[Pacemaker] [RFC] working selinux policy module for pacemaker
Vladislav Bogdanov (bubble at hoster-ok.com)
Fri Feb 22 09:39:48 UTC 2013

22.02.2013 10:45, Andrew Beekhof wrote:
> On Fri, Feb 22, 2013 at 4:55 PM, Vladislav Bogdanov
> <bubble at hoster-ok.com> wrote:
>> 04.01.2013 13:56, Andrew Beekhof wrote:
>>> On Fri, Jan 4, 2013 at 4:27 PM, Vladislav Bogdanov <bubble at hoster-ok.com> wrote:
>>>> 04.01.2013 06:07, Andrew Beekhof wrote:
>>>>> On Wed, Dec 19, 2012 at 7:33 PM, Vladislav Bogdanov
>>>>> <bubble at hoster-ok.com> wrote:
>>>>>> Hi all,
>>>>>>
>>>>>> I'd like to share my successful attempt to confine pacemaker.
>>>>>>
>>>>>> I took the barebone pacemaker module found in the latest Fedora selinux-policy (3.11.1-64.fc18) and
>>>>>> extended it a bit, so now I have pacemaker and some pacemaker-managed services
>>>>>> running confined.
>>>>>
>>>>> Sweet. I've passed your amendments on to Milos who is looking after
>>>>> https://bugzilla.redhat.com/show_bug.cgi?id=801493
>>>>
>>>> I've extended it a bit more to run stonithd in fenced_t domain, so now
>>>> everything I can imagine runs fine (verified on two clusters, including
>>>> one with libvirt/qemu virtualization).
>>>
>>> Nice work :)
>>>
>>>> Where is the best place to follow up with that?
>>>
>>> Probably the redhat bug.
>>
>> I'm afraid not.
>>
>> It was just closed, and, looking at the errata package, I do not see any
>> way to run any confined service with that.
>>
>> I saw your question about the possibility of running resources there in the
>> bug report, but unfortunately I'm not allowed to see replies. Has it been
>> answered at all?
> 
> grumble.
> /me goes off to kick somebody
You forgot to add "working tested" between "create" and "policy" in the
bug subject.
Anyway, such a bug resolution is absolutely counter-productive imho.
    
    