Anton Arapov wrote:
> On Sat, Dec 13, 2008 at 11:24:08AM -0500, Michael DeHaan wrote:
>
>> ... the following patch is working. SELinux will complain
>>
>>> , but this does not prevent us from successful 'semanage' execution.
>>> So you can apply it, at least we will have working/booting LV
>>> images after system reboot, despite annoying selinux messages.
>>>
>> Thanks a lot...... I've asked this before, but if you are going to send
>> in a patch either send it as an attachment or send it from
>> git-format-patch/git-send-email.
>> Saves a lot of time and is also easier on you...
>>
> Okay, will be doing it this way ...
>
> latest news, ...
> The .call(semanage) is safe itself, but it hits a problem that is very
> difficult to triage. There is a leak of a file descriptor to the child.
> Will try to find out this ...
>
> And I think you can drop the patch with semanage inside, unless we
> need it asap, and I guess - we don't. :) Anyway, I don't like it in
> the form it's here.
>
> -- Anton
Sure. I'm not sure I understand why we need to be calling semanage anyway; are you saying that the LVM contexts applied with chcon are not preserved across a reboot in LVM?

Referring to your comment:

+ # make the context for LVM partition permanent by updating the policy
+ args = "/usr/sbin/semanage fcontext -a -t %s %s" % (context, partition_location)
+ print "%s" % args
+ permanent_context = sub_process.call(args, shell=True)

So we're ok with just the chcon then?

I've already committed changes to git for moving the logfile to /var/log/koan, as it should have been originally. Users will note that this is only used currently for libvirt trivia, that /is/ useful in debugging virt issues, but we don't yet log our activities with respect to "--replace-self", primarily because if we replace successfully the logfile will be blown away. However it does make sense that, seeing we use this for other things now (--update-files), in the future we'll want to be increasing the amount of logging in koan in general. I'll open an RFE on this one.

--Michael

> > >>> == >>> >>> koan/app.py | 24 +++++++++++++++++------- >>> 1 files changed, 17 insertions(+), 7 deletions(-) >>> >>> diff --git a/koan/app.py b/koan/app.py >>> index 5031bed..1eae1dd 100755 >>> --- a/koan/app.py >>> +++ b/koan/app.py
>>> @@ -1420,13 +1420,23 @@ class Koan: >>> args = "/usr/sbin/selinuxenabled" >>> selinuxenabled = sub_process.call(args) >>> if selinuxenabled == 0: >>> - # permissive or enforcing or something else, and >>> - # set appropriate security context for LVM partition >>> - args = "/usr/bin/chcon -t virt_image_t %s" % >>> partition_location >>> - print "%s" % args >>> - change_context = sub_process.call(args, shell=True) >>> - if change_context != 0: >>> - raise InfoException, "SELinux security context >>> setting to LVM partition failed" >>> + # permissive or enforcing or something else >>> + context = "virt_image_t" >>> + >>> + # check the current context >>> + args = "/bin/ls -Z %s" % partition_location >>> + context_str = sub_process.Popen(args, >>> stdout=sub_process.PIPE, shell=True).communicate()[0] >>> + if context_str.find(context) == -1: >>> + # set appropriate security context for LVM >>> partition >>> + args = "/usr/bin/chcon -t virt_image_t %s" % >>> partition_location >>> + print "%s" % args >>> + change_context = sub_process.call(args, shell=True) >>> + # make the context for LVM partition permanent by >>> updating the policy >>> + args = "/usr/sbin/semanage fcontext -a -t %s %s" % >>> (context, partition_location) >>> + print "%s" % args >>> + permanent_context = sub_process.call(args, >>> shell=True) >>> + if change_context != 0 or permanent_context != 0: >>> + raise InfoException, "SELinux security context >>> setting to LVM partition failed" >>> >>> # return partition location >>> return partition_location >>> > > _______________________________________________ cobbler mailing list [email protected] https://fedorahosted.org/mailman/listinfo/cobbler
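Review bot: the `context_str.find(context) == -1` test in the new branch is a substring match on the whole `ls -Z` line, so any label whose type merely contains "virt_image_t" (a longer type name, or the text appearing elsewhere on that line) makes the code skip both chcon and semanage; split the label on ':' and compare the type field exactly, or keep running chcon unconditionally as the removed lines did. Second, all three new subprocess calls pass a string built with `"%s" % partition_location` under `shell=True`, so a path containing whitespace or shell metacharacters is re-parsed by the shell; pass argv lists (`["/usr/bin/chcon", "-t", context, partition_location]`) the way the `selinuxenabled` call just above already does, and give Popen an argv list as well when reading stdout. Minor: the chcon line still hardcodes `virt_image_t` instead of using the new `context` variable, so the two commands can silently diverge if the constant is changed.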
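The "check the label, then chcon plus semanage fcontext" step discussed in this thread, written out as an added example (Python 3, not koan's own code): it reads the label from the security.selinux extended attribute instead of parsing `ls -Z`, compares the type field exactly rather than by substring, and passes argv lists so no shell ever parses the partition path. The function names, the injectable `run` and `getxattr` parameters and the sample paths are assumptions made for this illustration; the chcon/semanage invocations themselves are the ones from the patch.

```python
# Added example, not koan's own code: the "check the label, then chcon +
# semanage fcontext" step written without shell=True and without parsing
# `ls -Z` output. Function names, the injectable run/getxattr parameters
# and the sample paths below are assumptions made for this illustration.
import os
import shlex
import subprocess


def selinux_type_from_label(label):
    """Return the type field of a label such as 'system_u:object_r:virt_image_t:s0'.

    Comparing the field exactly avoids the substring problem of
    'virt_image_t' in label, which also matches longer type names.
    """
    parts = label.strip().split(":")
    if len(parts) < 3 or not parts[2]:
        return None
    return parts[2]


def current_selinux_type(path, getxattr=None):
    """Read the security.selinux xattr of path; None if unlabeled or unsupported."""
    getxattr = getxattr or getattr(os, "getxattr", None)
    if getxattr is None:          # platform without xattr support
        return None
    try:
        raw = getxattr(path, "security.selinux")
    except OSError:               # no label, no SELinux, or no such file
        return None
    return selinux_type_from_label(raw.rstrip(b"\0").decode("utf-8", "replace"))


def build_label_commands(path, context="virt_image_t"):
    """argv lists for the temporary (chcon) and persistent (semanage) steps.

    Each list element is one argument, so a path with spaces or shell
    metacharacters reaches the tool intact and is never shell-parsed.
    """
    return [
        ["/usr/bin/chcon", "-t", context, path],
        ["/usr/sbin/semanage", "fcontext", "-a", "-t", context, path],
    ]


def ensure_label(path, context="virt_image_t", run=subprocess.call,
                 get_type=current_selinux_type):
    """Relabel path if its SELinux type is not already `context`.

    Returns the list of argv commands that were run ([] when nothing was
    needed) and raises RuntimeError naming the first command that failed.
    """
    if get_type(path) == context:
        return []
    ran = []
    for argv in build_label_commands(path, context):
        rc = run(argv)            # no shell=True: argv is handed over as-is
        ran.append(argv)
        if rc != 0:
            printable = " ".join(shlex.quote(a) for a in argv)
            raise RuntimeError("%s failed with exit status %d" % (printable, rc))
    return ran


if __name__ == "__main__":
    # Constructed sample path: only show the commands, do not run them,
    # since this host may have no SELinux policy loaded.
    for argv in build_label_commands("/dev/vg0/lv with space"):
        print(" ".join(shlex.quote(a) for a in argv))
```

Unlike the hunk, this stops at the first failing command instead of running both and checking afterwards, so the error names the step that actually failed; `run` and `get_type` are parameters only so the logic can be exercised without root or an SELinux host.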
