Anton Arapov wrote:
> On Wed, Dec 10, 2008 at 11:35:54AM -0500, Michael DeHaan wrote:
>
>> Anton Arapov wrote:
>>
>>> Hello crew,
>>>
>>> On SELinux enabled system:
>>> # cobbler system add --name vguest --profile F-10-x86_64 \
>>> --virt-type qemu \
>>> --virt-bridge virbr0 \
>>> --virt-path vg
>>> # koan --server 'host' --virt --system vguest2
>>>
>>> These will fail to run, because koan did not set the correct security context
>>> for created lvm partition.
>>> It must execute something like: # chcon -t virt_image_t /dev/mapper/%lvm_partition%
>>>
>>> Patch addressed to the ticket #321:
>>> https://fedorahosted.org/cobbler/ticket/321
>>>
>>> I've added also some concerns, about already implemented in cobbler
>>> selinux check. So please, read the ticket and leave feedback. :)
>>>
>>> Cheers!
>>> ==
>>> diff -urpN koan-1.2.6.orig/koan/app.py koan-1.2.6/koan/app.py >>> --- koan-1.2.6.orig/koan/app.py 2008-12-10 09:04:12.082359000 +0100 >>> +++ koan-1.2.6/koan/app.py 2008-12-10 09:18:59.765607726 +0100
>>> @@ -1213,8 +1213,23 @@ class Koan: >>> if lv_create != 0: >>> raise InfoException, "LVM creation failed" >>> + # partition location >>> + partition_location = "/dev/mapper/%s-%s" % >>> (location,name.replace('-','--')) >>> + >>> + # check whether we have SELinux enabled system >>> + args = "/usr/sbin/selinuxenabled" >>> + selinuxenabled = sub_process.call(args) >>> + if selinuxenabled == 0: >>> + # permissive or enforcing or something else, and >>> + # set appropriate security context for LVM partition >>> + args = "/usr/bin/chcon -t virt_image_t %s" % >>> partition_location >>> + print "%s" % args >>> + change_context = sub_process.call(args, shell=True) >>> + if change_context != 0: >>> + raise InfoException, "SELinux security context >>> setting to LVM partition failed" >>> + >>> # return partition location >>> - return "/dev/mapper/%s-%s" % >>> (location,name.replace('-','--')) >>> + return partition_location >>> else: >>> raise InfoException, "volume group needs %s GB free >>> space." % virt_size
>>>
>>>
>> Is "/usr/sbin/selinuxenabled" available on older EL distros? Cobbler
>> contains some code for similar things that uses getenforce. Earlier I
>> thought this binary didn't exist on my box, but I /do/ have it on F9.
>>
>> Otherwise, looks fine, though I think we need to make sure this binary
>> is available. We should also check to see if it /exists/ first, because
>> long term we'll want koan to work on non-Fedora/Red-Hat based distros so
>> we can also package it there.
>>
>
> will check this in rhel4.6/4.7 and rhel5.2, and will let you know. I
> guess, we do not care about rhel2/rhel3. ;-)
>
>
Excellent. koan does work on rhel2/3 for --replace-self, but this is for the virt code, so, no, we don't care :)

--Michael

>> --Michael
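
Review bot: the chcon call in the added SELinux block formats partition_location into a command string and runs it with shell=True, so any shell metacharacter in location or name would be interpreted by the shell; pass an argument list and drop the shell, e.g. sub_process.call(["/usr/bin/chcon", "-t", "virt_image_t", partition_location]). The selinuxenabled call above it assumes /usr/sbin/selinuxenabled is present; if sub_process behaves like the standard subprocess module, a missing binary raises OSError rather than returning non-zero, so an os.path.exists check before the call (as asked for in the reply) would keep koan working on systems without it. The print "%s" % args line reads like leftover debugging output and could be dropped or routed through whatever logging koan already uses.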
