Hi!
I am looking into the problems we're having with selinux. And it's not going well ...
Compiling and installing additional selinux policies in RPMs is *REALLY* obscure (in my opinion). The problem is that tcpdump doesn't have the right context to write to /var/log. We would have to allow it by creating a policy derived from netutils_t and var_log_t (I am not even sure I understand it properly at the moment).
I have seen some API for changing contexts of processes. Unfortunately, it is C and python bindings are not included in Fedora.
I think that the best option for us is to just store the dump files elsewhere. When I thought about it there are multiple reasons for this.
1. Problems with SELinux
2. The pcap dumps have a potential to grow very rapidly. At the moment, we don't do any cleanup of the logs at all. Permanently storing such big files on slave machines in a seriously used pool would lead to a full disk after a while anyway.
I think it will be better to write them to /tmp on slaves and discard them when the recipe is over and they've been transferred to the controller.
What do you think?
Radek
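The slave-side handling Radek proposes (capture into a scratch directory under /tmp, hand the dumps to the controller, then discard them), as an added Python example that is not LNST's own code; `RecipeDumpDir`, `demo` and the `transfer` callback are assumed names, and the pcap bytes are a constructed stand-in for a real tcpdump capture.

```python
import os
import shutil
import tempfile

# Constructed per-dump limit; the mail notes dumps can grow very rapidly.
MAX_DUMP_BYTES = 64 * 1024 * 1024


class RecipeDumpDir:
    """Per-recipe scratch directory for pcap dumps (on the slaves: /tmp)."""

    def __init__(self, base=None):
        # mkdtemp gives a fresh, mode-0700 directory, so dumps of one recipe
        # never collide with or leak into another recipe's files.
        self.path = tempfile.mkdtemp(prefix="lnst-pcap-", dir=base)

    def dump_path(self, name):
        # Refuse names with path components so a dump cannot be placed
        # outside the scratch directory.
        if os.path.basename(name) != name or name in ("", ".", ".."):
            raise ValueError("dump name must be a plain file name")
        return os.path.join(self.path, name + ".pcap")

    def oversized(self, limit=MAX_DUMP_BYTES):
        """Dumps that exceed the limit; a caller can drop or truncate them."""
        return [f for f in sorted(os.listdir(self.path))
                if os.path.getsize(os.path.join(self.path, f)) > limit]

    def finish(self, transfer):
        """Hand every dump to transfer(path), then remove the directory
        even if a transfer fails, so nothing lingers on the slave."""
        try:
            for f in sorted(os.listdir(self.path)):
                transfer(os.path.join(self.path, f))
        finally:
            shutil.rmtree(self.path, ignore_errors=True)


def demo(base=None):
    """Simulate one recipe: write a dump, 'transfer' it, clean up."""
    controller = tempfile.mkdtemp(prefix="lnst-ctl-", dir=base)  # stands in for the controller
    dumps = RecipeDumpDir(base)
    with open(dumps.dump_path("eth0"), "wb") as f:
        # Constructed bytes: pcap magic (little-endian) plus padding, not a real capture.
        f.write(b"\xd4\xc3\xb2\xa1" + b"\x00" * 20)
    received = []
    dumps.finish(lambda p: received.append(shutil.copy(p, controller)))
    return {"scratch_removed": not os.path.exists(dumps.path),
            "received": [os.path.basename(p) for p in received],
            "too_big_before_finish": []}
```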
Thu, Nov 29, 2012 at 01:01:41PM CET, rpazdera@redhat.com wrote:
> Hi!
> I am looking into the problems we're having with selinux. And it's not going well ...
> Compiling and installing additional selinux policies in RPMs is *REALLY* obscure (in my opinion). The problem is that tcpdump doesn't have the right context to write to /var/log. We would have to allow it by creating a policy derived from netutils_t and var_log_t (I am not even sure I understand it properly at the moment).
> I have seen some API for changing contexts of processes. Unfortunately, it is C and python bindings are not included in Fedora.
> I think that the best option for us is to just store the dump files elsewhere. When I thought about it there are multiple reasons for this.
> 1. Problems with SELinux
> 2. The pcap dumps have a potential to grow very rapidly. At the moment, we don't do any cleanup of the logs at all. Permanently storing such big files on slave machines in a seriously used pool would lead to a full disk after a while anyway.
> I think it will be better to write them to /tmp on slaves and discard them when the recipe is over and they've been transferred to the controller.

Acked-by: Jiri Pirko <jpirko@redhat.com>

> What do you think?
> Radek