Dima Kuznetsov has posted comments on this change.
Change subject: caps: Add selinux enforcement reporting.
......................................................................
Patch Set 4:
(3 comments)
http://gerrit.ovirt.org/#/c/26951/4/lib/vdsm/utils.py
File lib/vdsm/utils.py:
Line 1270: def prependDefer(self, func, *args, **kwargs):
Line 1271: self._finally.insert(0, (func, args, kwargs))
Line 1272:
Line 1273:
Line 1274: def getSELinuxEnforceMode():
vdsm.utils is intended for general-purpose utility functions, that
are expe
Ok, will move back to caps.
Line 1275: """
Line 1276: Returns the SELinux mode as reported by kernel.
Line 1277:
Line 1278: 1 = enforcing - SELinux security policy is enforced.
http://gerrit.ovirt.org/#/c/26951/4/vdsm/caps.py
File vdsm/caps.py:
Line 391:
Line 392:
Line 393: def _getSELinux():
Line 394: selinux = dict()
Line 395: selinux['mode'] = str(utils.getSELinuxEnforceMode())
why not report it as an int?
All the int values that are part
of the response are converted to string:
340 caps['cpuThreads'] = str(cpuTopology.threads())
341 caps['cpuSockets'] = str(cpuTopology.sockets())
Line 396:
Line 397: return selinux
Line 398:
Line 399:
Line 393: def _getSELinux():
Line 394: selinux = dict()
Line 395: selinux['mode'] = str(utils.getSELinuxEnforceMode())
Line 396:
Line 397: return selinux
Why are you using another level of a dictionary? Do you have plans to
repot
I think an additional level is a good idea because it'd allow us to add more
SELinux info later. And mode is a pretty standard name for enforcement mode; sestatus
reports it just as 'mode':
$ sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 28
About future plans, some of these have no use being reported like the mount-point, but
maybe some day engine would like to know if there is a difference between configured and
actual mode, or the current policy running.
Line 398:
Line 399:
Line 400: def get():
Line 401: targetArch = getTargetArch()
--
To view, visit
http://gerrit.ovirt.org/26951
Gerrit-MessageType: comment
Gerrit-Change-Id: I98e0fcb71e831a76c4584bca46dc58fc4298180f
Gerrit-PatchSet: 4
Gerrit-Project: vdsm
Gerrit-Branch: master
Gerrit-Owner: Dima Kuznetsov <dkuznets(a)redhat.com>
Gerrit-Reviewer: Dan Kenigsberg <danken(a)redhat.com>
Gerrit-Reviewer: Dima Kuznetsov <dkuznets(a)redhat.com>
Gerrit-Reviewer: Douglas Schilling Landgraf <dougsland(a)redhat.com>
Gerrit-Reviewer: Yaniv Bronhaim <ybronhei(a)redhat.com>
Gerrit-Reviewer: automation(a)ovirt.org
Gerrit-Reviewer: oVirt Jenkins CI Server
Gerrit-HasComments: Yes
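
An added example, not part of the original message and not vdsm code: one way the nested SELinux dict discussed above could be filled from sestatus output, including the configured-versus-actual mode comparison mentioned as a possible future field. The key names other than 'mode', the function names, and the numeric values other than 1 = enforcing are assumptions.

```python
# Added illustration, not vdsm code. Sample input is the sestatus output
# quoted in the comment above (whitespace normalised).
SAMPLE_SESTATUS = """\
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 28
"""

# Only "1 = enforcing" appears in the thread; 0 and -1 are assumptions here.
MODE_TO_INT = {"enforcing": 1, "permissive": 0, "disabled": -1}


def parse_sestatus(text):
    """Split 'Key: value' lines into a dict, skipping malformed lines."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields[key.strip()] = value.strip()
    return fields


def selinux_caps(text):
    """Build a nested SELinux dict; every value is a string, as in caps."""
    fields = parse_sestatus(text)
    if fields.get("SELinux status") != "enabled":
        return {"mode": str(MODE_TO_INT["disabled"])}
    current = fields.get("Current mode")
    if current not in MODE_TO_INT:
        raise ValueError("unrecognised SELinux mode: %r" % (current,))
    caps = {"mode": str(MODE_TO_INT[current])}
    # Hypothetical extra keys: the "more SELinux info later" from the thread.
    if "Loaded policy name" in fields:
        caps["policy"] = fields["Loaded policy name"]
    configured = fields.get("Mode from config file")
    if configured is not None:
        # Running mode differs from the configured one (e.g. after setenforce 0).
        caps["modeMatchesConfig"] = str(current == configured).lower()
    return caps
```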