Russell Coker
2012-Jun-24 00:33 UTC
[Pkg-xen-devel] Bug#678719: xen-utils-common: please label all created directories for SE Linux
Package: xen-utils-common
Version: 4.1.3~rc1+hg-20120614.a9c0a89c08f2-2
Severity: important
Please modify the init scripts in a manner similar to the following to give
the correct SE Linux labels. Failing to correctly label them may result in
Xen not working correctly when SE Linux is enabled.
--- /etc/init.d/xen.orig 2012-06-24 10:29:04.000000000 +1000
+++ /etc/init.d/xen 2012-06-24 10:29:54.000000000 +1000
@@ -182,6 +182,7 @@
start-stop-daemon --start --quiet --pidfile "$XENSTORED_PIDFILE"
--exec "$XENSTORED" --test > /dev/null \
|| return 1
[ -d "$XENSTORED_DIR" ] || mkdir -p "$XENSTORED_DIR"
+ [ -x /sbin/restorecon ] && /sbin/restorecon "$XENSTORED_DIR"
export XENSTORED_ROOTDIR="$XENSTORED_DIR"
start-stop-daemon --start --quiet --pidfile "$XENSTORED_PIDFILE"
--exec "$XENSTORED" -- \
$XENSTORED_ARGS --pid-file="$XENSTORED_PIDFILE" \
--- /etc/init.d/xendomains.orig 2012-06-24 10:29:08.000000000 +1000
+++ /etc/init.d/xendomains 2012-06-24 10:30:05.000000000 +1000
@@ -152,6 +152,7 @@
{
[ -n "$XENDOMAINS_SAVE" ] || return
[ -d "$XENDOMAINS_SAVE" ] || mkdir -m 0700 -p
"$XENDOMAINS_SAVE"
+ [ -x /sbin/restorecon ] && /sbin/restorecon
"$XENDOMAINS_SAVE"
while read id name rest; do
log_action_begin_msg "Saving Xen domain $name ($id)"
-- System Information:
Debian Release: wheezy/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
Versions of packages xen-utils-common depends on:
ii gawk 1:4.0.1+dfsg-2
ii lsb-base 4.1+Debian7
ii python 2.7.3~rc2-1
ii ucf 3.0025+nmu3
ii udev 175-3.1
ii xenstore-utils 4.1.3~rc1+hg-20120614.a9c0a89c08f2-2
xen-utils-common recommends no packages.
xen-utils-common suggests no packages.
-- Configuration Files:
/etc/init.d/xen changed:
. /lib/init/vars.sh
. /lib/lsb/init-functions
XENSTORED_DIR="/var/run/xenstored"
[ -r /etc/default/xen ] && . /etc/default/xen
[ -r /etc/default/xend ] && . /etc/default/xend
PATH=/sbin:/bin:/usr/sbin:/usr/bin
DESC="Xen daemons"
ROOT=$(/usr/lib/xen-common/bin/xen-dir 2>/dev/null)
if [ $? -ne 0 ]; then
log_warning_msg "Not running within Xen or no compatible utils"
exit 0
fi
TOOLSTACK=$(/usr/lib/xen-common/bin/xen-toolstack 2>/dev/null)
if [ $? -ne 0 ]; then
log_warning_msg "No usable Xen toolstack selected"
exit 0
fi
[ -e "$ROOT"/bin/xend ] && XEND="$ROOT"/bin/xend
XENCONSOLED="$ROOT"/bin/xenconsoled
XENCONSOLED_PIDFILE="/var/run/xenconsoled.pid"
XENSTORED="$ROOT"/bin/xenstored
XENSTORED_PIDFILE="/var/run/xenstore.pid"
modules_setup()
{
modprobe xenfs 2>/dev/null
modprobe xen-evtchn 2>/dev/null
modprobe xen-gntdev 2>/dev/null
}
xenfs_setup()
{
[ -e "/proc/xen/capabilities" ] && return 0
log_progress_msg "xenfs"
[ -d "/proc/xen" ] || return 1
mount -t xenfs xenfs /proc/xen || return 1
return 0
}
capability_check()
{
[ -e "/proc/xen/capabilities" ] || return 1
grep -q "control_d" /proc/xen/capabilities || return 1
return 0
}
xend_start()
{
if [ -z "$XEND" ] || [ "$(basename "$TOOLSTACK")"
!= xm ]; then
return 0
fi
log_progress_msg "xend"
xend_start_real
return $?
}
xend_stop()
{
if [ -z "$XEND" ] || [ "$(basename "$TOOLSTACK")"
!= xm ]; then
return 0
fi
log_progress_msg "xend"
xend_stop_real
return $?
}
xend_restart()
{
if [ -z "$XEND" ] || [ "$(basename "$TOOLSTACK")"
!= xm ]; then
return 0
fi
log_progress_msg "xend"
xend_stop_real
case "$?" in
0|1)
xend_start_real
case "$?" in
0) ;;
*) return 2 ;;
esac
;;
*) return 2 ;;
esac
return 0
}
xend_start_real()
{
$XEND status && return 1
$XEND start || return 2
i=0
while [ $i -lt 10 ]; do
$XEND status && return 0 || true
i=$(($i + 1))
sleep 1
done
return 2
}
xend_stop_real()
{
log_progress_msg "xend"
$XEND status || return 0
$XEND stop || return 1
}
xenconsoled_start()
{
log_progress_msg "xenconsoled"
xenconsoled_start_real
return $?
}
xenconsoled_stop()
{
log_progress_msg "xenconsoled"
xenconsoled_stop_real
return $?
}
xenconsoled_restart()
{
log_progress_msg "xenconsoled"
xenconsoled_stop_real
case "$?" in
0|1)
xenconsoled_start_real
case "$?" in
0) ;;
*) return 2 ;;
esac
;;
*) return 2 ;;
esac
return 0
}
xenconsoled_start_real()
{
start-stop-daemon --start --quiet --pidfile "$XENCONSOLED_PIDFILE"
--exec "$XENCONSOLED" --test > /dev/null \
|| return 1
start-stop-daemon --start --quiet --pidfile "$XENCONSOLED_PIDFILE"
--exec "$XENCONSOLED" -- \
$XENCONSOLED_ARGS --pid-file="$XENCONSOLED_PIDFILE" \
|| return 2
}
xenconsoled_stop_real()
{
start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile
"$XENCONSOLED_PIDFILE" --name xenconsoled
RETVAL="$?"
[ "$RETVAL" = 2 ] && return 2
start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec
"$XENCONSOLED"
[ "$?" = 2 ] && return 2
rm -f $PIDFILE
return "$RETVAL"
}
xenstored_start()
{
log_progress_msg "xenstored"
start-stop-daemon --start --quiet --pidfile "$XENSTORED_PIDFILE"
--exec "$XENSTORED" --test > /dev/null \
|| return 1
[ -d "$XENSTORED_DIR" ] || mkdir -p "$XENSTORED_DIR"
[ -x /sbin/restorecon ] && /sbin/restorecon "$XENSTORED_DIR"
export XENSTORED_ROOTDIR="$XENSTORED_DIR"
start-stop-daemon --start --quiet --pidfile "$XENSTORED_PIDFILE"
--exec "$XENSTORED" -- \
$XENSTORED_ARGS --pid-file="$XENSTORED_PIDFILE" \
|| return 2
xenstore-write "/local/domain/0/name" "Domain-0"
}
case "$1" in
start)
log_daemon_msg "Starting $DESC"
modules_setup
xenfs_setup
case "$?" in
0) ;;
*) log_end_msg 1; exit ;;
esac
capability_check
case "$?" in
0) ;;
*) log_end_msg 255; exit ;;
esac
xenstored_start
case "$?" in
0|1) ;;
*) log_end_msg 1; exit ;;
esac
xenconsoled_start
case "$?" in
0|1) ;;
*) log_end_msg 1; exit ;;
esac
xend_start
case "$?" in
0|1) ;;
*) log_end_msg 1; exit ;;
esac
log_end_msg 0
;;
stop)
capability_check
case "$?" in
0) ;;
*) exit ;;
esac
log_daemon_msg "Stopping $DESC"
ret=0
xend_stop
case "$?" in
0|1) ;;
*) ret=1 ;;
esac
xenconsoled_stop
case "$?" in
0|1) ;;
*) ret=1 ;;
esac
log_end_msg $ret
;;
restart|force-reload)
capability_check
case "$?" in
0) ;;
*) exit ;;
esac
log_daemon_msg "Restarting $DESC"
ret=0
xend_restart
case "$?" in
0|1) ;;
*) ret=1 ;;
esac
xenconsoled_restart
case "$?" in
0|1) ;;
*) ret=1 ;;
esac
log_end_msg $ret
;;
*)
echo "Usage: $0 {start|stop|restart|force-reload}" >&2
exit 3
;;
esac
exit 0
/etc/init.d/xendomains changed:
. /lib/init/vars.sh
. /lib/lsb/init-functions
xen list &> /dev/null
if test $? -ne 0
then
exit 0;
fi
if ! [ -e /proc/xen/privcmd ]; then
exit 0
fi
[ -r /etc/default/xendomains ] && . /etc/default/xendomains
shopt -s nullglob
check_config_name()
{
xen create --quiet --dryrun --defconfig "$1" | sed -n
's/^.*(name \(.*\))$/\1/p'
}
check_running()
{
xen domid "$1" > /dev/null 2>&1
return $?
}
timeout_coproc()
{
TIMEOUT="$1"
for no in $(seq 0 $TIMEOUT); do
if [ -z "$COPROC_PID" ]; then return 0; fi
sleep 1
log_action_cont_msg
done
kill -INT "$COPROC_PID" >/dev/null 2>&1
wait $COPROC_PID
return 1
}
timeout_domain()
{
name="$1"
TIMEOUT="$2"
for no in $(seq 0 $TIMEOUT); do
if ! check_running "$name"; then return 0; fi
sleep 1
log_action_cont_msg
done
return 1
}
do_start_restore()
{
[ -n "$XENDOMAINS_SAVE" ] || return
[ -d "$XENDOMAINS_SAVE" ] || return
[ -n "$XENDOMAINS_RESTORE" ] || return
for file in $XENDOMAINS_SAVE/*; do
if [ -f $file ] ; then
name="${file##*/}"
log_action_begin_msg "Restoring Xen domain $name (from $file)"
out=$(xen restore "$file" 2>&1 1>/dev/null)
case "$?" in
0)
rm "$file"
domains[$name]='started'
log_action_end_msg 0
;;
*)
domains[$name]='failed'
log_action_end_msg 1
echo "$out"
;;
esac
fi
done
}
do_start_auto()
{
[ -n "$XENDOMAINS_AUTO" ] || return
[ -d "$XENDOMAINS_AUTO" ] || return
for file in $XENDOMAINS_AUTO/*; do
name="$(check_config_name $file)"
if [ "${domains[$name]}" = started ]; then
:
elif check_running "$name"; then
log_action_msg "Xen domain $name already running"
else
log_action_begin_msg "Starting Xen domain $name (from $file)"
if [ "${domains[$name]}" = failed ]; then
log_action_end_msg 1 "restore failed"
else
out=$(xen create --quiet --defconfig "$file" 2>&1
1>/dev/null)
case "$?" in
0)
log_action_end_msg 0
;;
*)
log_action_end_msg 1
echo "$out"
;;
esac
fi
fi
done
}
do_start()
{
declare -A domains
do_start_restore
do_start_auto
}
do_stop_migrate()
{
[ -n "$XENDOMAINS_MIGRATE" ] || return
while read id name rest; do
log_action_begin_msg "Migrating Xen domain $name ($id)"
coproc xen migrate $id $XENDOMAINS_MIGRATE 2>&1 1>/dev/null
timeout_coproc "$XENDOMAINS_STOP_MAXWAIT"
log_action_end_msg $?
done < <(/usr/lib/xen-common/bin/xen-init-list)
}
do_stop_save()
{
[ -n "$XENDOMAINS_SAVE" ] || return
[ -d "$XENDOMAINS_SAVE" ] || mkdir -m 0700 -p
"$XENDOMAINS_SAVE"
[ -x /sbin/restorecon ] && /sbin/restorecon
"$XENDOMAINS_SAVE"
while read id name rest; do
log_action_begin_msg "Saving Xen domain $name ($id)"
coproc xen save $id $XENDOMAINS_SAVE/$name 2>&1 1>/dev/null
timeout_coproc "$XENDOMAINS_STOP_MAXWAIT"
log_action_end_msg $?
done < <(/usr/lib/xen-common/bin/xen-init-list)
}
do_stop_shutdown()
{
while read id name rest; do
log_action_begin_msg "Shutting down Xen domain $name ($id)"
xen shutdown $id 2>&1 1>/dev/null
timeout_domain "$name" "$XENDOMAINS_STOP_MAXWAIT"
log_action_end_msg $?
done < <(/usr/lib/xen-common/bin/xen-init-list)
}
do_stop()
{
do_stop_migrate
do_stop_save
do_stop_shutdown
}
case "$1" in
start)
do_start
;;
stop)
do_stop
;;
restart)
do_stop
do_start
;;
reload|force-reload)
do_stop
do_start
;;
*)
echo "Usage: $0 {start|stop|restart|reload|force-reload}"
exit 3
;;
esac
exit 0
-- debconf-show failed
Debian Bug Tracking System
2012-Jun-24 08:15 UTC
[Pkg-xen-devel] Bug#678719: marked as done (xen-utils-common: please label all created directories for SE Linux)
Your message dated Sun, 24 Jun 2012 10:11:51 +0200 with message-id <20120624081151.GB2595 at wavehammer.waldi.eu.org> and subject line Re: [Pkg-xen-devel] Bug#678719: xen-utils-common: please label all created directories for SE Linux has caused the Debian Bug report #678719, regarding xen-utils-common: please label all created directories for SE Linux to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner at bugs.debian.org immediately.) -- 678719: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=678719 Debian Bug Tracking System Contact owner at bugs.debian.org with problems -------------- next part -------------- An embedded message was scrubbed... From: Russell Coker <russell at coker.com.au> Subject: xen-utils-common: please label all created directories for SE Linux Date: Sun, 24 Jun 2012 10:33:23 +1000 Size: 12496 URL: <http://lists.alioth.debian.org/pipermail/pkg-xen-devel/attachments/20120624/7c39b3af/attachment-0002.mht> -------------- next part -------------- An embedded message was scrubbed... From: Bastian Blank <waldi at debian.org> Subject: Re: [Pkg-xen-devel] Bug#678719: xen-utils-common: please label all created directories for SE Linux Date: Sun, 24 Jun 2012 10:11:51 +0200 Size: 1903 URL: <http://lists.alioth.debian.org/pipermail/pkg-xen-devel/attachments/20120624/7c39b3af/attachment-0003.mht>
Laurent Bigonville
2012-Jun-28 19:52 UTC
[Pkg-xen-devel] Bug#678719: xen-utils-common: please label all created directories for SE Linux
Hi, Since you are creating the directory you should ensure that the correct permission are set to it, I feel that the same should apply to selinux labels. Grepping under /etc/init.d show me that other initscripts are already doing the same. Please consider applying Russell patch. Cheers Laurent Bigonville
Debian Bug Tracking System
2012-Aug-17 09:09 UTC
[Pkg-xen-devel] Bug#678719: marked as done (xen-utils-common: please label all created directories for SE Linux)
Your message dated Fri, 17 Aug 2012 11:06:07 +0200 with message-id <20120817090607.GA32563 at wavehammer.waldi.eu.org> and subject line Re: [Pkg-xen-devel] Bug#678719: xen-utils-common: please label all created directories for SE Linux has caused the Debian Bug report #678719, regarding xen-utils-common: please label all created directories for SE Linux to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner at bugs.debian.org immediately.) -- 678719: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=678719 Debian Bug Tracking System Contact owner at bugs.debian.org with problems -------------- next part -------------- An embedded message was scrubbed... From: Russell Coker <russell at coker.com.au> Subject: xen-utils-common: please label all created directories for SE Linux Date: Sun, 24 Jun 2012 10:33:23 +1000 Size: 12496 URL: <http://lists.alioth.debian.org/pipermail/pkg-xen-devel/attachments/20120817/ab245d2b/attachment.mht> -------------- next part -------------- An embedded message was scrubbed... From: Bastian Blank <waldi at debian.org> Subject: Re: [Pkg-xen-devel] Bug#678719: xen-utils-common: please label all created directories for SE Linux Date: Fri, 17 Aug 2012 11:06:07 +0200 Size: 1967 URL: <http://lists.alioth.debian.org/pipermail/pkg-xen-devel/attachments/20120817/ab245d2b/attachment-0001.mht>
Possibly Parallel Threads
- Bug#742397: xen-utils-common: /etc/init.d/dom0weight is hardcoded to use xm
- Bug#764912: xen-utils-common: needs to apply SE Linux labels after creating directories in start script
- Bug#597403: xen-utils-common: need to run restorecon in /etc/init.d/xend on SE Linux systems
- Bug#770456: Bug#770456: Please start a qemu process in domain 0.
- Ubuntu delta against 4.5.0-1 in experimental for disussion