On 05/29/2013 12:33 PM, Jan Safranek wrote:
I got some quick info on how to start writing policy for OpenLMI providers, see below. Please try it for your providers and send AVCs to Mirek Grepl.
I can only add:
0.1: Install necessary packages
    # yum install selinux-policy-devel
0.2: read /usr/share/doc/tog-pegasus-2.12.1/README.RedHat.Security
0.3: based on the document above:
    # cp /usr/share/doc/tog-pegasus-2.12.1/cmpiOSBase_OperatingSystemProvider-cimprovagt.example /usr/libexec/pegasus/<yourprovider>-cimprovagt
    (and package the file)
    # chmod 755 /usr/libexec/pegasus/<yourprovider>-cimprovagt
Umm, OpenLMI storage and software providers are written in Python, which means they both use 'pyCmpiProvider' as the provider name and thus should share their SELinux policy.
Of course, that's not what we want, we want separate policies for these providers.
One option would be to change cimprovagt and Pegasus CIMOM to also include some other identifier (e.g. PG_ProviderModule.Name) on the cimprovagt command line, so that our cimprovagt wrapper knows which real cimprovagt to run. But this would require changes in Pegasus.
Alternatively, we can create libpyCmpiLMI_Software.so and libpyCmpiLMI_Storage.so as symlinks to libpyCmpiProvider.so. In this case, we just need to change our registration files and package the new symlinks. Is it an acceptable solution?
Jan