author: Markos Chandras <mchandras@suse.de> 2018-08-08 17:27:25 +0300
committer: Ben Pfaff <blp@ovn.org> 2018-08-08 10:58:05 -0700
commit: b096fa42ddc2ed69fa86b60a501bd3c34e767b7f
tree: 1057dfa231354cb640e822fdc754c430925f2a2a /rhel
parent: 52e20a3d6c8bc36b9edde6669739132523eaa7b6
rhel: Use correct user in the logrotate configuration file

The /var/log/openvswitch directory is owned by the openvswitch user
but logrotate could be running as root or as another user. As a result
of which, rpmlint prints the following warning when building the spec
file on SUSE Linux Enterprise:

 openvswitch.x86_64: W: suse-logrotate-user-writable-log-dir
 /var/log/openvswitch openvswitch:openvswitch 0750
 The log directory is writable by unprivileged users. Please fix the
 permissions so only root can write there or add the 'su' option to
 your logrotate config

In order to fix that, we should run the logrotate script as the same
user which runs the various Open vSwitch daemons. If this is a new
installation, then this user is the 'openvswitch' one, but if we are
upgrading from an older release, then the user is normally 'root'. As
such, we set the initial user to 'root' and we fix this up in the
%post scriptlet.

Cc: Aaron Conole <aconole@redhat.com>
Cc: Timothy Redaelli <tredaelli@redhat.com>
Signed-off-by: Markos Chandras <mchandras@suse.de>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Timothy Redaelli <tredaelli@redhat.com>

Diffstat (limited to 'rhel')
-rw-r--r-- rhel/etc_logrotate.d_openvswitch 1
-rw-r--r-- rhel/openvswitch-fedora.spec.in 4
-rw-r--r-- rhel/usr_lib_systemd_system_ovsdb-server.service 2
3 files changed, 5 insertions, 2 deletions

diff --git a/rhel/etc_logrotate.d_openvswitch b/rhel/etc_logrotate.d_openvswitch
index ed7d733c9..f4302ffbc 100644
--- a/rhel/etc_logrotate.d_openvswitch
+++ b/rhel/etc_logrotate.d_openvswitch
@@ -6,6 +6,7 @@
# without warranty of any kind.
/var/log/openvswitch/*.log {
+ su root root
daily
compress
sharedscripts
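Review bot: the new `su root root` line carries no comment saying that %post rewrites it or that it has to name the same user the daemons run as. Someone reading this file on an upgraded host cannot tell that root here is a packaging default rather than a deliberate choice. A one-line comment above it, stating that the value must match OVS_USER_ID from /etc/sysconfig/openvswitch, would help: if the directory is owned by openvswitch while this line stays root, logrotate is still working as root in a directory an unprivileged user can write to, which is the situation the rpmlint warning in the commit message describes.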
diff --git a/rhel/openvswitch-fedora.spec.in b/rhel/openvswitch-fedora.spec.in
index 9f8664e95..c2d3200e1 100644
--- a/rhel/openvswitch-fedora.spec.in
+++ b/rhel/openvswitch-fedora.spec.in
@@ -405,6 +405,7 @@ exit 0
%post
if [ $1 -eq 1 ]; then
sed -i 's:^#OVS_USER_ID=:OVS_USER_ID=:' /etc/sysconfig/openvswitch
+ sed -i 's:\(.*su\).*:\1 openvswitch openvswitch:' %{_sysconfdir}/logrotate.d/openvswitch
%if %{with dpdk}
sed -i \
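Review bot: the pattern `\(.*su\).*` in the added sed line is not anchored to the `su` directive, so it rewrites every line of the logrotate file that contains the letters "su" anywhere, including a comment or a path in a script section, and because `.*` is greedy it cuts at the last "su" on the line. Matching the directive explicitly is safer, for example `s:^\([[:space:]]*su\)[[:space:]].*:\1 openvswitch openvswitch:`. The replacement also hard-codes the user and group instead of deriving them from OVS_USER_ID, which the line above has just enabled.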
@@ -414,6 +415,7 @@ if [ $1 -eq 1 ]; then
# In the case of upgrade, this is not needed.
chown -R openvswitch:openvswitch /etc/openvswitch
+ chown -R openvswitch:openvswitch /var/log/openvswitch
fi
%if 0%{?systemd_post:1}
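Review bot: the added `chown -R openvswitch:openvswitch /var/log/openvswitch` sits under the existing comment "In the case of upgrade, this is not needed", and it is not obvious that this holds for the log directory. The %files entry in this same patch now packages the directory as root:root, so on an upgrade of a host whose daemons already run as openvswitch nothing in %post restores the ownership and the logrotate file keeps `su root root`; only the ExecStartPre chown in ovsdb-server.service touches the directory, and only at the next service start. Please either handle the upgrade case here or extend the comment to say why it is safe to skip.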
@@ -601,7 +603,7 @@ fi
%endif
%doc NOTICE README.rst NEWS rhel/README.RHEL.rst
/var/lib/openvswitch
-%attr(750,openvswitch,openvswitch) /var/log/openvswitch
+%attr(750,root,root) /var/log/openvswitch
%ghost %attr(755,root,root) %{_rundir}/openvswitch
%files ovn-docker
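Review bot: declaring the directory as `%attr(750,root,root)` while %post on a fresh install runs `chown -R openvswitch:openvswitch /var/log/openvswitch` means the on-disk owner differs from the package metadata from the first install onward, so `rpm -V` will report a user/group mismatch for this directory. If ownership is meant to be decided at run time, mark the entry accordingly, for example with `%verify(not user group)`, and add a short comment explaining why root is declared here.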
diff --git a/rhel/usr_lib_systemd_system_ovsdb-server.service b/rhel/usr_lib_systemd_system_ovsdb-server.service
index 0fa57a925..70da1ec95 100644
--- a/rhel/usr_lib_systemd_system_ovsdb-server.service
+++ b/rhel/usr_lib_systemd_system_ovsdb-server.service
@@ -10,7 +10,7 @@ Type=forking
Restart=on-failure
EnvironmentFile=/etc/openvswitch/default.conf
EnvironmentFile=-/etc/sysconfig/openvswitch
-ExecStartPre=/usr/bin/chown ${OVS_USER_ID} /var/run/openvswitch
+ExecStartPre=/usr/bin/chown ${OVS_USER_ID} /var/run/openvswitch /var/log/openvswitch
ExecStartPre=/bin/sh -c 'rm -f /run/openvswitch/useropts; if [ "$${OVS_USER_ID/:*/}" != "root" ]; then /usr/bin/echo "OVSUSER=--ovs-user=${OVS_USER_ID}" > /run/openvswitch/useropts; fi'
EnvironmentFile=-/run/openvswitch/useropts
ExecStart=/usr/share/openvswitch/scripts/ovs-ctl \
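Review bot: the extended ExecStartPre chown is not recursive, so it changes the owner of /var/log/openvswitch itself but not of the log files already inside it. When OVS_USER_ID is changed on an existing host, files created under the previous user keep their old owner, and the `su` line in the logrotate file is not updated to follow, so the directory owner, the file owners and the logrotate user can disagree. A comment stating which component keeps the three aligned, or handling the existing files here, would close that gap.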