Anton Arapov wrote:
> On Wed, Dec 10, 2008 at 06:04:36PM +0100, Vreman, Peter - Acision wrote:
>
>>
>>> -----Original Message-----
>>> From: [EMAIL PROTECTED] [mailto:cobbler-
>>> [EMAIL PROTECTED] On Behalf Of Michael DeHaan
>>> Sent: Wednesday 10 December 2008 17:36
>>> To: Anton Arapov
>>> Cc: [email protected]
>>> Subject: Re: [KOAN 1.2.X PATCH] SELinux: set correct security context for
>>> lvm partitions
>>>
>>> Anton Arapov wrote:
>>>
>>>> Hello crew,
>>>>
>>>> On SELinux enabled system:
>>>> # cobbler system add --name vguest --profile F-10-x86_64 \
>>>> --virt-type qemu \
>>>> --virt-bridge virbr0 \
>>>> --virt-path vg
>>>> # koan --server 'host' --virt --system vguest2
>>>>
>>>> These will fail to run, because koan did not set the correct security
>>>> context for the created lvm partition.
>>>> It must execute something like:
>>>> # chcon -t virt_image_t /dev/mapper/%lvm_partition%
>>>>
>>>> Patch addressed to the ticket #321:
>>>> https://fedorahosted.org/cobbler/ticket/321
>>>>
>>>> I've also added some concerns about the selinux check already
>>>> implemented in cobbler. So please read the ticket and leave feedback. :)
>>>>
>>>> Cheers!
>>>> ==
>>>> diff -urpN koan-1.2.6.orig/koan/app.py koan-1.2.6/koan/app.py
>>>> --- koan-1.2.6.orig/koan/app.py 2008-12-10 09:04:12.082359000
>>>>
>>> +0100
>>>
>>>> +++ koan-1.2.6/koan/app.py 2008-12-10 09:18:59.765607726 +0100
>>>> @@ -1213,8 +1213,23 @@ class Koan:
>>>> if lv_create != 0:
>>>> raise InfoException, "LVM creation failed"
>>>>
>>>> + # partition location
>>>> + partition_location = "/dev/mapper/%s-%s" %
>>>>
>>> (location,name.replace('-','--'))
>>>
>>>> +
>>>> + # check whether we have SELinux enabled system
>>>> + args = "/usr/sbin/selinuxenabled"
>>>> + selinuxenabled = sub_process.call(args)
>>>> + if selinuxenabled == 0:
>>>> + # permissive or enforcing or something else, and
>>>> + # set appropriate security context for LVM
>>>>
>>> partition
>>>
>>>> + args = "/usr/bin/chcon -t virt_image_t %s" %
>>>>
>>> partition_location
>>>
>>>> + print "%s" % args
>>>> + change_context = sub_process.call(args, shell=True)
>>>> + if change_context != 0:
>>>> + raise InfoException, "SELinux security context
>>>>
>>> setting to LVM partition failed"
>>>
>>>> +
>>>> # return partition location
>>>> - return "/dev/mapper/%s-%s" % (location,name.replace('-
>>>>
>>> ','--'))
>>>
>>>> + return partition_location
>>>> else:
>>>> raise InfoException, "volume group needs %s GB free
>>>>
>>> space." % virt_size
>>>
>>>>
>>> Is "/usr/sbin/selinuxenabled" available on older EL distros? Cobbler
>>> contains some code for similar things that uses getenforce. Earlier I
>>> thought this binary didn't exist on my box, but I /do/ have it on F9.
>>>
>>> Otherwise, looks fine, though I think we need to make sure this binary
>>> is available. We should also check to see if it /exists/ first, because
>>> long term we'll want koan to work on non-Fedora/Red-Hat based distros so
>>> we can also package it there.
>>>
>> The tool is available on RHEL 4.6:
>>
> Great! So we can go with this patch. :)
>
> -- Anton.
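Review bot: the `chcon` call in this hunk runs `sub_process.call(args, shell=True)` on a string that embeds `partition_location`, which is built from the system `name`, so any shell metacharacter in that name is interpreted by the shell; pass an argument list instead, e.g. `sub_process.call(["/usr/bin/chcon", "-t", "virt_image_t", partition_location])`, which needs no `shell=True` and no `%s` formatting. Separately, `sub_process.call("/usr/sbin/selinuxenabled")` raises an exception rather than returning non-zero when the binary is absent, so the `selinuxenabled == 0` test never sees that case on a distro without it; guard with an existence check on the path first (the point Michael's reply also raises), and drop the debugging `print "%s" % args` before merging.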
>
>
>> tcsia12# cat /etc/redhat-release
>> Red Hat Enterprise Linux AS release 4 (Nahant Update 6)
>> tcsia12# rpm -ql libselinux-1.19.1-7.4 | grep enable
>> /usr/sbin/selinuxenabled
>> /usr/share/man/man8/selinuxenabled.8.gz
>>
>> On debian it is in selinux-utils, see
>> http://packages.debian.org/etch/i386/selinux-utils/filelist
>>
>>
>> Peter
>>
>>
>> This e-mail and any attachment is for authorised use by the intended
>> recipient(s) only. It may contain proprietary material, confidential
>> information and/or be subject to legal privilege. It should not be copied,
>> disclosed to, retained or used by, any other party. If you are not an
>> intended recipient then please promptly delete this e-mail and any
>> attachment and all copies and inform the sender. Thank you.
>>
>>
>> _______________________________________________
>> cobbler mailing list
>> [email protected]
>> https://fedorahosted.org/mailman/listinfo/cobbler
>>
>
>
FWIW, this patch does not apply -- possibly it was made against master and not the devel branch. See https://fedorahosted.org/cobbler/wiki/PatchProcess and use git-format-patch in the future and it makes things easier.

This is trivial so I'll see about applying it manually.

--Michael

_______________________________________________
cobbler mailing list
[email protected]
https://fedorahosted.org/mailman/listinfo/cobbler
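As an added example (not koan's code and not the patch from the thread), the same three steps the patch performs, written in Python 3 the way the review comments ask for: the selinuxenabled binary is checked for existence before it is called, so a non-SELinux distro is handled instead of raising; both commands are passed as argument lists, so the LV name never reaches a shell; and the device-mapper path escapes `-` as `--` in both the VG and LV names (the patch escapes only the LV name). The binary paths are the ones from the patch; the function names and the injectable `run`/`exists` parameters are this example's own, added so the logic can be exercised without root or an SELinux host.

```python
import os
import subprocess

# Paths used by the patch under discussion.
SELINUXENABLED = "/usr/sbin/selinuxenabled"
CHCON = "/usr/bin/chcon"


def mapper_path(vg, lv_name):
    """Return the /dev/mapper node for LV ``lv_name`` in VG ``vg``.

    device-mapper doubles every '-' inside a VG or LV name so that the
    single '-' joining them stays unambiguous.
    """
    return "/dev/mapper/%s-%s" % (vg.replace("-", "--"),
                                  lv_name.replace("-", "--"))


def selinux_enabled(run=subprocess.call, exists=os.path.exists):
    """True when SELinux is enabled (permissive or enforcing).

    False when selinuxenabled reports disabled, and also when the binary
    is simply not installed: the patch's bare call would raise there.
    """
    if not exists(SELINUXENABLED):
        return False
    # Argument list, not a string: nothing is parsed by a shell.
    return run([SELINUXENABLED]) == 0


def label_virt_image(path, run=subprocess.call, exists=os.path.exists):
    """Apply the virt_image_t type to ``path`` when SELinux is enabled.

    Returns the argv that was executed, or None when no relabel was
    needed. Raises RuntimeError when chcon fails, mirroring the patch's
    InfoException.
    """
    if not selinux_enabled(run, exists):
        return None
    argv = [CHCON, "-t", "virt_image_t", path]  # path is a single argv element
    if run(argv) != 0:
        raise RuntimeError("SELinux security context setting for %s failed" % path)
    return argv


if __name__ == "__main__":
    # Read-only check on the host this is run on; no relabel is performed.
    print("SELinux enabled:", selinux_enabled())
    print("LV path for vg/vguest-2:", mapper_path("vg", "vguest-2"))
```

The `run` and `exists` parameters default to the real `subprocess.call` and `os.path.exists`, so a caller in koan's position would just call `label_virt_image(mapper_path(location, name))`; passing stubs lets the disabled, absent-binary and chcon-failure branches be checked on any machine.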
