authorJoe Stringer <joe@ovn.org>2016-09-22 17:25:46 -0700
committerJoe Stringer <joe@ovn.org>2016-09-23 10:12:23 -0700
commit778b01a368d062772ef4006907eb12b35d96df49 (patch)
treef7eb07137688983322247b14cc16ab430d1de7de /utilities
parent6305e806de364921ac5ef215038bbbbdc2699944 (diff)
downloadopenvswitch-778b01a368d062772ef4006907eb12b35d96df49.tar.gz
ovs-lib: Fix SELinux contexts for created dirs.
ovs-lib creates several directories directly from the script, but doesn't make any attempt to ensure that the correct SELinux context is applied to these directories. As a result, the created directories end up with type var_run_t rather than openvswitch_var_run_t. During reboot using a tmpfs for /var/run, startup scripts will invoke ovs-lib to create these directories with the wrong context. If SELinux is enabled, OVS will fail to start as it cannot write to this directory. Fix the issue by sprinkling "restorecon" in each of the places where directories are created. In practice, many of these should otherwise be handled by packaging scripts but if they exist then we should ensure the correct SELinux context is set. On systems where 'restorecon' is unavailable, this should be a no-op. VMware-BZ: #1732672 Signed-off-by: Joe Stringer <joe@ovn.org> Acked-by: Ansis Atteka <aatteka@ovn.org>
Diffstat (limited to 'utilities')
-rw-r--r--utilities/ovs-lib.in16
1 files changed, 12 insertions, 4 deletions
diff --git a/utilities/ovs-lib.in b/utilities/ovs-lib.in
index cbad85a36..4c0775053 100644
--- a/utilities/ovs-lib.in
+++ b/utilities/ovs-lib.in
@@ -148,6 +148,14 @@ version_geq() {
}'
}
+install_dir () {
+ DIR="$1"
+ if test ! -d "$DIR"; then
+ install -d -m 755 -o root -g root "$DIR"
+ restorecon "$DIR" >/dev/null 2>&1
+ fi
+}
+
start_daemon () {
priority=$1
wrapper=$2
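Review bot: `install_dir` calls `restorecon` only inside the `test ! -d "$DIR"` branch, so a directory that already exists with the wrong type (such as the var_run_t case the commit message describes) is never relabelled. If existing directories should be covered too, the `restorecon` line can move below the `fi`; whether that would undo a label an administrator set on purpose cannot be told from this hunk. The function's exit status is also that of `restorecon` with its output discarded, so a host without the tool gets a non-zero return after a successful create, and a failed relabel leaves nothing in the log. Writing `install -d -m 755 -o root -g root "$DIR" || return 1` followed by `restorecon "$DIR" >/dev/null 2>&1 || :` would keep the two outcomes apart. A short comment above the function saying that a missing `restorecon` is deliberately treated as a no-op would record the intent stated in the commit message.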
@@ -156,16 +164,16 @@ start_daemon () {
strace=""
# drop core files in a sensible place
- test -d "$DAEMON_CWD" || install -d -m 755 -o root -g root "$DAEMON_CWD"
+ install_dir "$DAEMON_CWD"
set "$@" --no-chdir
cd "$DAEMON_CWD"
# log file
- test -d "$logdir" || install -d -m 755 -o root -g root "$logdir"
+ install_dir "$logdir"
set "$@" --log-file="$logdir/$daemon.log"
# pidfile and monitoring
- test -d "$rundir" || install -d -m 755 -o root -g root "$rundir"
+ install_dir "$rundir"
set "$@" --pidfile="$rundir/$daemon.pid"
set "$@" --detach
test X"$MONITOR" = Xno || set "$@" --monitor
@@ -380,7 +388,7 @@ upgrade_db () {
schemaver=`ovsdb_tool schema-version "$DB_SCHEMA"`
if test ! -e "$DB_FILE"; then
log_warning_msg "$DB_FILE does not exist"
- install -d -m 755 -o root -g root `dirname $DB_FILE`
+ install_dir `dirname $DB_FILE`
create_db "$DB_FILE" "$DB_SCHEMA"
elif test X"`ovsdb_tool needs-conversion "$DB_FILE" "$DB_SCHEMA"`" != Xno; then
# Back up the old version.
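Review bot: The new call `install_dir `dirname $DB_FILE`` leaves both `$DB_FILE` and the command substitution unquoted, and `install_dir` reads only `$1`, so a database path containing whitespace would be split and only its first word would be created and relabelled. Quoting both levels avoids that: `install_dir "$(dirname "$DB_FILE")"`. The removed line also ran `install -d` unconditionally, whereas the helper skips a directory that already exists; if the old call was relied on to reset the mode or ownership of an existing database directory, that no longer happens and is worth confirming. The body of `upgrade_db` continues outside this hunk.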