[Pacemaker] [RFC] working selinux policy module for pacemaker

Andrew Beekhof andrew at beekhof.net
Fri Feb 22 11:04:54 UTC 2013


On Fri, Feb 22, 2013 at 8:39 PM, Vladislav Bogdanov
<bubble at hoster-ok.com> wrote:
> 22.02.2013 10:45, Andrew Beekhof wrote:
>> On Fri, Feb 22, 2013 at 4:55 PM, Vladislav Bogdanov
>> <bubble at hoster-ok.com> wrote:
>>> 04.01.2013 13:56, Andrew Beekhof wrote:
>>>> On Fri, Jan 4, 2013 at 4:27 PM, Vladislav Bogdanov <bubble at hoster-ok.com> wrote:
>>>>> 04.01.2013 06:07, Andrew Beekhof wrote:
>>>>>> On Wed, Dec 19, 2012 at 7:33 PM, Vladislav Bogdanov
>>>>>> <bubble at hoster-ok.com> wrote:
>>>>>>> Hi all,
>>>>>>>
>>>>>>> I'd like to share my successful attempt to confine pacemaker.
>>>>>>>
>>>>>>> I took pacemaker module barebone found in latest fedora's selinux-policy (3.11.1-64.fc18) and
>>>>>>> extended it a bit, so now I have pacemaker and some pacemaker-managed services
>>>>>>> running confined.
>>>>>>
>>>>>> Sweet. I've passed your amendments on to Milos who is looking after
>>>>>> https://bugzilla.redhat.com/show_bug.cgi?id=801493
>>>>>
>>>>> I've extended it a bit more to run stonithd in fenced_t domain, so now
>>>>> everything I can imagine runs fine (verified on two clusters, including
>>>>> one with libvirt/qemu virtualization).
>>>>
>>>> Nice work :)
>>>>
>>>>> Where is the best place to follow up with that?
>>>>
>>>> Probably the redhat bug.
>>>
>>> I'm afraid no.
>>>
>>> It was just closed, and, looking at the errata package, I do not see any
>>> way to run any confined service with that.
>>>
>>> I saw your question about possibility to run resources there in a
>>> bug-report, but unfortunately I'm not allowed to see replies. Is it
>>> answered at all?
>>
>> grumble.
>> /me goes off to kick somebody
>
> You forgot to add "working tested" between "create" and "policy" in a
> bug subject.
>
> Anyways, such bug resolution is absolutely counter-productive imho.

It looks like a bot did it (since it was against 6.3 and 6.4 just
became available).
But yes, not helpful.




More information about the Pacemaker mailing list