On Wed, Dec 10, 2008 at 06:04:36PM +0100, Vreman, Peter - Acision wrote:
>
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:cobbler-
> > [EMAIL PROTECTED] On Behalf Of Michael DeHaan
> > Sent: Wednesday 10 December 2008 17:36
> > To: Anton Arapov
> > Cc: [email protected]
> > Subject: Re: [KOAN 1.2.X PATCH] SELinux: set correct security context for
> > lvm partitions
> >
> > Anton Arapov wrote:
> > > Hello crew,
> > >
> > > On an SELinux-enabled system:
> > > # cobbler system add --name vguest --profile F-10-x86_64 \
> > >     --virt-type qemu \
> > >     --virt-bridge virbr0 \
> > >     --virt-path vg
> > > # koan --server 'host' --virt --system vguest2
> > >
> > > These will fail to run, because koan did not set the correct security
> > > context for the created LVM partition.
> > > It must execute something like:
> > > # chcon -t virt_image_t /dev/mapper/%lvm_partition%
> > >
> > > Patch addressed to the ticket #321:
> > > https://fedorahosted.org/cobbler/ticket/321
> > >
> > > I've also added some concerns about the SELinux check already
> > > implemented in cobbler. So please, read the ticket and leave feedback. :)
> > >
> > > Cheers!
> > > ==
> > > diff -urpN koan-1.2.6.orig/koan/app.py koan-1.2.6/koan/app.py
> > > --- koan-1.2.6.orig/koan/app.py 2008-12-10 09:04:12.082359000
> > +0100
> > > +++ koan-1.2.6/koan/app.py 2008-12-10 09:18:59.765607726 +0100
> > > @@ -1213,8 +1213,23 @@ class Koan:
> > > if lv_create != 0:
> > > raise InfoException, "LVM creation failed"
> > >
> > > + # partition location
> > > + partition_location = "/dev/mapper/%s-%s" %
> > (location,name.replace('-','--'))
> > > +
> > > + # check whether we have SELinux enabled system
> > > + args = "/usr/sbin/selinuxenabled"
> > > + selinuxenabled = sub_process.call(args)
> > > + if selinuxenabled == 0:
> > > + # permissive or enforcing or something else, and
> > > + # set appropriate security context for LVM
> > partition
> > > + args = "/usr/bin/chcon -t virt_image_t %s" %
> > partition_location
> > > + print "%s" % args
> > > + change_context = sub_process.call(args, shell=True)
> > > + if change_context != 0:
> > > + raise InfoException, "SELinux security context
> > setting to LVM partition failed"
> > > +
> > > # return partition location
> > > - return "/dev/mapper/%s-%s" % (location,name.replace('-
> > ','--'))
> > > + return partition_location
> > > else:
> > > raise InfoException, "volume group needs %s GB free
> > space." % virt_size
> > >
> > >
> >
> > Is "/usr/sbin/selinuxenabled" available on older EL distros? Cobbler
> > contains some code for similar things that uses getenforce. Earlier I
> > thought this binary didn't exist on my box, but I /do/ have it on F9.
> >
> > Otherwise, looks fine, though I think we need to make sure this binary
> > is available. We should also check to see if it /exists/ first, because
> > long term we'll want koan to work on non-Fedora/Red-Hat based distros so
> > we can also package it there.
>
> The tool is available on RHEL 4.6:

Great! So we can go with this patch. :)
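Review bot: the chcon call builds a shell command string and runs it with `sub_process.call(args, shell=True)`, but `partition_location` is formatted from `location` and `name`, values taken from the cobbler system record (the `--virt-path` and `--name` arguments shown earlier in the thread), so a system or volume-group name containing shell metacharacters would be handed to /bin/sh and executed. Pass an argument vector and drop shell=True, e.g. `change_context = sub_process.call(["/usr/bin/chcon", "-t", "virt_image_t", partition_location])`. Two smaller points in the same block: `sub_process.call("/usr/sbin/selinuxenabled")` raises OSError rather than returning non-zero when the binary is absent, so an `os.path.exists("/usr/sbin/selinuxenabled")` guard before the call is needed for the non-SELinux distros Michael mentions; and `print "%s" % args` reads like leftover debugging output.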
--
Anton.

> tcsia12# cat /etc/redhat-release
> Red Hat Enterprise Linux AS release 4 (Nahant Update 6)
> tcsia12# rpm -ql libselinux-1.19.1-7.4 | grep enable
> /usr/sbin/selinuxenabled
> /usr/share/man/man8/selinuxenabled.8.gz
>
> On Debian it is in selinux-utils, see
> http://packages.debian.org/etch/i386/selinux-utils/filelist
>
>
> Peter
>
> _______________________________________________
> cobbler mailing list
> [email protected]
> https://fedorahosted.org/mailman/listinfo/cobbler

--
-Anton
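For the behaviour the thread settles on (label the logical volume only when SELinux is enabled, and cope with hosts that have no selinuxenabled binary at all), here is an added example in Python 3. It is not koan's code: the function names mapper_path, chcon_argv, selinux_enabled and label_volume are invented for this illustration, the `run` parameter exists only so the decision logic can be exercised without root or an SELinux host, and, going one step beyond the patch, it escapes hyphens in both the VG and the LV name, which is how device-mapper forms the /dev/mapper node name. It also runs chcon with an argument vector rather than a shell string, so a hostile volume name stays a single argument.

```python
"""Label an LVM-backed guest image for libvirt on an SELinux host.

Added example, not koan's code. All function names are invented for
this illustration.
"""
import shutil
import subprocess


def mapper_path(vg: str, lv: str) -> str:
    """Return the /dev/mapper node for an LV.

    device-mapper escapes '-' as '--' in both the VG name and the LV
    name, then joins them with a single '-'. (The koan patch in the
    thread escapes only the LV name.)
    """
    def esc(s: str) -> str:
        return s.replace("-", "--")
    return "/dev/mapper/%s-%s" % (esc(vg), esc(lv))


def chcon_argv(path: str, setype: str = "virt_image_t",
               chcon: str = "chcon") -> list:
    """argv for chcon.

    Executed directly (no /bin/sh), so whatever is in `path` is one
    argument to chcon and can never become a second command.
    """
    return [chcon, "-t", setype, path]


def selinux_enabled(binary: str = "selinuxenabled") -> bool:
    """True if `binary` is on PATH and exits 0 (permissive or enforcing).

    A missing binary (a distro without SELinux userspace) means
    'not enabled' rather than an OSError from subprocess.
    """
    exe = shutil.which(binary)
    if exe is None:
        return False
    return subprocess.call([exe]) == 0


def label_volume(vg: str, lv: str, run=subprocess.call) -> dict:
    """Label the LV's device node if SELinux is on.

    `run` takes an argv list and returns an exit status; it defaults
    to subprocess.call and is injectable for testing (assumption of
    this example, not a koan interface).
    """
    path = mapper_path(vg, lv)
    if not selinux_enabled():
        return {"path": path, "labelled": False, "argv": None}
    argv = chcon_argv(path)
    if run(argv) != 0:
        raise RuntimeError("chcon failed on %s" % path)
    return {"path": path, "labelled": True, "argv": argv}


if __name__ == "__main__":
    # Constructed inputs: a hostile LV name that would be a shell
    # injection if interpolated into a shell=True string.
    hostile = "vguest; touch /tmp/owned"
    print(chcon_argv(mapper_path("vg", hostile)))
    print(label_volume("vg", "vguest", run=lambda argv: 0))
```

The `run` callback returning 0 stands in for a successful chcon; on a real host drop it and let `subprocess.call` do the work. Note that chcon sets the label on the node only until the next relabel; the thread does not go into persistent labelling, so neither does this example.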
