tag 682068 + patch
thanks

On Wed, 30 Apr 2014 15:46:45 +0200,
Holger Levsen <hol...@layer-acht.org> wrote:

> Hi,
> 
> On Wednesday, 30 April 2014, Laurent Bigonville wrote:
> > I'll try to cook something. But if you really want to remove the
> > support, wouldn't it be better to unconditionally switch to the new
> > path instead?
> 
> as said a year ago, just changing paths won't work, as detecting
> selinux needs to be updated too:
> 
> On Saturday, 18 May 2013, Holger Levsen wrote:
> > tags 682068 + moreinfo
> > thanks
> > 
> > Hi Laurent,
> > 
> > piuparts is only trying to mount selinux mountpoints if
> > /usr/sbin/selinuxenabled ran successfully.
> > 
> > I have two problems now:
> > - /usr/sbin/selinuxenabled doesn't even exist on my wheezy system
> > - isn't there some selinux tool to tell me the expected mountpoint?
> > I don't want to mess around with versions in piuparts.py source
> > code (be it "wheezy", "squeeze", 2.0.96-1 or 2.1.9-5) to decide
> > whether to mount /selinux or /sys/fs/selinux ?!!
> > 
> > See below for actual related code. That's it, plus calls to them.
> > 
> > def selinux_enabled(enabled_test="/usr/sbin/selinuxenabled"):
> >     if os.access(enabled_test, os.X_OK):
> >         retval, output = run([enabled_test], ignore_errors=True)
> >         if retval == 0:
> >             return True
> >         else:
> >             return False
> > 
> >     def mount_selinux(self):
> >         if selinux_enabled():
> >             run(["mkdir", "-p", self.relative("/selinux")])
> >             run(["mount", "-t", "selinuxfs", "/selinux", self.relative("/selinux")])
> >             logging.info("SElinux mounted into chroot")
> > 
> >     def unmount_selinux(self):
> >         if selinux_enabled():
> >             run(["umount", self.relative("/selinux")])
> >             logging.info("SElinux unmounted from chroot")
> 
> I think I really either want a tested patch from someone using
> selinux or remove this code.

I've attached a patch that implements the change. If /selinux is
present, the selinuxfs will be mounted there. This directory was
shipped by the libselinux package until wheezy (even though in wheezy it
was already mounted at the new location).

The patch also changes the way the selinuxfs is mounted. The
selinuxfs is now bind mounted and then set to read-only. This is needed
to make userspace think that selinux is disabled; otherwise dpkg
will simply fail if the selinux policy is not installed in the chroot
(see: #734193).

I've also added a soft dependency on python-selinux to use the
python API to detect whether selinux is enabled instead of using the
selinuxenabled executable. If you don't agree with this, I can revert
this change.

Cheers,

Laurent Bigonville
diff -Nru piuparts-0.58/debian/control piuparts-0.58selinux1/debian/control
--- piuparts-0.58/debian/control	2014-05-01 00:25:32.000000000 +0200
+++ piuparts-0.58selinux1/debian/control	2014-05-01 13:50:56.000000000 +0200
@@ -38,7 +38,8 @@
  ${misc:Depends},
  ${python:Depends}
 Recommends:
- adequate
+ adequate,
+ python-selinux
 Suggests:
  schroot
 Description: .deb package installation, upgrading, and removal testing tool
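Review bot: a Recommends is skipped by installs run with --no-install-recommends, and the piuparts.py hunk falls back silently to "SELinux disabled" when the module is missing, so on an SELinux host without python-selinux the chroot gets no selinuxfs at all and the dpkg failure from #734193 returns without any hint why. Recommends is the right strength (the module is only needed on SELinux hosts), but say so in the changelog or README so testers on such hosts know to install python-selinux.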
diff -Nru piuparts-0.58/piuparts.py piuparts-0.58selinux1/piuparts.py
--- piuparts-0.58/piuparts.py	2014-05-01 00:25:32.000000000 +0200
+++ piuparts-0.58selinux1/piuparts.py	2014-05-01 16:04:56.000000000 +0200
@@ -57,6 +57,12 @@
 except ImportError:
     from debian_bundle import deb822
 
+try:
+    import selinux
+    selinux_enabled = selinux.is_selinux_enabled()
+except ImportError:
+    selinux_enabled = False
+
 import piupartslib.conf
 
 DISTRO_CONFIG_FILE = "/etc/piuparts/distros.conf"
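Review bot: `selinux.is_selinux_enabled()` returns an int, and libselinux documents -1 on error for some versions, so a plain truthiness test on `selinux_enabled` would treat an error as "enabled"; compare `== 1` explicitly, e.g. `selinux_enabled = selinux.is_selinux_enabled() == 1`. The `except ImportError` branch is silent; a `logging.debug("python-selinux not available, assuming SELinux is disabled")` there would make the control-file Recommends traceable at runtime. Note also that `selinux_enabled` changes from a function to a module-level bool evaluated once at import time, so any call that still reads `selinux_enabled()` raises TypeError; the two call sites below are updated, but a grep for other callers is worth doing before merging.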
@@ -1411,16 +1417,26 @@
 
 
     def mount_selinux(self):
-        if selinux_enabled():
-            run(["mkdir", "-p", self.relative("/selinux")])
-            run(["mount", "-t", "selinuxfs", "/selinux", self.relative("/selinux")])
+        if selinux_enabled:
+            run(["mkdir", "-p", self.selinuxfs_relative_path()])
+            run(["mount", "--bind", "/sys/fs/selinux", self.selinuxfs_relative_path()])
+            run(["mount", "-o", "remount,ro,bind", self.selinuxfs_relative_path()])
             logging.info("SElinux mounted into chroot")
 
     def unmount_selinux(self):
-        if selinux_enabled():
-            run(["umount", self.relative("/selinux")])
+        if selinux_enabled:
+            run(["umount", self.selinuxfs_relative_path()])
             logging.info("SElinux unmounted from chroot")
 
+    # If /selinux is present, assume that this is the only supported
+    # location by libselinux. Otherwise use the new location.
+    # /selinux was shipped by the libselinux package until wheezy.
+    def selinuxfs_relative_path(self):
+        if os.path.isdir(self.relative('/selinux')):
+            return self.relative('/selinux')
+        else:
+            return self.relative('/sys/fs/selinux')
+
     def mount_proc(self):
         """Mount /proc inside chroot."""
         self.run(["mount", "-t", "proc", "proc", "/proc"])
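Review bot: `unmount_selinux` recomputes `selinuxfs_relative_path()` at unmount time, so if the chroot's /selinux directory disappears between mount and unmount (the comment says libselinux shipped it until wheezy, so a removal or an upgrade test across that boundary can drop it) the umount targets /sys/fs/selinux while the bind mount still sits on /selinux, and the mount leaks out of the chroot. Remember the path chosen in `mount_selinux` (e.g. `self.selinuxfs_path = self.selinuxfs_relative_path()`) and umount that; this also avoids calling the helper three times in a row during mount. The bind source `/sys/fs/selinux` is hard-coded for the host while the target adapts to the chroot, which is fine but deserves a line in the commit message (host must have the new layout). Minor style: the comment above `selinuxfs_relative_path` fits better as a docstring, like `mount_proc` just below it.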
@@ -1850,14 +1866,6 @@
     def mount_proc(self): pass
     def unmount_proc(self): pass
 
-def selinux_enabled(enabled_test="/usr/sbin/selinuxenabled"):
-    if os.access(enabled_test, os.X_OK):
-        retval, output = run([enabled_test], ignore_errors=True)
-        if retval == 0:
-            return True
-        else:
-            return False
-
 def objects_are_different(pair1, pair2):
     """Are filesystem objects different based on their meta data?"""
     (m1, target1) = pair1
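As an added check (not part of this patch or of piuparts) that a tester can run after `mount_selinux`: it parses /proc/self/mountinfo and reports whether the chroot's selinuxfs is present and read-only at the per-mount level, which is where the `remount,ro,bind` step acts. The chroot paths and the mountinfo lines are constructed samples.

```python
"""Verify that a chroot's selinuxfs is a read-only bind mount (added check)."""

# Constructed sample of /proc/self/mountinfo: the host selinuxfs, one chroot
# whose selinuxfs was remounted ro, and one where the remount step was skipped.
SAMPLE_MOUNTINFO = """\
36 35 0:31 / /sys/fs/selinux rw,relatime shared:12 - selinuxfs selinuxfs rw
120 98 0:31 / /srv/chroot/sid/sys/fs/selinux ro,relatime - selinuxfs selinuxfs rw
121 98 0:31 / /srv/chroot/wheezy/selinux rw,relatime - selinuxfs selinuxfs rw
"""


def parse_mountinfo(text):
    """Parse mountinfo lines into dicts.  Layout:
    id parent maj:min root mountpoint mnt_opts [optional...] - fstype source sb_opts
    The " - " separator ends the optional fields, so split there first."""
    entries = []
    for line in text.splitlines():
        left, sep, right = line.partition(" - ")
        lf, rf = left.split(), right.split()
        if not sep or len(lf) < 6 or len(rf) < 3:
            continue  # blank or malformed line
        entries.append({
            "mount_point": lf[4].replace("\\040", " "),  # kernel escapes spaces
            "mnt_opts": set(lf[5].split(",")),          # per-mount (vfsmount) flags
            "fstype": rf[0],
            "sb_opts": set(rf[2].split(",")),           # superblock flags, shared by bind mounts
        })
    return entries


def selinuxfs_state(chroot, mountinfo_text):
    """Return (mounted, readonly) for selinuxfs under chroot.
    Both /selinux and /sys/fs/selinux are accepted, mirroring the patch's
    selinuxfs_relative_path(). readonly comes from mnt_opts, where "remount,ro,bind"
    acts; sb_opts stays rw because the superblock is the host's own selinuxfs."""
    chroot = chroot.rstrip("/")
    candidates = {chroot + "/selinux", chroot + "/sys/fs/selinux"}
    for entry in parse_mountinfo(mountinfo_text):
        if entry["fstype"] == "selinuxfs" and entry["mount_point"] in candidates:
            return True, "ro" in entry["mnt_opts"]
    return False, False


if __name__ == "__main__":
    import sys
    with open("/proc/self/mountinfo") as f:
        print(selinuxfs_state(sys.argv[1] if len(sys.argv) > 1 else "/", f.read()))
```

Run it with the chroot directory as its argument on the host; /proc/mounts alone would not show the distinction, since it merges per-mount and superblock flags.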
