Russell Coker
2014-Oct-12 06:55 UTC
[Pkg-xen-devel] Bug#764912: xen-utils-common: needs to apply SE Linux labels after creating directories in start script
Package: xen-utils-common
Version: 4.4.1-2
Severity: normal
For correct operation under SE Linux the start script needs to assign correct
security labels to directories it creates. Note that restorecon doesn't cause
any problems if run twice. If it's executable then you can safely run it.
Below is a patch that demonstrates how to solve this problem.
--- xen.old 2014-10-12 17:49:11.348923959 +1100
+++ xen 2014-10-12 17:50:49.257694941 +1100
@@ -66,6 +66,7 @@
[ -d /run/xen ] && return 0
mkdir -m 700 /run/xen
+ [ -x /sbin/restorecon ] && /sbin/restorecon /run/xen
}
xend_start()
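Review bot: The added `restorecon` call is only reached when `/run/xen` was just created, because the `[ -d /run/xen ] && return 0` guard above it returns first; a directory left with the wrong label by an earlier start is never corrected, whereas the second hunk relabels `$XENSTORED_DIR` on every start. Since the report says restorecon is safe to run repeatedly, the guard could become `[ -d /run/xen ] || mkdir -m 700 /run/xen` so the relabel always runs. As the last statement of the function, `[ -x /sbin/restorecon ] && …` also makes it return non-zero on systems without restorecon; `if [ -x /sbin/restorecon ]; then /sbin/restorecon /run/xen; fi` avoids that. The function header lies outside the hunk.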
@@ -189,6 +190,7 @@
start-stop-daemon --start --quiet --pidfile "$XENSTORED_PIDFILE"
--exec "$XENSTORED" --test > /dev/null \
|| return 1
[ -d "$XENSTORED_DIR" ] || mkdir -p "$XENSTORED_DIR"
+ [ -x /sbin/restorecon ] && /sbin/restorecon "$XENSTORED_DIR"
export XENSTORED_ROOTDIR="$XENSTORED_DIR"
start-stop-daemon --start --quiet --pidfile "$XENSTORED_PIDFILE"
--exec "$XENSTORED" -- \
$XENSTORED_ARGS --pid-file="$XENSTORED_PIDFILE" \
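Review bot: `/sbin/restorecon "$XENSTORED_DIR"` labels only the directory itself, so anything already inside it from a previous run, and any parent directories that `mkdir -p` had to create, keep whatever label they had. If the policy cares about those, `/sbin/restorecon -R "$XENSTORED_DIR"` would cover the existing contents. The result of restorecon is also discarded, so xenstored is started even when relabelling failed; a `log_warning_msg` on failure would make that visible. The enclosing function starts and ends outside the hunk.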
-- System Information:
Debian Release: 7.6
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'unstable'), (500,
'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.14-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages xen-utils-common depends on:
ii lsb-base 4.1+Debian8+deb7u1
ii python 2.7.8-1
ii ucf 3.0025+nmu3
ii udev 175-7.2
ii xenstore-utils 4.1.4-3+deb7u3
xen-utils-common recommends no packages.
xen-utils-common suggests no packages.
-- Configuration Files:
/etc/init.d/xen changed:
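# Debian init helper libraries; init-functions provides the log_*_msg helpers
# used throughout this script.
# The archived copy shows ".." on these two lines. A doubled leading dot is
# what SMTP dot-stuffing leaves behind; the shell builtin that sources a file
# is a single ".".
. /lib/init/vars.sh
. /lib/lsb/init-functions

XENSTORED_DIR="/var/run/xenstored"

# Optional local overrides. Both files are executed inside this shell with the
# script's privileges, so they need the same ownership and write protection as
# the init script itself.
[ -r /etc/default/xen ] && . /etc/default/xen
[ -r /etc/default/xend ] && . /etc/default/xend

# Fixed search path, set after the overrides: every unqualified command below
# (modprobe, mount, start-stop-daemon, ...) is looked up here and not in the
# caller's PATH.
PATH=/sbin:/bin:/usr/sbin:/usr/bin
DESC="Xen daemons"

# Locate the Xen installation. A failing helper is reported as a warning and
# the script exits with status 0.
if ! ROOT=$(/usr/lib/xen-common/bin/xen-dir 2>/dev/null); then
  log_warning_msg "Not running within Xen or no compatible utils"
  exit 0
fi

# Same treatment for the toolstack selection helper.
if ! TOOLSTACK=$(/usr/lib/xen-common/bin/xen-toolstack 2>/dev/null); then
  log_warning_msg "No usable Xen toolstack selected"
  exit 0
fi

# XEND is only assigned here when the xend binary exists; otherwise whatever
# value the defaults files or the environment supplied (possibly none) remains.
[ -e "$ROOT"/bin/xend ] && XEND="$ROOT"/bin/xend

XENCONSOLED="$ROOT"/bin/xenconsoled
XENCONSOLED_PIDFILE="/var/run/xenconsoled.pid"
XENSTORED="$ROOT"/bin/xenstored
XENSTORED_PIDFILE="/var/run/xenstore.pid"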
# Load the Xen kernel modules. Errors printed by modprobe are discarded;
# the function's status is that of the last modprobe call.
modules_setup() {
  {
    modprobe xenfs
    modprobe xen-evtchn
    modprobe xen-gntdev
  } 2>/dev/null
}
# Make sure xenfs is mounted on /proc/xen.
# Returns 0 when /proc/xen/capabilities already exists or the mount succeeds,
# 1 when /proc/xen is missing or the mount fails.
xenfs_setup() {
  if [ -e "/proc/xen/capabilities" ]; then
    return 0
  fi
  log_progress_msg "xenfs"
  if [ ! -d "/proc/xen" ]; then
    return 1
  fi
  if ! mount -t xenfs xenfs /proc/xen; then
    return 1
  fi
  return 0
}
# Succeed only when /proc/xen/capabilities exists and contains "control_d".
# Every start/stop/restart action below is gated on this check.
capability_check() {
  if [ -e "/proc/xen/capabilities" ] \
    && grep -q "control_d" /proc/xen/capabilities; then
    return 0
  fi
  return 1
}
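# Create /run/xen (mode 700) if it is missing and apply its SELinux label.
# The relabel runs on every call, not only after a fresh mkdir, so a directory
# that already exists with a stale label is corrected too; restorecon is safe
# to run repeatedly.
# Returns: 1 if the directory cannot be created, restorecon's status when it
#          is run, 0 otherwise (including systems without restorecon).
env_setup() {
  if [ ! -d /run/xen ]; then
    mkdir -m 700 /run/xen || return 1
  fi
  # Written as an if-block: a trailing `[ -x ... ] && cmd` would make the
  # function fail wherever restorecon is not installed.
  if [ -x /sbin/restorecon ]; then
    /sbin/restorecon /run/xen
  fi
}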
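# Start xend, but only when a xend binary is configured and the selected
# toolstack is "xm"; otherwise do nothing and report success.
# The archived copy had the test below broken across two lines by mail
# wrapping, which splits the `[ ... ]` expression; it is rejoined here.
# Returns: 0 when skipped, else the status of xend_start_real.
xend_start() {
  if [ -z "$XEND" ] || [ "$(basename "$TOOLSTACK")" != xm ]; then
    return 0
  fi
  log_progress_msg "xend"
  xend_start_real
  return $?
}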
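# Stop xend, but only when a xend binary is configured and the selected
# toolstack is "xm"; otherwise do nothing and report success.
# The archived copy had the test below broken across two lines by mail
# wrapping, which splits the `[ ... ]` expression; it is rejoined here.
# Returns: 0 when skipped, else the status of xend_stop_real.
xend_stop() {
  if [ -z "$XEND" ] || [ "$(basename "$TOOLSTACK")" != xm ]; then
    return 0
  fi
  log_progress_msg "xend"
  xend_stop_real
  return $?
}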
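# Restart xend when a xend binary is configured and the toolstack is "xm".
# The archived copy had the test below broken across two lines by mail
# wrapping, which splits the `[ ... ]` expression; it is rejoined here.
# Returns: 0 when skipped or when the restart succeeded,
#          2 when the stop step returns anything but 0 or 1, or the start
#          step returns non-zero.
xend_restart() {
  if [ -z "$XEND" ] || [ "$(basename "$TOOLSTACK")" != xm ]; then
    return 0
  fi
  log_progress_msg "xend"
  xend_stop_real
  # 0 and 1 from the stop step are both acceptable before starting again.
  case "$?" in
    0|1) ;;
    *) return 2 ;;
  esac
  xend_start_real || return 2
  return 0
}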
# Launch xend and wait for it to report a good status.
# Returns: 1 when `$XEND status` already succeeds before anything is started,
#          2 when `$XEND start` fails or status never succeeds within ten
#            polls taken one second apart,
#          0 as soon as a poll succeeds.
# $XEND is expanded unquoted, as in the original script.
xend_start_real() {
  if $XEND status; then
    return 1
  fi
  if ! $XEND start; then
    return 2
  fi
  i=0
  until [ "$i" -ge 10 ]; do
    if $XEND status; then
      return 0
    fi
    i=$((i + 1))
    sleep 1
  done
  return 2
}
# Stop xend if its status command succeeds.
# Returns: 0 when `$XEND status` fails (nothing to stop) or the stop succeeds,
#          1 when `$XEND stop` fails.
xend_stop_real() {
  log_progress_msg "xend"
  if ! $XEND status; then
    return 0
  fi
  if ! $XEND stop; then
    return 1
  fi
}
# Announce and start xenconsoled; the status is that of
# xenconsoled_start_real.
xenconsoled_start() {
  log_progress_msg "xenconsoled"
  xenconsoled_start_real
}
# Announce and stop xenconsoled; the status is that of
# xenconsoled_stop_real.
xenconsoled_stop() {
  log_progress_msg "xenconsoled"
  xenconsoled_stop_real
}
# Stop and then start xenconsoled.
# Returns: 2 when the stop step returns anything but 0 or 1, or when the
#          start step returns non-zero; 0 otherwise.
xenconsoled_restart() {
  log_progress_msg "xenconsoled"
  xenconsoled_stop_real
  if [ "$?" -gt 1 ]; then
    return 2
  fi
  if ! xenconsoled_start_real; then
    return 2
  fi
  return 0
}
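# Start xenconsoled through start-stop-daemon.
# The archived copy lost the line continuations after --pidfile to mail
# wrapping, leaving `--exec ...` as a command of its own; each invocation is
# restored to a single command here.
# Returns: 1 when the --test probe fails (start-stop-daemon would not start
#            the daemon),
#          2 when the real start fails,
#          0 on success.
xenconsoled_start_real() {
  start-stop-daemon --start --quiet --pidfile "$XENCONSOLED_PIDFILE" \
    --exec "$XENCONSOLED" --test > /dev/null \
    || return 1
  # $XENCONSOLED_ARGS is left unquoted on purpose so that it can carry several
  # options; it is split on whitespace.
  # shellcheck disable=SC2086
  start-stop-daemon --start --quiet --pidfile "$XENCONSOLED_PIDFILE" \
    --exec "$XENCONSOLED" -- \
    $XENCONSOLED_ARGS --pid-file="$XENCONSOLED_PIDFILE" \
    || return 2
}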
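# Stop xenconsoled: first by pidfile and process name, then anything still
# running from the same executable, then remove the pidfile.
# The archived copy had both start-stop-daemon commands split in two by mail
# wrapping; they are restored to single commands here.
# Returns: 2 when either stop attempt returns 2, otherwise the status of the
#          first stop attempt.
xenconsoled_stop_real() {
  start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 \
    --pidfile "$XENCONSOLED_PIDFILE" --name xenconsoled
  RETVAL="$?"
  [ "$RETVAL" = 2 ] && return 2
  start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 \
    --exec "$XENCONSOLED"
  [ "$?" = 2 ] && return 2
  # The original ran `rm -f $PIDFILE`, but nothing in this script sets
  # PIDFILE: the pidfile was never removed, and a PIDFILE inherited from the
  # caller's environment would have been word-split and glob-expanded into
  # rm's arguments. Remove the pidfile this function actually manages.
  rm -f -- "$XENCONSOLED_PIDFILE"
  return "$RETVAL"
}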
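# Start xenstored and seed the Domain-0 entries in xenstore.
# The archived copy lost the line continuations after --pidfile to mail
# wrapping, leaving `--exec ...` as a command of its own; each invocation is
# restored to a single command here.
# Returns: 1 when the --test probe fails (start-stop-daemon would not start
#            the daemon),
#          2 when the real start fails,
#          otherwise the status of the last xenstore-write.
xenstored_start() {
  log_progress_msg "xenstored"
  start-stop-daemon --start --quiet --pidfile "$XENSTORED_PIDFILE" \
    --exec "$XENSTORED" --test > /dev/null \
    || return 1
  [ -d "$XENSTORED_DIR" ] || mkdir -p "$XENSTORED_DIR"
  # Apply the SELinux label before the daemon is started, whether or not the
  # directory was just created. Only the directory itself is relabelled, not
  # its contents, and a restorecon failure does not stop the start.
  if [ -x /sbin/restorecon ]; then
    /sbin/restorecon "$XENSTORED_DIR"
  fi
  export XENSTORED_ROOTDIR="$XENSTORED_DIR"
  # $XENSTORED_ARGS is left unquoted on purpose so that it can carry several
  # options; it is split on whitespace.
  # shellcheck disable=SC2086
  start-stop-daemon --start --quiet --pidfile "$XENSTORED_PIDFILE" \
    --exec "$XENSTORED" -- \
    $XENSTORED_ARGS --pid-file="$XENSTORED_PIDFILE" \
    || return 2
  xenstore-write "/local/domain/0/name" "Domain-0"
  xenstore-write "/local/domain/0/domid" "0"
}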
# Action dispatch. Helper statuses 0 and 1 are both accepted from the daemon
# start/stop helpers; anything higher counts as a failure.
# Note: the script's own exit status is 0 on every path that reaches the
# final `exit 0`, including a stop or restart that reported ret=1 through
# log_end_msg.
case "$1" in
  start)
    log_daemon_msg "Starting $DESC"
    modules_setup
    # A bare `exit` propagates the status of the log_end_msg call before it.
    xenfs_setup || { log_end_msg 1; exit; }
    capability_check || { log_end_msg 255; exit; }
    # The result of env_setup is not checked.
    env_setup
    xenstored_start
    [ "$?" -le 1 ] || { log_end_msg 1; exit; }
    xenconsoled_start
    [ "$?" -le 1 ] || { log_end_msg 1; exit; }
    xend_start
    [ "$?" -le 1 ] || { log_end_msg 1; exit; }
    log_end_msg 0
    ;;
  stop)
    # Without control-domain capability, leave with capability_check's status.
    capability_check || exit
    log_daemon_msg "Stopping $DESC"
    ret=0
    xend_stop
    [ "$?" -le 1 ] || ret=1
    xenconsoled_stop
    [ "$?" -le 1 ] || ret=1
    log_end_msg "$ret"
    ;;
  restart|force-reload)
    capability_check || exit
    log_daemon_msg "Restarting $DESC"
    ret=0
    xend_restart
    [ "$?" -le 1 ] || ret=1
    xenconsoled_restart
    [ "$?" -le 1 ] || ret=1
    log_end_msg "$ret"
    ;;
  *)
    echo "Usage: $0 {start|stop|restart|force-reload}" >&2
    exit 3
    ;;
esac

exit 0
-- no debconf information
Debian Bug Tracking System
2015-Aug-21 20:00 UTC
[Pkg-xen-devel] Processed: Re: xen-utils-common: needs to apply SE Linux labels after creating directories in start script
Processing control commands:> tag -1 +patchBug #764912 [xen-utils-common] xen-utils-common: needs to apply SE Linux labels after creating directories in start script Added tag(s) patch. -- 764912: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=764912 Debian Bug Tracking System Contact owner at bugs.debian.org with problems
Debian Bug Tracking System
2016-Dec-22 18:51 UTC
[Pkg-xen-devel] Bug#764912: marked as done (xen-utils-common: needs to apply SE Linux labels after creating directories in start script)
Your message dated Thu, 22 Dec 2016 18:49:44 +0000 with message-id <E1cK8Qy-0003my-D6 at fasolo.debian.org> and subject line Bug#764912: fixed in xen 4.8.0-1 has caused the Debian Bug report #764912, regarding xen-utils-common: needs to apply SE Linux labels after creating directories in start script to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner at bugs.debian.org immediately.) -- 764912: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=764912 Debian Bug Tracking System Contact owner at bugs.debian.org with problems -------------- next part -------------- An embedded message was scrubbed... From: Russell Coker <russell at coker.com.au> Subject: xen-utils-common: needs to apply SE Linux labels after creating directories in start script Date: Sun, 12 Oct 2014 17:55:52 +1100 Size: 8331 URL: <http://lists.alioth.debian.org/pipermail/pkg-xen-devel/attachments/20161222/0fece6e4/attachment-0002.mht> -------------- next part -------------- An embedded message was scrubbed... From: Ian Jackson <ian.jackson at eu.citrix.com> Subject: Bug#764912: fixed in xen 4.8.0-1 Date: Thu, 22 Dec 2016 18:49:44 +0000 Size: 11303 URL: <http://lists.alioth.debian.org/pipermail/pkg-xen-devel/attachments/20161222/0fece6e4/attachment-0003.mht>