ovs-lib: Fix SELinux contexts for created dirs.
ovs-lib creates several directories directly from the script, but
doesn't make any attempt to ensure that the correct SELinux context is
applied to these directories. As a result, the created directories end
up with type var_run_t rather than openvswitch_var_run_t.

During reboot using a tmpfs for /var/run, startup scripts will invoke
ovs-lib to create these directories with the wrong context. If SELinux
is enabled, OVS will fail to start as it cannot write to this directory.

Fix the issue by sprinkling "restorecon" in each of the places where
directories are created. In practice, many of these should otherwise be
handled by packaging scripts but if they exist then we should ensure the
correct SELinux context is set.

On systems where 'restorecon' is unavailable, this should be a no-op.

VMware-BZ: #1732672

Signed-off-by: Joe Stringer <joe@ovn.org>
Acked-by: Ansis Atteka <aatteka@ovn.org>
joestringer committed Sep 23, 2016
1 parent 6305e80 commit 778b01a
Showing 1 changed file with 12 additions and 4 deletions.
16 changes: 12 additions & 4 deletions utilities/ovs-lib.in
Expand Up @@ -148,6 +148,14 @@ version_geq() {
}'
}

install_dir () {
DIR="$1"
if test ! -d "$DIR"; then
install -d -m 755 -o root -g root "$DIR"
restorecon "$DIR" >/dev/null 2>&1
fi
}

start_daemon () {
priority=$1
wrapper=$2
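Review bot: `restorecon "$DIR"` only runs inside the `if test ! -d "$DIR"` branch, so a directory that already exists with the wrong label (for example one created earlier in the boot sequence by another script on the tmpfs /var/run described in the commit message) is never relabeled, even though the message says existing directories should also get the correct context. Consider moving the `restorecon "$DIR" >/dev/null 2>&1` line after the `fi` so it runs on every call; it is cheap and a no-op when the label is already correct. Two smaller points: `install -d` creates missing parent components as well, but `restorecon "$DIR"` relabels only the leaf, so any parents created in the same call keep the default label; and `>/dev/null 2>&1` hides a genuine restorecon failure as well as the intended missing-command case, so a `command -v restorecon >/dev/null 2>&1 && restorecon "$DIR"` guard would keep the no-op behaviour while letting real errors reach the log.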
Expand All @@ -156,16 +164,16 @@ start_daemon () {
strace=""

# drop core files in a sensible place
test -d "$DAEMON_CWD" || install -d -m 755 -o root -g root "$DAEMON_CWD"
install_dir "$DAEMON_CWD"
set "$@" --no-chdir
cd "$DAEMON_CWD"

# log file
test -d "$logdir" || install -d -m 755 -o root -g root "$logdir"
install_dir "$logdir"
set "$@" --log-file="$logdir/$daemon.log"

# pidfile and monitoring
test -d "$rundir" || install -d -m 755 -o root -g root "$rundir"
install_dir "$rundir"
set "$@" --pidfile="$rundir/$daemon.pid"
set "$@" --detach
test X"$MONITOR" = Xno || set "$@" --monitor
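Review bot: the three `install_dir` substitutions are behaviour-preserving (same `test ! -d` guard, same `install -d -m 755 -o root -g root`), but the relabel they now get is only as good as the policy's file-context entries for `$DAEMON_CWD`, `$logdir` and `$rundir`. restorecon assigns whatever the loaded policy maps for the path, so on a build with a non-default prefix or localstatedir, or with a policy that has no openvswitch_var_run_t rule for these paths, the directories still end up var_run_t and the startup failure described in the commit message persists. A sentence in the commit message or NEWS noting that the fix depends on the policy matching the configured paths would help packagers.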
Expand Down Expand Up @@ -380,7 +388,7 @@ upgrade_db () {
schemaver=`ovsdb_tool schema-version "$DB_SCHEMA"`
if test ! -e "$DB_FILE"; then
log_warning_msg "$DB_FILE does not exist"
install -d -m 755 -o root -g root `dirname $DB_FILE`
install_dir `dirname $DB_FILE`
create_db "$DB_FILE" "$DB_SCHEMA"
elif test X"`ovsdb_tool needs-conversion "$DB_FILE" "$DB_SCHEMA"`" != Xno; then
# Back up the old version.
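Review bot: `install_dir \`dirname $DB_FILE\`` leaves both the backtick substitution and `$DB_FILE` unquoted (carried over from the line it replaces), so a `DB_FILE` path containing whitespace is word-split and `install_dir` receives the wrong argument. Since the line is being rewritten anyway, prefer `install_dir "$(dirname "$DB_FILE")"` to match the quoting used at the three call sites in `start_daemon`.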
