On Sat, Dec 13, 2008 at 12:09:40PM -0500, Michael DeHaan wrote:
> Anton Arapov wrote:
> > On Sat, Dec 13, 2008 at 11:24:08AM -0500, Michael DeHaan wrote:
> >
> >> ... the following patch is working. SELinux will complain
> >>
> >>> , but this does not prevent us from successful 'semanage' execution.
> >>> So you can apply it, at least we will have working/booting LV
> >>> images after system reboot, despite annoying selinux messages.
> >>>
> >> Thanks a lot...... I've asked this before, but if you are going to send
> >> in a patch either send it as an attachment or send it from
> >> git-format-patch/git-send-email.
> >> Saves a lot of time and is also easier on you...
> >>
> > Okay, will be doing this way ...
> >
> > latest news, ...
> > The .call(semanage) is safe itself, but it hits a problem that is very
> > difficult to triage. There is a leak of a file descriptor to the child.
> > Will try to find out this ...
> >
> > And I think you can drop the patch with semanage inside, unless we
> > need it asap, and I guess - we don't. :) Anyway, I don't like it in
> > the form it's here.
> >
> > -- Anton
> >
>
> Sure. I'm not sure I understand why we need to be calling semanage,
> anyway, are you saying that the LVM contexts applied with chcon are not
> preserved across a reboot in LVM?

yes, in order to preserve the context you need to change the SELinux policy, and semanage is the tool for it.
> Referring to your comment:
>
> > + # make the context for LVM partition permanent by updating the policy
> > args = "/usr/sbin/semanage fcontext -a -t %s %s" % (context, partition_location)
> > + print "%s" % args
> > + permanent_context = sub_process.call(args, shell=True)
>
> So we're ok with just the chcon then?

It's better than nothing atm.

> I've already committed changes to git for moving the logfile to
> /var/log/koan, as it should have been originally. Users will note that
> this is only used currently for libvirt trivia, that /is/ useful in
> debugging virt issues, but we don't yet log our activities with respect
> to "--replace-self", primarily because if we replace successfully the
> logfile will be blown away. However it does make sense that seeing we
> use this for other things now (--update-files), in the future we'll want
> to be increasing the amount of logging in koan in general. I'll open an
> RFE on this one.

looks good. :)

--Anton.

> --Michael
>
> >>> == > >>> > >>> koan/app.py | 24 +++++++++++++++++------- > >>> 1 files changed, 17 insertions(+), 7 deletions(-) > >>> > >>> diff --git a/koan/app.py b/koan/app.py > >>> index 5031bed..1eae1dd 100755 > >>> --- a/koan/app.py > >>> +++ b/koan/app.py
> >>> @@ -1420,13 +1420,23 @@ class Koan: > >>> args = "/usr/sbin/selinuxenabled" > >>> selinuxenabled = sub_process.call(args) > >>> if selinuxenabled == 0: > >>> - # permissive or enforcing or something else, and > >>> - # set appropriate security context for LVM partition > >>> - args = "/usr/bin/chcon -t virt_image_t %s" % > >>> partition_location > >>> - print "%s" % args > >>> - change_context = sub_process.call(args, shell=True) > >>> - if change_context != 0: > >>> - raise InfoException, "SELinux security context > >>> setting to LVM partition failed" > >>> + # permissive or enforcing or something else > >>> + context = "virt_image_t" > >>> + > >>> + # check the current context > >>> + args = "/bin/ls -Z %s" % partition_location > >>> + context_str = sub_process.Popen(args, > >>> stdout=sub_process.PIPE, shell=True).communicate()[0] > >>> + if context_str.find(context) == -1: > >>> + # set appropriate security context for LVM > >>> partition > >>> + args = "/usr/bin/chcon -t virt_image_t %s" % > >>> partition_location > >>> + print "%s" % args > >>> + change_context = sub_process.call(args, > >>> shell=True) > >>> + # make the context for LVM partition permanent > >>> by updating the policy > >>> + args = "/usr/sbin/semanage fcontext -a -t %s %s" > >>> % (context, partition_location) > >>> + print "%s" % args > >>> + permanent_context = sub_process.call(args, > >>> shell=True) > >>> + if change_context != 0 or permanent_context != 0: > >>> + raise InfoException, "SELinux security > >>> context setting to LVM partition failed" > >>> > >>> # return partition location > >>> return partition_location > >>>
>
> _______________________________________________
> cobbler mailing list
> [email protected]
> https://fedorahosted.org/mailman/listinfo/cobbler

-- 
-Anton
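Review bot: all three new sub_process invocations in this hunk (the `ls -Z` Popen, the chcon call and the semanage call) interpolate partition_location into a command string and run it with shell=True, so a path containing whitespace or shell metacharacters is split or interpreted by the shell; pass an argument list and drop shell=True, e.g. `sub_process.call(["/usr/sbin/semanage", "fcontext", "-a", "-t", context, partition_location])`. Smaller points: the chcon line still hardcodes `virt_image_t` although `context` was introduced a few lines earlier, so use `"/usr/bin/chcon -t %s %s" % (context, partition_location)`; `context_str.find(context) == -1` is a substring test over the whole `ls -Z` listing rather than over the type field of the label, so any occurrence of the string (including in the file name) counts as a match; and `semanage fcontext -a` returns non-zero when a rule for that path is already defined, so a re-run that reaches this branch after an earlier chcon failure raises even though the policy entry is already in place.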
