Daniel J Walsh wrote:
> On 09/11/2009 04:47 PM, Jay Greguske wrote:
>
>> Hello,
>>
>> While using livecd-creator and poking around the code, I found a check
>> that I don't understand the reason for. livecd-creator will bail out if
>> the host has SELinux disabled and the kickstart file requests it be
>> enabled. Why is that? I would think that if SELinux was disabled but you
>> still had the policy available, that would be all you need to build a
>> properly labeled image.
>>
>> Out of curiosity I made changes to the code just to see what would
>> happen. I attached them to this mail for reference, NOT as proposed
>> changes to be applied to the livecd-tools code. On an F10 system with
>> SELinux disabled I was able to build a working livecd image that I could
>> boot and play around in. SELinux was being enforced in the image too. I
>> was able to do this with a RHEL 5 kernel as well, just to see if maybe
>> something had changed with an earlier version of SELinux.
>>
>> Perhaps the failure condition is no longer necessary?
>>
>> Thanks in advance,
>> - Jay
>>
> Yes I think that is no longer necessary. And it should definitely be
> supported.
>
>

Attached is a cleaner patch that removes the check and some other unnecessary code (thanks Dan). With this, users should be able to build livecd images that have SELinux enabled on an SELinux-disabled host. I've tested this on an F10 system with an F10 and a RHEL 5 kernel. With both kernels I was able to build images with SELinux enabled and disabled on the host (but always enabled in the kickstart file).

Let me know what you guys think!

Thanks,
- Jay
diff --git a/imgcreate/creator.py b/imgcreate/creator.py index 909f616..0db74fd 100644 --- a/imgcreate/creator.py +++ b/imgcreate/creator.py @@ -399,10 +399,6 @@ class ImageCreator(object): if not kickstart.get_repos(self.ks): raise CreatorError("No repositories specified") - if (kickstart.selinux_enabled(self.ks) and - not os.path.exists("/selinux/enforce")): - raise CreatorError("SELinux requested but not enabled on host") - def __write_fstab(self): fstab = open(self._instroot + "/etc/fstab", "w") fstab.write(self._get_fstab()) @@ -467,10 +463,6 @@ class ImageCreator(object): # label the fs like it is a root before the bind mounting arglist = ["/sbin/setfiles", "-F", "-r", self._instroot, selinux.selinux_file_context_path(), self._instroot] subprocess.call(arglist, close_fds = True) - # these dumb things don't get magically fixed, so make the user generic - for f in ("/proc", "/sys", "/selinux"): - arglist = ["/usr/bin/chcon", "-u", "system_u", self._instroot + f] - subprocess.call(arglist, close_fds = True) def __destroy_selinuxfs(self): # if the system was running selinux clean up our lies @@ -726,7 +718,6 @@ class ImageCreator(object): kickstart.KeyboardConfig(self._instroot).apply(ksh.keyboard) kickstart.TimezoneConfig(self._instroot).apply(ksh.timezone) kickstart.AuthConfig(self._instroot).apply(ksh.authconfig) - kickstart.SelinuxConfig(self._instroot).apply(ksh.selinux) kickstart.FirewallConfig(self._instroot).apply(ksh.firewall) kickstart.RootPasswordConfig(self._instroot).apply(ksh.rootpw) kickstart.ServicesConfig(self._instroot).apply(ksh.services) @@ -738,6 +729,9 @@ class ImageCreator(object): self.__run_post_scripts() + # selinux should always come last + kickstart.SelinuxConfig(self._instroot).apply(ksh.selinux) + def launch_shell(self): """Launch a shell in the install root. diff --git a/imgcreate/kickstart.py b/imgcreate/kickstart.py index 98db856..9d589bb 100644 --- a/imgcreate/kickstart.py +++ b/imgcreate/kickstart.py 
@@ -22,6 +22,7 @@ import shutil import subprocess import time import logging +import selinux import urlgrabber try: @@ -414,10 +415,10 @@ class SelinuxConfig(KickstartConfig): if ksselinux.selinux == ksconstants.SELINUX_DISABLED: return - if not os.path.exists(self.path("/sbin/restorecon")): + if not os.path.exists(self.path("/sbin/setfiles")): return - self.call(["/sbin/restorecon", "-l", "-r", "-F", "-e", "/proc", "-e", "/sys", "-e", "/dev", "-e", "/selinux", "/"]) + self.call(["/sbin/setfiles", selinux.selinux_file_context_path(), "/"]) def apply(self, ksselinux): if os.path.exists(self.path("/usr/sbin/lokkit")):
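Review bot: In imgcreate/creator.py, the hunk at @@ -399,10 +399,6 @@ deletes the only early failure for an SELinux-enabled kickstart and puts nothing in its place. The labeling step further down still runs /sbin/setfiles from the host with selinux.selinux_file_context_path(), so a host that has SELinux disabled and no policy installed now gets all the way to labeling before anything can go wrong. Consider replacing the /selinux/enforce test with a check for what the build actually needs when kickstart.selinux_enabled(self.ks) is true, namely that /sbin/setfiles and the file returned by selinux.selinux_file_context_path() exist, and raise CreatorError otherwise.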
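Review bot: In the hunk at @@ -467,10 +463,6 @@ of imgcreate/creator.py, the surviving subprocess.call(arglist, close_fds = True) for /sbin/setfiles discards the exit status. With the host check removed, this call is what decides whether the image ends up labeled, so a non-zero return should be checked and turned into a CreatorError rather than ignored. The removed comment also said that /proc, /sys and /selinux "don't get magically fixed"; the patch description calls this unnecessary code without saying why, and a sentence on why the chcon -u system_u pass is no longer needed would help.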
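Review bot: The new comment "# selinux should always come last" in the hunk at @@ -738,6 +729,9 @@ of imgcreate/creator.py (paired with the removal at @@ -726,7 +718,6 @@) states the rule but not the reason. If the intent is that files created or changed by the post scripts are included in the relabel, say so in the comment. Moving the call also means everything run by self.__run_post_scripts() now executes before SelinuxConfig.apply(), which per the kickstart.py context may invoke lokkit, so a post script that reads the image's SELinux configuration would see the state from before that step. Worth confirming this ordering is acceptable.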
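Review bot: In imgcreate/kickstart.py, hunk @@ -414,10 +415,10 @@, the new self.call passes selinux.selinux_file_context_path(), which is resolved from the host's SELinux configuration, while the guard just above tests self.path("/sbin/setfiles"), that is, the binary inside the install root. If self.call runs the command inside the install root, that path only exists there when host and image use the same policy type, and on a host with no policy installed it may not point at a usable file. Deriving the path from the image's own configuration would be safer. The replacement also drops -F and the -e excludes for /proc, /sys, /dev and /selinux that the restorecon call had; if that is intentional, note why.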
-- Fedora-livecd-list mailing list Fedora-livecd-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-livecd-list