Dima Kuznetsov has posted comments on this change.
Change subject: caps: Add selinux enforcement reporting.
Patch Set 4:
(3 comments)
http://gerrit.ovirt.org/#/c/26951/4/lib/vdsm/utils.py File lib/vdsm/utils.py:
Line 1270:     def prependDefer(self, func, *args, **kwargs):
Line 1271:         self._finally.insert(0, (func, args, kwargs))
Line 1272:
Line 1273:
Line 1274: def getSELinuxEnforceMode():
vdsm.utils is intended for general-purpose utility functions, that are expe
Ok, will move back to caps.
Line 1275:     """
Line 1276:     Returns the SELinux mode as reported by kernel.
Line 1277:
Line 1278:     1 = enforcing - SELinux security policy is enforced.
http://gerrit.ovirt.org/#/c/26951/4/vdsm/caps.py File vdsm/caps.py:
Line 391:
Line 392:
Line 393: def _getSELinux():
Line 394:     selinux = dict()
Line 395:     selinux['mode'] = str(utils.getSELinuxEnforceMode())
why not report it as an int?
All the int values that are part of the response are converted to string:
340 caps['cpuThreads'] = str(cpuTopology.threads())
341 caps['cpuSockets'] = str(cpuTopology.sockets())
Line 396:
Line 397:     return selinux
Line 398:
Line 399:
Line 393: def _getSELinux():
Line 394:     selinux = dict()
Line 395:     selinux['mode'] = str(utils.getSELinuxEnforceMode())
Line 396:
Line 397:     return selinux
Why are you using another level of a dictionary? Do you have plans to repot
I think an additional level is a good idea because it'd allow us to add more SELinux info later. And mode is a pretty standard name for enforcement mode; sestatus reports it just as 'mode':
$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28
About future plans, some of these have no use being reported like the mount-point, but maybe some day engine would like to know if there is a difference between configured and actual mode, or the current policy running.
Line 398:
Line 399:
Line 400: def get():
Line 401:     targetArch = getTargetArch()
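
The comparison of configured and actual mode raised in the last reply, as an added example that is not part of the original message or of vdsm: it parses sestatus output into a nested dictionary of string values and flags a host whose running mode differs from its configured one. The function names and the dictionary keys other than 'mode' are assumptions, and the sample input is constructed from the output quoted above.

```python
# Added example; function and key names are hypothetical, not vdsm's.

# Constructed sample: the sestatus output quoted above, with the running mode
# changed to permissive to show drift from the configured mode.
SAMPLE_DRIFT = """\
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28
"""

# sestatus label -> key in the reported dictionary (key names are assumptions)
FIELDS = {
    "SELinux status": "status",
    "Current mode": "mode",
    "Mode from config file": "configuredMode",
    "Loaded policy name": "policy",
}


def parse_sestatus(text):
    """Return the selected sestatus fields as a dict of strings."""
    info = {}
    for line in text.splitlines():
        label, sep, value = line.partition(":")
        key = FIELDS.get(label.strip())
        if sep and key:
            info[key] = value.strip()
    return info


def selinux_caps(text):
    """Build the nested 'selinux' capability entry, all values as strings."""
    info = parse_sestatus(text)
    if info.get("status") != "enabled":
        # A disabled host prints only the status line; no mode to compare.
        return {"status": info.get("status", "unknown"), "modeDrift": "False"}
    info["modeDrift"] = str(info.get("mode") != info.get("configuredMode"))
    return info


if __name__ == "__main__":
    print(selinux_caps(SAMPLE_DRIFT))
```

A host reporting modeDrift 'True' is running in a mode other than the one in its config file, which is the difference the reply suggests the engine may want to see.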