On Wed, Dec 10, 2008 at 01:27:29PM -0500, Michael DeHaan wrote:
> Anton Arapov wrote:
> > On Wed, Dec 10, 2008 at 06:04:36PM +0100, Vreman, Peter - Acision wrote:
> >>> -----Original Message-----
> >>> From: [EMAIL PROTECTED] [mailto:cobbler-
> >>> [EMAIL PROTECTED] On Behalf Of Michael DeHaan
> >>> Sent: Wednesday 10 December 2008 17:36
> >>> To: Anton Arapov
> >>> Cc: [email protected]
> >>> Subject: Re: [KOAN 1.2.X PATCH] SELinux: set correct security context for
> >>> lvm partitions
> >>>
> >>> Anton Arapov wrote:
> >>>> Hello crew,
> >>>>
> >>>> On an SELinux-enabled system:
> >>>> # cobbler system add --name vguest --profile F-10-x86_64 \
> >>>>     --virt-type qemu \
> >>>>     --virt-bridge virbr0 \
> >>>>     --virt-path vg
> >>>> # koan --server 'host' --virt --system vguest2
> >>>>
> >>>> These will fail to run, because koan did not set the correct security
> >>>> context for the created LVM partition.
> >>>> It must execute something like:
> >>>> # chcon -t virt_image_t /dev/mapper/%lvm_partition%
> >>>>
> >>>> Patch addressed to ticket #321:
> >>>> https://fedorahosted.org/cobbler/ticket/321
> >>>>
> >>>> I've also added some concerns about the SELinux check already
> >>>> implemented in cobbler. So please read the ticket and leave feedback. :)
> >>>> [...cut...]
> >>> Is "/usr/sbin/selinuxenabled" available on older EL distros? Cobbler
> >>> contains some code for similar things that uses getenforce. Earlier I
> >>> thought this binary didn't exist on my box, but I /do/ have it on F9.
> >>>
> >>> Otherwise, looks fine, though I think we need to make sure this binary
> >>> is available. We should also check to see if it /exists/ first, because
> >>> long term we'll want koan to work on non-Fedora/Red-Hat based distros so
> >>> we can also package it there.
> >> The tool is available on RHEL 4.6:
> > Great! So we can go with this patch. :)
> > [...cut...]
> FWIW, this patch does not apply -- possibly it was made against master
> and not the devel branch.
>
> See https://fedorahosted.org/cobbler/wiki/PatchProcess and use
> git-format-patch in the future and it makes things easier.
>
> This is trivial so I'll see about applying it manually.

I figured out that cobbler from the git devel branch already uses the
selinuxenabled util. So I did it the way it is done in cobbler:

==
 koan/app.py   | 14 +++++++++++++-
 koan/utils.py |  7 +++++++
 2 files changed, 20 insertions(+), 1 deletions(-)

diff --git a/koan/app.py b/koan/app.py
index f5f982f..879f8ed 100755
--- a/koan/app.py
+++ b/koan/app.py
@@ -1213,8 +1213,20 @@ class Koan: if lv_create != 0: raise InfoException, "LVM creation failed" + # full path to LVM partition + partition_location = "/dev/mapper/%s-%s" % (location,name.replace('-','--')) + + # SELinux enabled system? + if utils.is_selinux_enabled(): + # set appropriate security context for LVM partition + args = "/usr/bin/chcon -t virt_image_t %s" % partition_location + print "%s" % args + change_context = sub_process.call(args, shell=True) + if change_context != 0: + raise InfoException, "SELinux security context setting to LVM partition failed" + # return partition location - return "/dev/mapper/%s-%s" % (location,name.replace('-','--')) + return partition_location else: raise InfoException, "volume group needs %s GB free space." % virt_size diff --git a/koan/utils.py b/koan/utils.py index 36ef75f..cfebce8 100644 --- a/koan/utils.py +++ b/koan/utils.py @@ -156,6 +156,13 @@ def subprocess_call(cmd,ignore_rc=False): raise InfoException, "command failed (%s)" % rc return rc +def is_selinux_enabled(): + args = "/usr/sbin/selinuxenabled" + selinuxenabled = sub_process.call(args) + if selinuxenabled == 0: + return True + else: + return False def input_string_or_hash(options,delim=None): """ _______________________________________________ cobbler mailing list [email protected] https://fedorahosted.org/mailman/listinfo/cobbler
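Review bot: in the koan/app.py hunk the chcon command is built by string formatting and run with `sub_process.call(args, shell=True)`, so `partition_location`, which is derived from the caller-supplied `location` and `name`, is re-parsed by /bin/sh; a guest or volume-group name containing whitespace or shell metacharacters breaks the command or runs something other than chcon. Pass an argument list and drop `shell=True`, e.g. `sub_process.call(["/usr/bin/chcon", "-t", "virt_image_t", partition_location])`. The same hunk also re-implements the return-code check that `utils.subprocess_call` (visible in the utils.py context, which raises InfoException on a nonzero rc) already provides, so the `if change_context != 0:` block could be replaced by a call to that helper. Two smaller points: only `name` has its hyphens escaped as `--`, while `location` (the volume-group name) is used unescaped even though device-mapper applies the same escaping to both halves of the `vg-lv` name; and the `print "%s" % args` line looks like leftover debugging output.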
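Review bot: the new `is_selinux_enabled()` in the koan/utils.py hunk does not do the existence check agreed earlier in this thread. If /usr/sbin/selinuxenabled is not installed, `sub_process.call(args)` raises OSError rather than returning a nonzero code, so on a non-SELinux distro the function propagates an exception instead of returning False. Guard it with `os.path.exists(args)` or catch OSError and return False in that case. The `if selinuxenabled == 0: return True else: return False` ladder also reduces to `return selinuxenabled == 0`.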
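The following is an added example, not koan's or cobbler's own code, showing the two steps discussed in this thread (detect SELinux via selinuxenabled, then label the new LVM volume virt_image_t with chcon) written so that the device path is never handed to a shell and a missing selinuxenabled binary is treated as "not enabled" instead of raising. It is written for Python 3 rather than the Python 2 the patch targets; the function names, the `runner` and `selinux_check` parameters (so it can be exercised without root or chcon), and the `prepare_lvm_volume` wrapper are assumptions made for this example. It also escapes hyphens in the volume-group name as well as the LV name, which the patch does not do; device-mapper applies the `--` escaping to both components.

```python
import os
import subprocess

# Added example, not koan's own code.  Reimplements the two steps the
# patch in this thread performs (detect SELinux, label the new LVM
# volume as virt_image_t) without passing a formatted string to a
# shell, and treats a missing selinuxenabled binary as "not enabled".
# Function names and the runner/selinux_check hooks are assumptions
# made for this example; the only external commands used are
# selinuxenabled(8) and chcon(1).

SELINUXENABLED = "/usr/sbin/selinuxenabled"  # path used by the patch
CHCON = "/usr/bin/chcon"                      # path used by the patch
VIRT_IMAGE_TYPE = "virt_image_t"


def is_selinux_enabled(binary=SELINUXENABLED):
    """Return True only if `binary` exists and exits 0.

    selinuxenabled exits 0 when SELinux is enabled and 1 otherwise.
    On a distro without the binary subprocess would raise OSError;
    that case is reported as False so callers simply skip labelling.
    """
    if not os.path.isfile(binary):
        return False
    try:
        return subprocess.call([binary]) == 0
    except OSError:
        return False


def lvm_device_path(vg, lv):
    """Device-mapper path of logical volume `lv` in volume group `vg`.

    device-mapper escapes every '-' inside a name as '--' and joins VG
    and LV with a single '-', so ('vg', 'my-guest') -> vg-my--guest.
    The patch escapes only the LV name; both components are escaped here.
    """
    return "/dev/mapper/%s-%s" % (vg.replace("-", "--"), lv.replace("-", "--"))


def chcon_argv(path, context_type=VIRT_IMAGE_TYPE, chcon=CHCON):
    """Build the chcon command as an argv list.

    With a list, `path` reaches chcon as exactly one argument; nothing
    re-parses it, so whitespace or ';' in a guest name cannot become
    extra commands the way it can with shell=True on a joined string.
    """
    return [chcon, "-t", context_type, path]


def label_virt_image(path, runner=subprocess.call, **kw):
    """Set the SELinux type on `path`, raising on a nonzero exit.

    `runner` defaults to subprocess.call; tests pass a stub so the
    example runs without chcon or root privileges.
    """
    rc = runner(chcon_argv(path, **kw))
    if rc != 0:
        raise RuntimeError("chcon failed on %s (rc=%d)" % (path, rc))
    return rc


def prepare_lvm_volume(vg, lv, selinux_check=is_selinux_enabled,
                       runner=subprocess.call):
    """Mirror the patch's flow: compute the path, label it if SELinux is on.

    Returns (device_path, labelled) so a caller can tell whether chcon ran.
    """
    path = lvm_device_path(vg, lv)
    labelled = False
    if selinux_check():
        label_virt_image(path, runner=runner)
        labelled = True
    return path, labelled


if __name__ == "__main__":
    # Dry run: show the argv that would be executed for a hostile LV name.
    # The whole path stays a single list element.
    hostile = lvm_device_path("vg", "x; rm -rf /")
    print(chcon_argv(hostile))
```

Note that chcon only changes the label on the device node that exists now; the relevant check after a real run is `ls -Z /dev/mapper/<vg>-<lv>` showing `virt_image_t`.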
