[Cluster-devel] [PATCH] resource-agents: Fix nfs mount contexts

[Fabio M. Di Nitto]

Hi Lon,

2 small bits here..

in nfsserver.sh, we also call restorecon.

IMHO execution of selinux tools should be conditional to selinux being
enabled and tools available.

To make this a generic upstream patch, we can do (at the beginning of
the agent):

selinuxon=""
[ -n "$(which selinuxenabled)" ] && selinuxenabled && selinuxon=1

this is mostly paranoia and to cache the result for later use. invoking
selinuxenabled is cheap.

.....

[ -n "$selinuxon" ] && [ -n "$(which restorecon)" ] && restorecon...

.....

[ -n "$selinuxon" ] && [ -n "$(which chcon)" ] && chcon -R....

chcon -R works recursively, so one invocation should be sufficient.

The main motivator behind this approach is to guarantee that we don't
need resource-agents to Requires those tools at packaging level and
enforce them on a system.

Fabio

On 04/14/2011 09:57 PM, Lon Hohberger wrote:
> Resolves: rhbz#635828
> 
> Signed-off-by: Lon Hohberger <lhh at redhat.com>
> Tested-by: Corey Marthaler <cmarthal at redhat.com>
> ---
>  rgmanager/src/resources/nfsserver.sh |    3 +++
>  1 files changed, 3 insertions(+), 0 deletions(-)
> 
> diff --git a/rgmanager/src/resources/nfsserver.sh b/rgmanager/src/resources/nfsserver.sh
> index 17f472d..bb2632e 100644
> --- a/rgmanager/src/resources/nfsserver.sh
> +++ b/rgmanager/src/resources/nfsserver.sh
> @@ -222,6 +222,9 @@ create_tree()
>  	[ -f "$fp/xtab" ] || touch "$fp/xtab"
>  	[ -f "$fp/rmtab" ] || touch "$fp/rmtab"
>  
> +	chcon -R system_u:object_r:var_lib_nfs_t:s0 "$fp"
> +	chcon -R system_u:object_r:var_lib_nfs_t:s0 "$fp/*"
> +
>          #
>          # Generate a random state file.  If this ends up being what a client
>          # already has in its list, that's bad, but the chances of this