Re: [Ovirt-devel] [PATCH node-image] add ovirt semodule in Node

Alan Pevec wrote:
For now, it is only to allow qemu to access disk partitions directly,
required in order to use iSCSI storage pools with SELinux enabled.

ACK since it fixes the immediate problem.  But, longer term...

Should this SELinux policy be a part of ovirt-node installation instead of in ovirt-node-image kickstart?

We'll want to install ovirt-node on baremetal Fedora hosts and on those hosts we'll want to be able to use iSCSI storage. We can always tell the administrator to 'make it work' but since we require it anyhow I think it would make sense to have this policy set in ovirt-node RPM.

Even longer term... Shouldn't this be a part of libvirt install and not in oVirt at all?


Signed-off-by: Alan Pevec <apevec redhat com>
 common-post.ks |   16 +++++++++++++++-
 1 files changed, 15 insertions(+), 1 deletions(-)

diff --git a/common-post.ks b/common-post.ks
index a4f5858..d44324c 100644
--- a/common-post.ks
+++ b/common-post.ks
@@ -43,12 +43,26 @@ cat > /etc/sysconfig/iptables << \EOF
+# make disks available to VMs
+cat > /tmp/ovirt.te <<EOF
+module ovirt 1.0.0;
+require {
+    type fixed_disk_device_t;
+    type qemu_t;
+    class blk_file { ioctl getattr setattr read write };
+allow qemu_t fixed_disk_device_t:blk_file { ioctl getattr setattr read write };
+checkmodule -M -m -o /tmp/ovirt.mod /tmp/ovirt.te
+semodule_package -o /tmp/ovirt.pp -m /tmp/ovirt.mod
+semodule -i /tmp/ovirt.pp
 echo "Removing excess RPMs"
RPM="rpm -v -e --nodeps" # kernel pulls in mkinitrd which pulls in isomd5sum which pulls in python,
-# and livecd-tools needs lokkit to disable SELinux.
+# and livecd-tools needs lokkit to configure SELinux.
 # However, this is just an install-time dependency; we can remove
 # it afterwards, which we do here
 $RPM -e system-config-firewall-tui system-config-network-tui rhpl \
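Review bot: the hunk as shown is missing two lines the .te heredoc needs: the `}` that closes the `require { ... }` block (before the `allow` rule) and the `EOF` terminator that closes `cat > /tmp/ovirt.te <<EOF` (before `checkmodule`). The `@@ -43,12 +43,26 @@` header and the "15 insertions" diffstat account for more added lines than the 12 `+` lines visible here, so they were most likely dropped in transit, but if they are really absent the heredoc swallows the `checkmodule`, `semodule_package` and `semodule` lines as policy text and the module is never built or installed; please double-check the committed file. Also worth stating in the commit message: `allow qemu_t fixed_disk_device_t:blk_file { ioctl getattr setattr read write }` gives every qemu_t process read/write access to every fixed-disk block device on the host, not only the iSCSI LUNs the description mentions, so document that a host-wide grant is the intended scope (or note that a narrower type is not available for these devices).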

