
Re: [Ovirt-devel] [PATCH node-image] add ovirt semodule in Node



Alan Pevec wrote:
For now, it is only to allow qemu to access disk partitions directly,
required in order to use iSCSI storage pools with SELinux enabled.

ACK since it fixes the immediate problem.  But, longer term...

Should this selinux policy be a part of ovirt-node installation instead of in ovirt-node-image kickstart?

We'll want to install ovirt-node on baremetal Fedora hosts and on those hosts we'll want to be able to use iSCSI storage. We can always tell the administrator to 'make it work' but since we require it anyhow I think it would make sense to have this policy set in ovirt-node RPM.

Even longer term... Shouldn't this be a part of libvirt install and not in oVirt at all?

Perry

Signed-off-by: Alan Pevec <apevec redhat com>
---
 common-post.ks |   16 +++++++++++++++-
 1 files changed, 15 insertions(+), 1 deletions(-)

diff --git a/common-post.ks b/common-post.ks
index a4f5858..d44324c 100644
--- a/common-post.ks
+++ b/common-post.ks
@@ -43,12 +43,26 @@ cat > /etc/sysconfig/iptables << \EOF
 COMMIT
 EOF
+# make disks available to VMs
+cat > /tmp/ovirt.te <<EOF
+module ovirt 1.0.0;
+require {
+    type fixed_disk_device_t;
+    type qemu_t;
+    class blk_file { ioctl getattr setattr read write };
+}
+allow qemu_t fixed_disk_device_t:blk_file { ioctl getattr setattr read write };
+EOF
+checkmodule -M -m -o /tmp/ovirt.mod /tmp/ovirt.te
+semodule_package -o /tmp/ovirt.pp -m /tmp/ovirt.mod
+semodule -i /tmp/ovirt.pp
+
 echo "Removing excess RPMs"
RPM="rpm -v -e --nodeps" # kernel pulls in mkinitrd which pulls in isomd5sum which pulls in python,
-# and livecd-tools needs lokkit to disable SELinux.
+# and livecd-tools needs lokkit to configure SELinux.
 # However, this is just an install-time dependency; we can remove
 # it afterwards, which we do here
 $RPM -e system-config-firewall-tui system-config-network-tui rhpl \
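Review bot: the rule `allow qemu_t fixed_disk_device_t:blk_file { ioctl getattr setattr read write };` applies to every block device labelled fixed_disk_device_t, so qemu_t gains write and setattr access to the host's own disks as well as to the iSCSI LUNs that motivate the patch; if only the storage-pool volumes are meant to be reachable, a narrower type for those device nodes would keep the host disks out of scope. Separately, the three commands that build and load the module (`checkmodule -M -m -o /tmp/ovirt.mod /tmp/ovirt.te`, `semodule_package -o /tmp/ovirt.pp -m /tmp/ovirt.mod`, `semodule -i /tmp/ovirt.pp`) run without any error check and leave /tmp/ovirt.te, /tmp/ovirt.mod and /tmp/ovirt.pp behind in the image; a failure in any of them would only show up later as AVC denials at runtime, so it is worth failing the %post step on a non-zero exit and removing the temporary files afterwards. Note also that this block must stay ahead of the "Removing excess RPMs" section below, since checkmodule and semodule_package are only available while their packages are still installed.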

--
|=-        Red Hat, Engineering, Emerging Technologies, Boston        -=|
|=-                     Email: pmyers redhat com                      -=|
|=-         Office: +1 412 474 3552   Mobile: +1 703 362 9622         -=|
|=- GnuPG: E65E4F3D 88F9 F1C9 C2F3 1303 01FE 817C C5D2 8B91 E65E 4F3D -=|

