>
> In order to eliminate the problem with logging, we need to set
> appropriate context to ~/.koan/koan.log or log everything to /var/log
> for example, var_log_t:
> # chcon -v -t var_log_t /root/.koan/koan.log
>
Moving everything properly to /var/log was on my list anyway, this is
normal.
I can change this.
>
> And the last one:
> node=bandura.englab.brq.redhat.com type=AVC msg=audit(1229121538.953:228):
> avc: denied { read write } for pid=22082 comm="semanage"
> path="socket:[96400]" dev=sockfs ino=96400
> scontext=unconfined_u:unconfined_r:semanage_t:s0
> tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=tcp_socket
> , have no idea ... this hits just by adding .call(semanage). I tried to
> reproduce
> it in test script, and everything works just fine.
>
> Usually, such things are solved by:
> fcntl(socket, F_SETFD, FD_CLOEXEC),
> but it's python, and I do not see any sockets being used,... even more, I do not see
> why we need 'import socket' in app.py and utils.py, I think they could be
> easily removed. ...
>
>
xmlrpclib uses sockets. No suggestions from setroubleshoot on this one?
As for the import, you are correct, but it's not hurting anything
either. We used to use socket.gethostname() and such.
> [START] // This code works as expected without selinux complaint:
> #!/bin/env python
>
> import sys
> import sub_process
> import exceptions
>
> class InfoException(exceptions.Exception):
>     """
>     Custom exception for tracking of fatal errors.
>     """
>     def __init__(self,value,**args):
>         self.value = value % args
>         self.from_koan = 1
>     def __str__(self):
>         return repr(self.value)
> #=======================================================
>
> if __name__ == '__main__':
>
>     context = "virt_image_t"
>     partition_location = "/dev/mapper/vg-kvm_f10--disk0"
>
>     args = "/usr/sbin/semanage fcontext -a -t %s %s" % (context, partition_location)
>     print "%s" % args
>     permanent_context = sub_process.call(args, shell=True)
>     print permanent_context
>     if permanent_context != 0:
>         raise InfoException, "SELinux security context setting to LVM partition failed"
>
>     sys.exit(0)
> [END]
>
>
>
> ... the following patch is working. SELinux will complain
> , but this does not prevent us from successful 'semanage' execution.
> So you can apply it, at least we will have working/booting LV
> images after system reboot, despite annoying selinux messages.
>
>
Thanks a lot...... I've asked this before, but if you are going to send
in a patch either send it as an attachment or send it from
git-format-patch/git-send-email.
Saves a lot of time and is also easier on you...
> ==
>
> koan/app.py | 24 +++++++++++++++++-------
> 1 files changed, 17 insertions(+), 7 deletions(-)
>
> diff --git a/koan/app.py b/koan/app.py
> index 5031bed..1eae1dd 100755
> --- a/koan/app.py
> +++ b/koan/app.py
> @@ -1420,13 +1420,23 @@ class Koan:
> args = "/usr/sbin/selinuxenabled"
> selinuxenabled = sub_process.call(args)
> if selinuxenabled == 0:
> - # permissive or enforcing or something else, and
> - # set appropriate security context for LVM partition
> - args = "/usr/bin/chcon -t virt_image_t %s" %
> partition_location
> - print "%s" % args
> - change_context = sub_process.call(args, shell=True)
> - if change_context != 0:
> - raise InfoException, "SELinux security context
> setting to LVM partition failed"
> + # permissive or enforcing or something else
> + context = "virt_image_t"
> +
> + # check the current context
> + args = "/bin/ls -Z %s" % partition_location
> + context_str = sub_process.Popen(args,
> stdout=sub_process.PIPE, shell=True).communicate()[0]
> + if context_str.find(context) == -1:
> + # set appropriate security context for LVM partition
> + args = "/usr/bin/chcon -t virt_image_t %s" %
> partition_location
> + print "%s" % args
> + change_context = sub_process.call(args, shell=True)
> + # make the context for LVM partition permanent by
> updating the policy
> + args = "/usr/sbin/semanage fcontext -a -t %s %s" %
> (context, partition_location)
> + print "%s" % args
> + permanent_context = sub_process.call(args,
> shell=True)
> + if change_context != 0 or permanent_context != 0:
> + raise InfoException, "SELinux security context
> setting to LVM partition failed"
>
> # return partition location
> return partition_location
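Review bot: the context_str.find(context) == -1 test gates both the chcon call and the semanage fcontext -a call, so a partition that already carries virt_image_t but has no fcontext rule never gets the persistent rule this patch is meant to add. Run the two steps independently: relabel only when ls -Z shows a different type, and handle the semanage step on its own, treating a rule that is already present as success instead of raising InfoException. Smaller points in the same hunk: the chcon line still hard-codes virt_image_t rather than using the new context variable; the substring match on the ls -Z output also succeeds if the path itself contains the type name; and partition_location is interpolated unquoted into three shell=True command strings, where an argument list without a shell would avoid word splitting and metacharacter handling of the path.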
>
>
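The kind of descriptor inheritance that the FD_CLOEXEC suggestion in this thread addresses, as an added example (not code from koan or from either poster): a child started without closing descriptors receives the parent's TCP socket until FD_CLOEXEC is set on it. The names child_sees_socket, set_cloexec and demo are made up for this sketch, and it targets Python 3 on Linux, where inheritance has to be switched on explicitly to mimic the Python 2 behaviour.

```python
import fcntl
import os
import socket
import subprocess
import sys

# Child program: exit 0 if the descriptor number in argv[1] is an open socket.
CHILD_PROBE = """
import os, stat, sys
try:
    mode = os.fstat(int(sys.argv[1])).st_mode
except OSError:
    sys.exit(1)
sys.exit(0 if stat.S_ISSOCK(mode) else 1)
"""


def child_sees_socket(fd):
    """Spawn a child without closing extra descriptors (as Python 2's
    subprocess did by default) and report whether fd reached it."""
    rc = subprocess.call([sys.executable, "-c", CHILD_PROBE, str(fd)],
                         close_fds=False)
    return rc == 0


def set_cloexec(fd):
    """fcntl(fd, F_SETFD, FD_CLOEXEC), keeping any other descriptor flags."""
    flags = fcntl.fcntl(fd, fcntl.F_GETFD)
    fcntl.fcntl(fd, fcntl.F_SETFD, flags | fcntl.FD_CLOEXEC)


def demo():
    """Return (leaked_before, leaked_after) for one TCP socket."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        # Python 3 opens sockets non-inheritable; switch that off to get the
        # Python 2 behaviour this thread is about (assumption of the example).
        os.set_inheritable(sock.fileno(), True)
        before = child_sees_socket(sock.fileno())
        set_cloexec(sock.fileno())
        after = child_sees_socket(sock.fileno())
        return before, after
    finally:
        sock.close()


if __name__ == "__main__":
    print(demo())  # (True, False)
```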