Daniel J Walsh wrote:
> On 09/11/2009 04:47 PM, Jay Greguske wrote:
>   
>> Hello,
>>
>> While using livecd-creator and poking around the code, I found a check
>> that I don't understand the reason for. livecd-creator will bail out if
>> the host has SELinux disabled and the kickstart file requests it be
>> enabled. Why is that? I would think that if SELinux was disabled but you
>> still had the policy available, that would be all you need to build a
>> properly labeled image.
>>
>> Out of curiosity I made changes to the code just to see what would
>> happen. I attached them to this mail for reference, NOT as proposed
>> changes to be applied to the livecd-tools code. On an F10 system with
>> SELinux disabled I was able to build a working livecd image that I could
>> boot and play around in. SELinux was being enforced in the image too. I
>> was able to do this with a RHEL 5 kernel as well, just to see if maybe
>> something had changed with an earlier version of SELinux.
>>
>> Perhaps the failure condition is no longer necessary?
>>
>> Thanks in advance,
>> - Jay
>>     
> Yes I think that is no longer necessary.  And it should definitely be 
> supported.
>
>   
Attached is a cleaner patch that removes the check and some other
unnecessary code (thanks Dan). With this, users should be able to build
livecd images that have SELinux enabled on an SELinux-disabled host.
I've tested this on an F10 system with an F10 and a RHEL 5 kernel. With
both kernels I was able to build images with SELinux enabled and disabled
on the host (but always enabled in the kickstart file).

Let me know what you guys think!

Thanks,
- Jay
diff --git a/imgcreate/creator.py b/imgcreate/creator.py
index 909f616..0db74fd 100644
--- a/imgcreate/creator.py
+++ b/imgcreate/creator.py
@@ -399,10 +399,6 @@ class ImageCreator(object):
         if not kickstart.get_repos(self.ks):
             raise CreatorError("No repositories specified")
 
-        if (kickstart.selinux_enabled(self.ks) and
-            not os.path.exists("/selinux/enforce")):
-            raise CreatorError("SELinux requested but not enabled on host")
-
     def __write_fstab(self):
         fstab = open(self._instroot + "/etc/fstab", "w")
         fstab.write(self._get_fstab())
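Review bot: Removing the "/selinux/enforce" test after the "No repositories specified" check leaves no up-front validation of what the build still needs from the host. The labeling step later in creator.py runs /sbin/setfiles against selinux.selinux_file_context_path(), so a host with SELinux disabled and no policy installed would now fail at that point, without a clear CreatorError. Consider replacing the removed test with one that, when kickstart.selinux_enabled(self.ks) is true, checks that the file contexts path and /sbin/setfiles exist on the host and raises CreatorError otherwise.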
@@ -467,10 +463,6 @@ class ImageCreator(object):
             # label the fs like it is a root before the bind mounting
             arglist = ["/sbin/setfiles", "-F", "-r", self._instroot, selinux.selinux_file_context_path(), self._instroot]
             subprocess.call(arglist, close_fds = True)
-            # these dumb things don't get magically fixed, so make the user generic
-            for f in ("/proc", "/sys", "/selinux"):
-                arglist = ["/usr/bin/chcon", "-u", "system_u", self._instroot + f]
-                subprocess.call(arglist, close_fds = True)
 
     def __destroy_selinuxfs(self):
         # if the system was running selinux clean up our lies
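Review bot: The chcon loop over /proc, /sys and /selinux is dropped, but nothing in the patch or the message says why that is safe. The deleted comment stated that these directories are not fixed by the setfiles run above. Please state in the commit message what now gives them a usable label. Separately, the context line subprocess.call(arglist, close_fds = True) discards the setfiles exit status, so a labeling failure on an SELinux-disabled host would go unnoticed. Checking the return code and raising CreatorError would make the newly supported case debuggable.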
@@ -726,7 +718,6 @@ class ImageCreator(object):
         kickstart.KeyboardConfig(self._instroot).apply(ksh.keyboard)
         kickstart.TimezoneConfig(self._instroot).apply(ksh.timezone)
         kickstart.AuthConfig(self._instroot).apply(ksh.authconfig)
-        kickstart.SelinuxConfig(self._instroot).apply(ksh.selinux)
         kickstart.FirewallConfig(self._instroot).apply(ksh.firewall)
         kickstart.RootPasswordConfig(self._instroot).apply(ksh.rootpw)
         kickstart.ServicesConfig(self._instroot).apply(ksh.services)
@@ -738,6 +729,9 @@ class ImageCreator(object):
 
         self.__run_post_scripts()
 
+        # selinux should always come last
+        kickstart.SelinuxConfig(self._instroot).apply(ksh.selinux)
+
     def launch_shell(self):
         """Launch a shell in the install root.
 
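Review bot: The new comment "# selinux should always come last" gives the rule but not the reason. If the intent is that files created by self.__run_post_scripts() get labeled, say so in the comment. Also note that SelinuxConfig.apply() is not only a relabel: the kickstart.py context shows it also looks for /usr/sbin/lokkit, so post scripts now run before the image's SELinux configuration is applied. Please confirm that no post script depends on the old order and that a context a post script sets on purpose is not reset by this final pass.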
diff --git a/imgcreate/kickstart.py b/imgcreate/kickstart.py
index 98db856..9d589bb 100644
--- a/imgcreate/kickstart.py
+++ b/imgcreate/kickstart.py
@@ -22,6 +22,7 @@ import shutil
 import subprocess
 import time
 import logging
+import selinux
 import urlgrabber
 
 try:
@@ -414,10 +415,10 @@ class SelinuxConfig(KickstartConfig):
 
         if ksselinux.selinux == ksconstants.SELINUX_DISABLED:
             return
-        if not os.path.exists(self.path("/sbin/restorecon")):
+        if not os.path.exists(self.path("/sbin/setfiles")):
             return
 
-        self.call(["/sbin/restorecon", "-l", "-r", "-F", "-e", "/proc", "-e", "/sys", "-e", "/dev", "-e", "/selinux", "/"])
+        self.call(["/sbin/setfiles", selinux.selinux_file_context_path(), "/"])
 
     def apply(self, ksselinux):
         if os.path.exists(self.path("/usr/sbin/lokkit")):
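Review bot: The replacement setfiles call drops every "-e" exclusion the restorecon call had (/proc, /sys, /dev, /selinux) and the "-F" flag, while the setfiles call in creator.py still passes "-F". If those pseudo-filesystems are mounted under the install root when this runs, setfiles will walk them, so please either keep the exclusions or explain why they are no longer needed. Also, selinux.selinux_file_context_path() is evaluated on the host, but the existence check uses self.path("/sbin/setfiles"), which suggests the command runs inside the install root. If so, the host's policy path may not exist in the image (different policy type, or no policy on an SELinux-disabled host), and that case should be checked before the call.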
--
Fedora-livecd-list mailing list
Fedora-livecd-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-livecd-list
