On Thu, Dec 11, 2008 at 09:50:34AM +0100, Anton Arapov wrote:
> On Wed, Dec 10, 2008 at 01:27:29PM -0500, Michael DeHaan wrote:
> > Anton Arapov wrote:
> > > On Wed, Dec 10, 2008 at 06:04:36PM +0100, Vreman, Peter - Acision wrote:
> > >>> -----Original Message-----
> > >>> From: [EMAIL PROTECTED] [mailto:cobbler-
> > >>> [EMAIL PROTECTED] On Behalf Of Michael DeHaan
> > >>> Sent: woensdag 10 december 2008 17:36
> > >>> To: Anton Arapov
> > >>> Cc: [email protected]
> > >>> Subject: Re: [KOAN 1.2.X PATCH] SELinux: set correct security context
> > >>> for
> > >>> lvm partitions
> > >>>
> > >>> Anton Arapov wrote:
> > >>>
> > >>>> Hello crew,
> > >>>>
> > >>>> On SELinux enabled system:
> > >>>> # cobbler system add --name vguest --profile F-10-x86_64 \
> > >>>> --virt-type qemu \
> > >>>> --virt-bridge virbr0 \
> > >>>> --virt-path vg
> > >>>> # koan --server 'host' --virt --system vguest2
> > >>>>
> > >>>> These will fail to run, because koan did not set the correct security
> > >>>>
> > >>> context
> > >>>
> > >>>> for created lvm partition.
> > >>>> It must execute something like:
> > >>>> # chcon -t virt_image_t /dev/mapper/%lvm_partition%
> > >>>>
> > >>>> Patch addressed to the ticket #321:
> > >>>> https://fedorahosted.org/cobbler/ticket/321
> > >>>>
> > >>>> I've added also some concerns, about already implemented in cobbler
> > >>>> selinux check. So please, read the ticket and leave feedback. :)
> > >>>>
> > >>>> Cheers!
> > >>>> ==
> [...cut...]
>
> > >>> Is "/usr/sbin/selinuxenabled" available on older EL distros? Cobbler
> > >>> contains some code for similar things that uses getenforce. Earlier I
> > >>> thought this binary didn't exist on my box, but I /do/ have it on F9.
> > >>>
> > >>> Otherwise, looks fine, though I think we need to make sure this binary
> > >>> is available. We should also check to see if it /exists/ first, because
> > >>> long term we'll want koan to work on non-Fedora/Red-Hat based distros so
> > >>> we can also package it there.
> > >> The tool is available on RHEL 4.6:
> > > Great! So we can go with this patch. :)
> [...cut...]
>
> > FWIW, this patch does not apply -- possibly it was made against master
> > and not the devel branch.
> >
> > See https://fedorahosted.org/cobbler/wiki/PatchProcess and use
> > git-format-patch in the future and it makes things easier.
> >
> > This is trivial so I'll see about applying it manually.
Arrgh ... an incorrect one has been generated, drop it.
Will rediff in a moment.
> There is a patch against the koan git tree:
>
> koan/app.py | 9 +++++++++
> koan/utils.py | 7 +++++++
> 2 files changed, 16 insertions(+), 0 deletions(-)
>
> diff --git a/koan/app.py b/koan/app.py
> index f5f982f..5751de2 100755
> --- a/koan/app.py
> +++ b/koan/app.py
> @@ -1213,6 +1213,15 @@ class Koan:
> if lv_create != 0:
> raise InfoException, "LVM creation failed"
>
> + # SELinux enabled system?
> + if utils.is_selinux_enabled():
> + # set appropriate security context for LVM partition
> + args = "/usr/bin/chcon -t virt_image_t %s" %
> partition_location
> + print "%s" % args
> + change_context = sub_process.call(args, shell=True)
> + if change_context != 0:
> + raise InfoException, "SELinux security context
> setting to LVM partition failed"
> +
> # return partition location
> return "/dev/mapper/%s-%s" %
> (location,name.replace('-','--'))
> else:
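Review bot: the new chcon call in this hunk interpolates partition_location into a command string and runs it with shell=True, so a volume-group or system name containing a space, `;` or `$(` is interpreted by the shell rather than passed to chcon. Use an argument list and drop shell=True, e.g. `sub_process.call(["/usr/bin/chcon", "-t", "virt_image_t", partition_location])`. Smaller points: the `print "%s" % args` line reads as leftover debugging output; /usr/bin/chcon is hard-coded without the existence check the thread asked for on the selinuxenabled side; and the value returned a few lines later is computed independently ("/dev/mapper/%s-%s" with '-' doubled only in the LV name), so it is worth confirming that the node being relabeled is the same node the caller gets back (device-mapper also doubles '-' in the VG name).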
> diff --git a/koan/utils.py b/koan/utils.py
> index 36ef75f..cfebce8 100644
> --- a/koan/utils.py
> +++ b/koan/utils.py
> @@ -156,6 +156,13 @@ def subprocess_call(cmd,ignore_rc=False):
> raise InfoException, "command failed (%s)" % rc
> return rc
>
> +def is_selinux_enabled():
> + args = "/usr/sbin/selinuxenabled"
> + selinuxenabled = sub_process.call(args)
> + if selinuxenabled == 0:
> + return True
> + else:
> + return False
>
> def input_string_or_hash(options,delim=None):
> """
--
-Anton
_______________________________________________
cobbler mailing list
[email protected]
https://fedorahosted.org/mailman/listinfo/cobbler
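To show the two points discussed in the thread side by side (check that the SELinux helper binary exists before calling it, and relabel the LVM node without passing its path through a shell), here is an added example of how that step could look. It is not koan's code and not the patch above; the function names, the injectable `run` callable, the `/dev/mapper` prefix check and the sample invocations are assumptions made for illustration. It goes slightly beyond the patch in one respect: device-mapper escapes '-' as '--' in both the VG and the LV name, and `lvm_device_path` handles both.

```python
import os
import subprocess

# Added example, not koan's code. Names, the injectable `run` callable and the
# /dev/mapper prefix check are assumptions made for illustration.

SELINUXENABLED = "/usr/sbin/selinuxenabled"
CHCON = "/usr/bin/chcon"


def is_selinux_enabled(binary=SELINUXENABLED, run=subprocess.call):
    """True only if `binary` exists and exits 0 (selinuxenabled's contract).

    A host without libselinux-utils (or a non-Red-Hat distro) must read as
    "disabled", not as a traceback, so the missing-binary case is handled
    before anything is executed.
    """
    if not os.path.exists(binary):
        return False
    try:
        return run([binary]) == 0
    except OSError:          # present but not executable, or exec failed
        return False


def lvm_device_path(vg, lv):
    """/dev/mapper node for an LVM volume.

    Device-mapper escapes '-' as '--' in both the VG and the LV name, so the
    single '-' separating them stays unambiguous.
    """
    return "/dev/mapper/%s-%s" % (vg.replace("-", "--"), lv.replace("-", "--"))


def relabel_virt_image(partition_location, run=subprocess.call, binary=CHCON):
    """Run chcon -t virt_image_t on the guest disk; return its exit status.

    The path goes to chcon as one argv element, never through a shell, so a
    name containing spaces or metacharacters cannot alter the command.
    """
    if not partition_location.startswith("/dev/mapper/"):
        raise ValueError("refusing to relabel %r: not under /dev/mapper"
                         % partition_location)
    argv = [binary, "-t", "virt_image_t", partition_location]
    return run(argv)


def prepare_lvm_guest_disk(vg, lv, run=subprocess.call,
                           selinux_binary=SELINUXENABLED):
    """The post-lvcreate step: relabel when SELinux is on, skip otherwise.

    Returns (device_path, "labeled" | "skipped"); raises on a chcon failure,
    since a mislabeled image is refused by the virt policy later anyway.
    """
    path = lvm_device_path(vg, lv)
    if not is_selinux_enabled(binary=selinux_binary, run=run):
        return path, "skipped"
    rc = relabel_virt_image(path, run=run)
    if rc != 0:
        raise RuntimeError("chcon exited %d for %s" % (rc, path))
    return path, "labeled"


if __name__ == "__main__":
    # Constructed sample: a fake `run` records argv and reports success, so
    # this runs offline. On a real SELinux host leave run=subprocess.call.
    calls = []

    def fake_run(argv):
        calls.append(list(argv))
        return 0

    print(prepare_lvm_guest_disk("vg", "vguest2", run=fake_run,
                                 selinux_binary=os.devnull))
    print(calls)
```

On a real host the defaults apply and `prepare_lvm_guest_disk("vg", "vguest2")` either relabels the node or returns `"skipped"` when selinuxenabled is not installed; the injectable `run` exists only so the control flow can be exercised without root or SELinux.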