT=$(( ${BOOT#$disk} - 1 ))
+ rc=$?
+ if [ $rc -ne 0 -o $BOOT -lt 0 ]; then
+ printf "boot partition not available\n"
+ return $rc
+ fi
mount_liveos
# install oVirt Node image for local boot
if [ -e "$live/syslinux" ]; then
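Review bot: When /boot is not mounted the new failure path returns success: `BOOT` comes back empty from the mount/awk pipeline, `$(( - 1 ))` evaluates to -1 with exit status 0, so `rc` is 0 and `return $rc` reports success even though "boot partition not available" was printed. Return a non-zero status in that branch and test the two conditions separately instead of with the deprecated `-o`, e.g. `if [ $rc -ne 0 ] || [ "$BOOT" -lt 0 ]; then` followed by `return 1`. The prefix strip `${BOOT#$disk}` only yields a number when the /boot device is `$disk` immediately followed by the partition number; a naming scheme with a separator (or /boot on a different disk) leaves a non-numeric string that the arithmetic treats as a variable name rather than a partition number, so a pattern check before the subtraction would give a clearer error. `$disk` appears to be set above the hunk and `BOOT` is a non-local uppercase variable inside the function; the same value is consumed by the grub.conf stanza and the grub command in the following hunk. ovirt_boot_setup starts before and continues past this hunk.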
@@ -91,14 +99,14 @@ default=0
timeout=5
hiddenmenu
title oVirt Node
- root (hd0,0)
+ root (hd0,$BOOT)
kernel /vmlinuz0 ro root=/dev/HostVG/Root roottypefs=ext3 liveimg
$bootparams
initrd /initrd0.img
EOF
echo "(hd0) $disk" > /boot/grub/device.map
( cd /usr/share/grub/*; cp -p stage? e2fs_stage1_5 /boot/grub )
grub --device-map=/boot/grub/device.map > /dev/null <<EOF
-root (hd0,0)
+root (hd0,$BOOT)
setup --prefix=/grub (hd0)
EOF
rc=$?
--
1.6.0.4
wipe disk more thoroughly
ensure /boot is formatted, otherwise gptsync ignores it
---
scripts/ovirt-config-storage | 6 ++++--
1 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/scripts/ovirt-config-storage b/scripts/ovirt-config-storage
index 89ba175..ff2a3b2 100755
--- a/scripts/ovirt-config-storage
+++ b/scripts/ovirt-config-storage
@@ -178,7 +178,7 @@ perform_partitioning()
set -e
# FIXME: save a backup copy, just in case?
- dd if=/dev/zero of=$DRIVE bs=1K count=1
+ dd if=/dev/zero of=$DRIVE bs=1024K count=1
blockdev --rereadpt $DRIVE
partprobe -s $DRIVE
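Review bot: The larger wipe at `dd if=/dev/zero of=$DRIVE bs=1024K count=1` clears the first MiB only, so a backup GPT header and partition array at the end of the disk from a previous label survive; `parted mklabel gpt` rewrites both copies, but if the intent is a thorough wipe the last MiB should be zeroed as well, using the size from `blockdev --getsize64 $DRIVE` to compute the `seek=` offset. `bs=1M` is the conventional spelling of the same block size. `$DRIVE` is unquoted here as on the surrounding lines, and `set -e` on the line above means a dd failure aborts the function. perform_partitioning starts before the hunk.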
@@ -187,9 +187,11 @@ perform_partitioning()
BOOT_SIZE=10
fi
parted $DRIVE -s "mklabel gpt"
- parted $DRIVE -s "mkpart primary ext2 0M ${BOOT_SIZE}M"
+ parted $DRIVE -s "mkpartfs primary ext2 0M ${BOOT_SIZE}M"
parted $DRIVE -s "mkpart primary ext2 ${BOOT_SIZE}M ${SPACE}M"
+ parted $DRIVE -s "set 1 boot on"
parted $DRIVE -s "set 2 lvm on"
+ parted $DRIVE -s "print"
udevadm settle 2> /dev/null || udevsettle
# sync GPT to the legacy MBR partitions
gptsync $DRIVE
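Review bot: `parted $DRIVE -s "set 1 boot on"` on a GPT label does not set a legacy bootable bit; parted's boot flag on GPT marks the partition as an EFI System Partition by changing its type GUID, so partition 1 is no longer typed as a plain data partition — confirm that is what gptsync and the installed GRUB expect, and record the intent with a comment such as `# NOTE: on GPT, parted's boot flag sets the ESP type GUID — confirm gptsync relies on it`. `mkpartfs` formats with parted's own filesystem code, which later parted releases removed; if mkfs.ext2 is available on the node, keeping `mkpart` and running mkfs.ext2 on partition 1 would be the more durable way to ensure /boot is formatted before gptsync runs. `parted $DRIVE -s "print"` writes the table to stdout, which is useful in a log but may be noise for anything parsing the script's output. perform_partitioning continues past the end of the hunk.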
--
1.6.0.4