The attached patch seems to fix "selinux --disabled" and other parts related to selinux. I have only tested it with chroot-creator with the "selinux --disabled" case in kickstart. Existing users might want to verify that it doesn't change their behavior because this makes changes to the base classes.

Warren Togami
[EMAIL PROTECTED]
diff --git a/imgcreate/creator.py b/imgcreate/creator.py
index f686ce7..bb8904a 100644
--- a/imgcreate/creator.py
+++ b/imgcreate/creator.py
@@ -435,10 +435,14 @@ class ImageCreator(object):
 
         # bind mount system directories into _instroot
         for (f, dest) in [("/sys", None), ("/proc", None), ("/dev", None),
-                          ("/dev/pts", None), ("/selinux", None),
+                          ("/dev/pts", None),
                           (cachesrc, "/var/cache/yum")]:
             self.__bindmounts.append(BindChrootMount(f, self._instroot, dest))
 
+        # /selinux should only be mounted if selinux is enabled (enforcing or permissive)
+        if kickstart.selinux_enabled(self.ks):
+            self.__bindmounts.append(BindChrootMount("/selinux", self._instroot, None))
+
         self._do_bindmounts()
 
         os.symlink("../proc/mounts", self._instroot + "/etc/mtab")
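Review bot: The comment added above the `/selinux` bind mount says the mount applies when SELinux is enforcing or permissive, but `selinux_enabled()` as rewritten in the last kickstart.py hunk returns true only for `SELINUX_ENFORCING`, so a permissive kickstart is treated as disabled here. The same helper gates the `__file_context_path` macro in the next creator.py hunk, so a permissive build would presumably install packages without file-context labelling while `SelinuxConfig` still runs restorecon and passes `--selinux=permissive` to lokkit. If the comment states the intent, the helper should read `return ks.handler.selinux.selinux != ksconstants.SELINUX_DISABLED`, or, if an unset value must count as disabled, `return ks.handler.selinux.selinux in (ksconstants.SELINUX_ENFORCING, ksconstants.SELINUX_PERMISSIVE)`. The enclosing method starts and ends outside this hunk.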
@@ -551,6 +555,8 @@ class ImageCreator(object):
 
         if kickstart.exclude_docs(self.ks):
             rpm.addMacro("_excludedocs", "1")
+        if not kickstart.selinux_enabled(self.ks):
+            rpm.addMacro("__file_context_path", "%{nil}")
 
         try:
             self.__select_packages(ayum)
diff --git a/imgcreate/kickstart.py b/imgcreate/kickstart.py
index a7e0723..30156d8 100644
--- a/imgcreate/kickstart.py
+++ b/imgcreate/kickstart.py
@@ -370,7 +370,7 @@ class SelinuxConfig(KickstartConfig):
             f = file(path, "w+")
             os.chmod(path, 0644)
 
-        if not ksselinux.selinux:
+        if ksselinux.selinux == ksconstants.SELINUX_DISABLED:
             return
         if not os.path.exists(self.path("/sbin/restorecon")):
             return
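Review bot: Replacing the truthiness test with `== ksconstants.SELINUX_DISABLED` changes what happens for any value that is not one of the three constants: the old check returned early for a falsy value such as `None`, while the new one falls through to the restorecon path. Whether the handler can leave `selinux` unset when the kickstart has no selinux line is not visible here, so it is worth confirming. The same value would match none of the three independent `if`s in the following lokkit hunk, and lokkit would then be called with no `--selinux=` option at all. Returning early here on `ksselinux.selinux not in (ksconstants.SELINUX_ENFORCING, ksconstants.SELINUX_PERMISSIVE)` and turning the lokkit tests into an `if`/`elif`/`elif` chain with an explicit `else` would make the unset case a deliberate decision. The enclosing method starts outside the hunk.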
@@ -381,9 +381,11 @@ class SelinuxConfig(KickstartConfig):
         if os.path.exists(self.path("/usr/sbin/lokkit")):
             args = ["/usr/sbin/lokkit", "-f", "--quiet", "--nostart"]
 
-            if ksselinux.selinux:
+            if ksselinux.selinux == ksconstants.SELINUX_ENFORCING:
                 args.append("--selinux=enforcing")
-            else:
+            if ksselinux.selinux == ksconstants.SELINUX_PERMISSIVE:
+                args.append("--selinux=permissive")
+            if ksselinux.selinux == ksconstants.SELINUX_DISABLED:
                 args.append("--selinux=disabled")
 
             self.call(args)
@@ -483,4 +485,4 @@ def get_post_scripts(ks):
     return scripts
 
 def selinux_enabled(ks):
-    return ks.handler.selinux.selinux
+    return ks.handler.selinux.selinux == ksconstants.SELINUX_ENFORCING
--
Fedora-livecd-list mailing list
Fedora-livecd-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-livecd-list
