From mboxrd@z Thu Jan  1 00:00:00 1970
From: Ian Jackson <Ian.Jackson@eu.citrix.com>
Subject: Re: [PATCH 7/7] tools/hotplug: add wrapper to start
	xenstored
Date: Wed, 7 Jan 2015 15:27:15 +0000
Message-ID: <21677.20563.58876.918037@mariner.uk.xensource.com>
References: <1418988333-5404-1-git-send-email-olaf@aepfle.de>
	<1418988333-5404-8-git-send-email-olaf@aepfle.de>
	<1420544515.28863.148.camel@citrix.com>
	<20150107094006.GC12049@aepfle.de>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <xen-devel-bounces@lists.xen.org>
In-Reply-To: <20150107094006.GC12049@aepfle.de>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-devel>,
	<mailto:xen-devel-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-devel@lists.xen.org>
List-Help: <mailto:xen-devel-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-devel>,
	<mailto:xen-devel-request@lists.xen.org?subject=subscribe>
Sender: xen-devel-bounces@lists.xen.org
Errors-To: xen-devel-bounces@lists.xen.org
To: Olaf Hering <olaf@aepfle.de>
Cc: Wei Liu <wei.liu2@citrix.com>, Ian Campbell <Ian.Campbell@citrix.com>, Stefano Stabellini <stefano.stabellini@eu.citrix.com>, xen-devel@lists.xen.org, m.a.young@durham.ac.uk
List-Id: xen-devel@lists.xenproject.org

Olaf Hering writes ("Re: [PATCH 7/7] tools/hotplug: add wrapper to start xenstored"):
> If I recall correctly the point of the current 'sh -c "exec ..."' stunt
> was to expand the XENSTORE variable from the sysconfig file. But this
> approach leads to failures with SELinux because the socket passing does
> not work this way. Up to now I have not seen a success report for
> selinux+systemd+xenstored. Maybe its already somewhere in the other
> unread mails.

The selinux policy should follow the actual code, not vice versa.

That is, if the approach which we select (based on all the other
criteria) is not compatible with existing selinux policies, this
should be fixed by changing the selinux policies.

Since the selinux policies are not in xen.git, and are not maintained
as part of the Xen Project, there is no reason to delay introducing
changes in xen.git#master which are known to be incompatible with some
selinux policies.

My conclusion therefore is that selinux policies are an irrelevant
consideration when deciding what the scripts, systemd integration,
etc. should look like in xen.git#master.

(And what applies to xen.git#master applies to the as-yet-unreleased
xen.git#staging-4.5 too.)

> Hopefully someone with access to a SELinux enabled system will report
> which approach actually works.

I have concluded that the right approach is to disregard selinux.
Developers of selinux-enforcing setups should update the selinux
policies to support what the upstream Xen Project code does.

Thanks,
Ian.