On Thu, Dec 11, 2008 at 11:40:25AM -0500, Michael DeHaan wrote:
> Anton Arapov wrote:
> > On Wed, Dec 10, 2008 at 01:27:29PM -0500, Michael DeHaan wrote:
> >   
> >> Anton Arapov wrote:
> >>     
> >>> On Wed, Dec 10, 2008 at 06:04:36PM +0100, Vreman, Peter - Acision wrote:
> >>>       
> >>>>> -----Original Message-----
> >>>>> From: [EMAIL PROTECTED] [mailto:cobbler-
> >>>>> [EMAIL PROTECTED] On Behalf Of Michael DeHaan
> >>>>> Sent: woensdag 10 december 2008 17:36
> >>>>> To: Anton Arapov
> >>>>> Cc: [email protected]
> >>>>> Subject: Re: [KOAN 1.2.X PATCH] SELinux: set correct security context 
> >>>>> for
> >>>>> lvm partitions
> >>>>>
> >>>>> Anton Arapov wrote:
> >>>>>           
> >>>>>> Hello crew,
> >>>>>>
> >>>>>> On SELinux enabled system:
> >>>>>> # cobbler system add --name vguest --profile F-10-x86_64 \
> >>>>>>                      --virt-type qemu \
> >>>>>>                      --virt-bridge virbr0 \
> >>>>>>                      --virt-path vg
> >>>>>> # koan --server 'host' --virt --system vguest2
> >>>>>>
> >>>>>>   These will fail to run, because koan did not set the correct 
> >>>>>> security context
> >>>>>> for created lvm partition.
> >>>>>>   It must execute something like:
> >>>>>> # chcon -t virt_image_t /dev/mapper/%lvm_partition%
> >>>>>>
> >>>>>>   Patch addressed to the ticket #321:
> >>>>>>   https://fedorahosted.org/cobbler/ticket/321
> >>>>>>
> >>>>>>   I've added also some concerns, about already implemented in cobbler
> >>>>>> selinux check. So please, read the ticket and leave feedback. :)
> >>>>>>
> >>>>>>             
> > [...cut...]
> >
> >   
> >>>>> Is "/usr/sbin/selinuxenabled" available on older EL distros? Cobbler
> >>>>> contains some code for similar things that uses getenforce. Earlier I
> >>>>> thought this binary didn't exist on my box, but I /do/ have it on F9.
> >>>>>
> >>>>> Otherwise, looks fine, though I think we need to make sure this binary
> >>>>> is available. We should also check to see if it /exists/ first, because
> >>>>> long term we'll want koan to work on non-Fedora/Red-Hat based distros so
> >>>>> we can also package it there.
> >>>>>           
> >>>> The tool is available on RHEL 4.6:
> >>>>         
> >>> Great! So we can go with this patch. :)
> >>>       
> > [...cut...]
> >
> >   
> >> FWIW, this patch does not apply -- possibly it was made against master 
> >> and not the devel branch.
> >>
> >> See https://fedorahosted.org/cobbler/wiki/PatchProcess and use 
> >> git-format-patch in the future and it makes things easier.
> >>
> >> This is trivial so I'll see about applying it manually.
> >>     
> >
> > I figured out that cobbler from git devel branch already uses
> > selinuxenabled util. So I did it in the way it is in cobbler:
> >   
> 
> Only because I copied from your patch yesterday :)
> 
> You should see that koan's devel branch already has your change applied, 
> so I believe we're good.
Aha! ... Didn't notice that we have 'devel' branch in koan's git as
well .... :) I see it now.


> Thanks!
> 
> --Michael
> 
> > ==
> >
> >  koan/app.py   |   14 +++++++++++++-
> >  koan/utils.py |    7 +++++++
> >  2 files changed, 20 insertions(+), 1 deletions(-)
> >
> > diff --git a/koan/app.py b/koan/app.py
> > index f5f982f..879f8ed 100755
> > --- a/koan/app.py
> > +++ b/koan/app.py
> > @@ -1213,8 +1213,20 @@ class Koan:
> >                      if lv_create != 0:
> >                          raise InfoException, "LVM creation failed"
> >  
> > +                # full path to LVM partition
> > +                partition_location = "/dev/mapper/%s-%s" % 
> > (location,name.replace('-','--'))
> > +
> > +                # SELinux enabled system?
> > +                if utils.is_selinux_enabled():
> > +                    # set appropriate security context for LVM partition
> > +                    args = "/usr/bin/chcon -t virt_image_t %s" % 
> > partition_location
> > +                    print "%s" % args
> > +                    change_context = sub_process.call(args, shell=True)
> > +                    if change_context != 0:
> > +                        raise InfoException, "SELinux security context 
> > setting to LVM partition failed"
> > +
> >                  # return partition location
> > -                return "/dev/mapper/%s-%s" % 
> > (location,name.replace('-','--'))
> > +                return partition_location
> >              else:
> >                  raise InfoException, "volume group needs %s GB free 
> > space." % virt_size
> >  
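
Review bot: the chcon call in the added block of koan/app.py builds one command string from location and name with % formatting and runs it with shell=True, so any shell metacharacter in either value is interpreted by the shell rather than passed to chcon as part of the path. Pass an argument list without a shell instead, e.g. sub_process.call(["/usr/bin/chcon", "-t", "virt_image_t", partition_location]), which also handles names containing spaces. Two smaller points in the same hunk: the path /usr/bin/chcon is hard-coded and not checked for existence before the call, and when chcon fails the exception is raised after lvcreate has already succeeded, so the new logical volume is left behind with the wrong label; the error message could at least include partition_location so the operator knows what to relabel or remove.
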
> > diff --git a/koan/utils.py b/koan/utils.py
> > index 36ef75f..cfebce8 100644
> > --- a/koan/utils.py
> > +++ b/koan/utils.py
> > @@ -156,6 +156,13 @@ def subprocess_call(cmd,ignore_rc=False):
> >          raise InfoException, "command failed (%s)" % rc
> >      return rc
> >  
> > +def is_selinux_enabled():
> > +    args = "/usr/sbin/selinuxenabled"
> > +    selinuxenabled = sub_process.call(args)
> > +    if selinuxenabled == 0:
> > +        return True
> > +    else:
> > +        return False
> >  
> >  def input_string_or_hash(options,delim=None):
> >      """
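
Review bot: is_selinux_enabled() in koan/utils.py runs /usr/sbin/selinuxenabled without first checking that the binary exists, which is the concern raised earlier in this thread about koan running on distributions that do not ship it. Guard the call with an os.path.exists("/usr/sbin/selinuxenabled") test and return False when the file is missing, so that a host without SELinux tooling is treated as "not enabled" instead of failing on the call. The if/else can then collapse to "return selinuxenabled == 0", and the function should carry a docstring stating that exit status 0 from selinuxenabled means SELinux is enabled.
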
> >
> > _______________________________________________
> > cobbler mailing list
> > [email protected]
> > https://fedorahosted.org/mailman/listinfo/cobbler
> >   
> 

-- 
-Anton
