ifplugd and refpolicy fixes #1445
/var/run is incorrect because of the config/file_contexts.subs_dist - the path should use /run. Without it, /var/run/resolv.conf gets labeled improperly as initrc_var_run_t. usbvm uses the default volatiles which symlinks /etc/resolv.conf -> /var/run/resolv.conf which causes this. Also, syncvm sync-cmd can't read the mis-labeled file.

Signed-off-by: Jason Andryuk <[email protected]>

Boot shows 4 denials of xec_t using init_t fds. The vglass initscript uses xec to query gpu configuration over dbus. xec doesn't need to access the FDs, so quiet them with a dontaudit.

Signed-off-by: Jason Andryuk <[email protected]>

Drop our customized version. Since we stopped BBMASK-ing meta-selinux's modifications of initscripts, we gained the restorecon calls at the end. Therefore, we don't need the xenclient-oe additions of restorecon in create_file and mk_dir. The creations have to be in a writeable place, so the restorecon at the end can take care of that. Build time link creation will get labeled at that time.

By using the oe-core version, we gain some read-only root improvements. They better check the existence of files and links, which avoids messages like:

    touch: /var/log/boot: Read-only file system
    chown: /var/log/boot: Read-only file system
    Failed to set owner -root- for -/var/log/boot-.
    chmod: /var/log/boot: Read-only file system
    Failed to set mode -0644- for -/var/log/boot-.

The oe-core version uses TMPROOT=/var/volatile/tmp, and the xenclient-oe used TMPROOT=/tmp. oe-core has a 00_core line to create its TMPROOT, but ours don't. Add a /var/volatile/tmp line to our 00_core. Without it, the image build silently fails to create the build-time symlinks in our read-only image. This then produces runtime errors like monit not starting because /var/lib/monit symlink doesn't exist.

Signed-off-by: Jason Andryuk <[email protected]>

commit 0de2f2e "[OXT-1643] Removing legacy ifplugd recipe" removed the ifplugd package because busybox can provide it. However, busybox needs to be built with support for it, which we do not do. Turn that support back on. This is minimally useful on its own since we are still missing initscripts for this.

Signed-off-by: Jason Andryuk <[email protected]>

commit 0de2f2e "[OXT-1643] Removing legacy ifplugd recipe" removed ifplugd. While busybox could replace ifplugd, it lacked the necessary initscripts and config to do so. The end result was just the removal of ifplugd from syncvm. Copy the ifplugd initscript, action script and conf file from the GPL-2 ifplugd into this package. They provide everything we already need. The initscript replaces /bin/bash with /bin/sh like we formerly patched. Some trailing whitespace was also removed from the initscript.

Signed-off-by: Jason Andryuk <[email protected]>

-w (wait for fork) isn't supported in busybox, so drop it. Add -M (Monitor creation/destruction of interface) since the interface is dynamically created.

Signed-off-by: Jason Andryuk <[email protected]>

This is needed for ifplugd to run ifup on the interface and actually start a dhcp client. While here, remove all the extraneous interfaces that aren't used in dom0.

Signed-off-by: Jason Andryuk <[email protected]>

ifplugd leaks udp_socket FDs into spawned helpers, generating avc denials like:

    avc: denied { read write } for pid=1864 comm="ip" path="socket:[14690]" dev="sockfs" ino=14690 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:ifplugd_t:s0 tclass=udp_socket permissive=0
    avc: denied { read write } for pid=1865 comm="udhcpc" path="socket:[14690]" dev="sockfs" ino=14690 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:system_r:ifplugd_t:s0 tclass=udp_socket permissive=0

Set the internal FDs as CLOEXEC to prevent their leakage.

Signed-off-by: Jason Andryuk <[email protected]>
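The leak the commit message above describes, shown as an added example that is not part of this PR or of ifplugd's own code: a descriptor opened without close-on-exec is inherited, by fd number, by any helper the daemon fork()+exec()s, which is exactly why `ip` and `udhcpc` end up holding ifplugd's udp_socket and tripping the avc denials. The example uses a pipe as a constructed stand-in for the daemon's socket in the exec test (the fd type doesn't matter for inheritance), marks it FD_CLOEXEC with fcntl() the way the commit does for already-open FDs, and also shows the atomic SOCK_CLOEXEC form for sockets the daemon creates itself. `/bin/sh` is assumed to exist; the function names are the example's own.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Mark an already-open descriptor close-on-exec (the fix applied to
 * ifplugd's internal FDs). Returns 0 on success, -1 on error. */
int set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0)
        return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC) < 0 ? -1 : 0;
}

/* Returns 1 if FD_CLOEXEC is set on fd, 0 if it is not, -1 on error. */
int has_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0)
        return -1;
    return (flags & FD_CLOEXEC) ? 1 : 0;
}

/* Preferred form when the daemon creates the socket itself: request
 * close-on-exec atomically at socket() time, so there is no window in
 * which a concurrent fork()+exec() could inherit it. */
int open_udp_socket_cloexec(void)
{
    return socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0);
}

/* Demonstrate the leak. A pipe stands in for the daemon's udp_socket
 * (constructed for this example). Optionally mark the write end
 * FD_CLOEXEC, then fork and exec /bin/sh with a command that writes
 * through the inherited fd number, the way a spawned helper would.
 * Returns 1 if the exec'd helper could use the fd (leak), 0 if the fd
 * was closed across exec, -1 on error. */
int fd_leaks_into_exec(int cloexec)
{
    int p[2];
    char cmd[64];
    char buf[16];
    ssize_t n;
    int status;
    pid_t pid;

    if (pipe(p) < 0)
        return -1;
    if (cloexec && set_cloexec(p[1]) < 0) {
        close(p[0]);
        close(p[1]);
        return -1;
    }

    /* stderr is silenced so the shell's "Bad file descriptor" message in
     * the non-leaking case does not clutter the output. */
    snprintf(cmd, sizeof cmd, "echo leaked >&%d 2>/dev/null", p[1]);

    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        close(p[0]);
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }

    /* Parent: drop its write end so read() sees EOF once the child exits. */
    close(p[1]);
    n = read(p[0], buf, sizeof buf);
    close(p[0]);
    waitpid(pid, &status, 0);
    return n > 0 ? 1 : 0;
}

int main(void)
{
    int s = open_udp_socket_cloexec();
    printf("socket opened with SOCK_CLOEXEC: cloexec=%d\n", has_cloexec(s));
    printf("without FD_CLOEXEC, helper can use inherited fd: %d\n", fd_leaks_into_exec(0));
    printf("with FD_CLOEXEC, helper can use inherited fd: %d\n", fd_leaks_into_exec(1));
    if (s >= 0)
        close(s);
    return 0;
}
```

The second run returns 0 because exec() closes every descriptor carrying FD_CLOEXEC before the helper's first instruction, so the helper never holds a reference to the daemon's socket and SELinux has nothing to deny. The fcntl() form is what you reach for when the descriptor was opened by library code you don't control; SOCK_CLOEXEC (and O_CLOEXEC for open()) closes the race between creation and the fcntl() call.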
We'll be using ifplugd, so enable the module. We have a few avc denials with ifplugd. ifup runs in ifplugd_t context and is the busybox implementation. It needs the same /run/ifstate.new labeling as was done in commit 6002426 "refpolicy: Fix /run/ifstate labeling". ifplugd tries modprobing for the network device. It will be autoloaded when a vif is detected, so it is unnecessary. Just dontaudit it.

Signed-off-by: Jason Andryuk <[email protected]>

Restore ifplugd support back into the syncvm image. It was dropped inadvertently.

Signed-off-by: Jason Andryuk <[email protected]>

We'll use this to grab an IP for dom0.

Signed-off-by: Jason Andryuk <[email protected]>
Goes with OpenXT/network#25

This has gone stale. I can rebase in new PRs. I think ifplugd getting restored for syncvm should be fine and uncontroversial. I think using ifplugd for dom0 eth0 is better than network-daemon launching udhcpc directly. Maybe ifplugd running should be tied into xenmgr enable-dom0-networking kinda like enable-ssh? i.e. ifplugd only runs when /config/system/dom0-networking-disabled isn't present. Are others okay with that? #1480 has some of the other pieces.
commit 0de2f2e "OXT-1643 Removing legacy ifplugd recipe" removed the ifplugd package because busybox can provide it. However, busybox needs to be built with support for it, which we do not do. This turns it back on and makes it usable for syncvm.

It also uses ifplugd for dom0 networking and removes network-daemon launching udhcpc itself.

There are some refpolicy fixes. I started off fixing denials and then used ifplugd to avoid udhcpc denials from inherited FDs.