Anton Arapov wrote:
> Hello crew,
>
> On SELinux enabled system:
> # cobbler system add --name vguest --profile F-10-x86_64 \
>                      --virt-type qemu \
>                      --virt-bridge virbr0 \
>                      --virt-path vg
> # koan --server 'host' --virt --system vguest2
>
>   These will fail to run, because koan did not set the correct security
> context for the created LVM partition.
>   It must execute something like: 
> # chcon -t virt_image_t /dev/mapper/%lvm_partition%
>
>   Patch addressed to the ticket #321: 
>   https://fedorahosted.org/cobbler/ticket/321
>
>   I've also added some concerns about the SELinux check already implemented
> in cobbler. So please, read the ticket and leave feedback. :)
>
> Cheers!
> ==
> diff -urpN koan-1.2.6.orig/koan/app.py koan-1.2.6/koan/app.py
> --- koan-1.2.6.orig/koan/app.py       2008-12-10 09:04:12.082359000 +0100
> +++ koan-1.2.6/koan/app.py    2008-12-10 09:18:59.765607726 +0100
> @@ -1213,8 +1213,23 @@ class Koan:
>                      if lv_create != 0:
>                          raise InfoException, "LVM creation failed"
>  
> +                # partition location
> +                partition_location = "/dev/mapper/%s-%s" % 
> (location,name.replace('-','--'))
> +
> +                # check whether we have SELinux enabled system
> +                args = "/usr/sbin/selinuxenabled"
> +                selinuxenabled = sub_process.call(args)
> +                if selinuxenabled == 0:
> +                    # permissive or enforcing or something else, and
> +                    # set appropriate security context for LVM partition
> +                    args = "/usr/bin/chcon -t virt_image_t %s" % 
> partition_location
> +                    print "%s" % args
> +                    change_context = sub_process.call(args, shell=True)
> +                    if change_context != 0:
> +                        raise InfoException, "SELinux security context 
> setting to LVM partition failed"
> +
>                  # return partition location
> -                return "/dev/mapper/%s-%s" % 
> (location,name.replace('-','--'))
> +                return partition_location
>              else:
>                  raise InfoException, "volume group needs %s GB free space." 
> % virt_size
>  
>   
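Review bot: the chcon call in the new SELinux branch interpolates partition_location into a command string and runs it with shell=True, so any shell metacharacter that reaches location or name would be interpreted by the shell (name.replace only doubles hyphens). Passing an argument list without a shell, e.g. sub_process.call(["/usr/bin/chcon", "-t", "virt_image_t", partition_location]), avoids that and matches how selinuxenabled is invoked two lines earlier. The selinuxenabled call itself has no existence check in front of it, so a host without /usr/sbin/selinuxenabled gets no clean "skip the relabel" path; an os.path.exists test before the call would give it one. The print of args reads like leftover debugging output and could be dropped or routed through whatever logging koan already uses.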

Is "/usr/sbin/selinuxenabled" available on older EL distros? Cobbler 
contains some code for similar things that uses getenforce. Earlier I 
thought this binary didn't exist on my box, but I /do/ have it on F9.

Otherwise, looks fine, though I think we need to make sure this binary 
is available. We should also check to see if it /exists/ first, because 
long term we'll want koan to work on non-Fedora/Red-Hat based distros so 
we can also package it there.

--Michael
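
One way to combine the existence check asked for in the reply above with the patch's relabel step, as an added example (Python 3, not koan's code and not part of the original thread). The function name `label_virt_image` and its `exists`/`call` parameters are hypothetical; the binary paths and the `virt_image_t` type are the ones in the patch.

```python
import os
import subprocess

SELINUXENABLED = "/usr/sbin/selinuxenabled"  # path used in the patch
CHCON = "/usr/bin/chcon"                     # path used in the patch


def label_virt_image(partition_location, exists=os.path.exists,
                     call=subprocess.call):
    """Relabel an LVM partition as virt_image_t when SELinux is enabled.

    Returns "no-selinux-tools", "selinux-disabled" or "relabelled".
    `exists` and `call` are injectable (hypothetical parameters) so the
    decision logic can be exercised without touching a real system.
    """
    # Distros without SELinux tooling: nothing to relabel, skip quietly.
    if not exists(SELINUXENABLED):
        return "no-selinux-tools"
    # selinuxenabled exits 0 when SELinux is enabled (permissive or enforcing).
    if call([SELINUXENABLED]) != 0:
        return "selinux-disabled"
    if not exists(CHCON):
        raise RuntimeError("SELinux is enabled but %s is missing" % CHCON)
    # Argument list, no shell: the device path is a single argv entry, so
    # characters such as ';' or '$' in it are never parsed as shell syntax.
    rc = call([CHCON, "-t", "virt_image_t", partition_location])
    if rc != 0:
        raise RuntimeError(
            "SELinux security context setting to LVM partition failed")
    return "relabelled"


if __name__ == "__main__":
    # Constructed dry run: record the commands instead of executing them.
    recorded = []

    def dry_run(argv):
        recorded.append(argv)
        return 0

    print(label_virt_image("/dev/mapper/vg-vguest",
                           exists=lambda p: True, call=dry_run))
    print(recorded)
```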


_______________________________________________
cobbler mailing list
[email protected]
https://fedorahosted.org/mailman/listinfo/cobbler
