Re: [Fedora-livecd-list] Re: Unnecessary SELinux Failure Condition?
On Wed, Dec 16, 2009 at 12:03 AM, Alan Pevec ape...@gmail.com wrote: I've just found one issue with the patch: @@ -734,6 +725,9 @@ class ImageCreator(object): self.__run_post_scripts() + # selinux should always come last + kickstart.SelinuxConfig(self._instroot).apply(ksh.selinux) + def launch_shell(self): Launch a shell in the install root. NAK. Nothing *EVER* can come after running %post scripts. It breaks one of the very few things that have to always be held true for kickstart scripts that came about after a few years of flip-flopping things around for various reasons that seemed good at the time. Other issue is that pykickstart selinux command doesn't have --type option to specify the policy and lokkit. assumes targeted if --selinuxtype=type is not specified. SelinuxConfig should not touch SELINUXTYPE already set in /etc/selinux/config by %post script. To avoid lokkit side-effects, I'll amend the patch to use Augeas to modify /etc/selinux/config I'd rather not have a dependency on augeas here. If it's important that people be able to specify the policy type in the kickstart config, then we should push that support in via pykickstart and lokkit, not change to a whole new toolset. - Jeremy -- Fedora-livecd-list mailing list Fedora-livecd-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-livecd-list
Re: [Fedora-livecd-list] Re: Unnecessary SELinux Failure Condition?
On Thu, Oct 22, 2009 at 10:42 PM, Jay Greguske jgreg...@redhat.com wrote: Jay Greguske wrote: Jeremy Katz wrote: On Fri, Sep 25, 2009 at 8:59 AM, Jay Greguske jgreg...@redhat.com wrote: Jeremy Katz wrote: There have been some problems more recently with the booleans stuff if SELinux isn't enabled. Does that all end up working correctly still? I'll look into it. Are there any you have in mind specifically? Dan might remember better than I -- I vaguely remember that a lot of the home directory bits and also some of the xguest stuff requires working booleans - Jeremy I installed xguest to a running livecd (desktop ks file) and played with two booleans related to it: browser_write_xguest_data, and xguest_connect_network. With the former turned off the Guest account could not download files from random internet sites, and with the latter it couldn't connect at all, so I'd say they were functioning as expected. I'm pretty confident SELinux booleans are working correctly with these changes. If you have other tests to suggest I'd be happy to try them out. Thanks, - Jay -- Fedora-livecd-list mailing list Fedora-livecd-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-livecd-list Is there anything more I can do to scoot these changes along? I don't want them to fall off radar... We definitely need this patch - I got few files with unlabeled_t in the image created with F12 livecd-tools (ovirt-node-image.ks) I guess setfiles replacing restorecon in your patch is what fixes it. -- Fedora-livecd-list mailing list Fedora-livecd-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-livecd-list
Re: [Fedora-livecd-list] Re: Unnecessary SELinux Failure Condition?
Jay Greguske wrote: Jeremy Katz wrote: On Fri, Sep 25, 2009 at 8:59 AM, Jay Greguske jgreg...@redhat.com wrote: Jeremy Katz wrote: There have been some problems more recently with the booleans stuff if SELinux isn't enabled. Does that all end up working correctly still? I'll look into it. Are there any you have in mind specifically? Dan might remember better than I -- I vaguely remember that a lot of the home directory bits and also some of the xguest stuff requires working booleans - Jeremy I installed xguest to a running livecd (desktop ks file) and played with two booleans related to it: browser_write_xguest_data, and xguest_connect_network. With the former turned off the Guest account could not download files from random internet sites, and with the latter it couldn't connect at all, so I'd say they were functioning as expected. I'm pretty confident SELinux booleans are working correctly with these changes. If you have other tests to suggest I'd be happy to try them out. Thanks, - Jay -- Fedora-livecd-list mailing list Fedora-livecd-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-livecd-list Is there anything more I can do to scoot these changes along? I don't want them to fall off radar... - Jay diff --git a/imgcreate/creator.py b/imgcreate/creator.py index 909f616..0db74fd 100644 --- a/imgcreate/creator.py +++ b/imgcreate/creator.py @@ -399,10 +399,6 @@ class ImageCreator(object): if not kickstart.get_repos(self.ks): raise CreatorError(No repositories specified) -if (kickstart.selinux_enabled(self.ks) and -not os.path.exists(/selinux/enforce)): -raise CreatorError(SELinux requested but not enabled on host) - def __write_fstab(self): fstab = open(self._instroot + /etc/fstab, w) fstab.write(self._get_fstab()) @@ -467,10 +463,6 @@ class ImageCreator(object): # label the fs like it is a root before the bind mounting arglist = [/sbin/setfiles, -F, -r, self._instroot, selinux.selinux_file_context_path(), self._instroot] subprocess.call(arglist, close_fds = True) -# these dumb things don't get magically fixed, so make the user generic -for f in (/proc, /sys, /selinux): -arglist = [/usr/bin/chcon, -u, system_u, self._instroot + f] -subprocess.call(arglist, close_fds = True) def __destroy_selinuxfs(self): # if the system was running selinux clean up our lies @@ -726,7 +718,6 @@ class ImageCreator(object): kickstart.KeyboardConfig(self._instroot).apply(ksh.keyboard) kickstart.TimezoneConfig(self._instroot).apply(ksh.timezone) kickstart.AuthConfig(self._instroot).apply(ksh.authconfig) -kickstart.SelinuxConfig(self._instroot).apply(ksh.selinux) kickstart.FirewallConfig(self._instroot).apply(ksh.firewall) kickstart.RootPasswordConfig(self._instroot).apply(ksh.rootpw) kickstart.ServicesConfig(self._instroot).apply(ksh.services) @@ -738,6 +729,9 @@ class ImageCreator(object): self.__run_post_scripts() +# selinux should always come last +kickstart.SelinuxConfig(self._instroot).apply(ksh.selinux) + def launch_shell(self): Launch a shell in the install root. diff --git a/imgcreate/kickstart.py b/imgcreate/kickstart.py index 98db856..9d589bb 100644 --- a/imgcreate/kickstart.py +++ b/imgcreate/kickstart.py @@ -22,6 +22,7 @@ import shutil import subprocess import time import logging +import selinux import urlgrabber try: @@ -414,10 +415,10 @@ class SelinuxConfig(KickstartConfig): if ksselinux.selinux == ksconstants.SELINUX_DISABLED: return -if not os.path.exists(self.path(/sbin/restorecon)): +if not os.path.exists(self.path(/sbin/setfiles)): return -self.call([/sbin/restorecon, -l, -r, -F, -e, /proc, -e, /sys, -e, /dev, -e, /selinux, /]) +self.call([/sbin/setfiles, selinux.selinux_file_context_path(), /]) def apply(self, ksselinux): if os.path.exists(self.path(/usr/sbin/lokkit)): -- Fedora-livecd-list mailing list Fedora-livecd-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-livecd-list
Re: [Fedora-livecd-list] Re: Unnecessary SELinux Failure Condition?
On Tue, Sep 29, 2009 at 16:32:24 -0400, Jay Greguske jgreg...@redhat.com wrote: Daniel J Walsh wrote: How much work would it be to create a livecd with only an xguest login. Random Root password and no user accounts. So the cd could only run xguest. I know if you can boot the cd you can beat the system, but it might be a cool demo. Should be pretty easy: you just need the right kickstart configuration file. While things are quiet this week I'll see if I can produce that for you. I haven't seen a fix for https://bugzilla.redhat.com/show_bug.cgi?id=524421 pushed out yet. So you might need to tweak gdm-password to get this to work right now. -- Fedora-livecd-list mailing list Fedora-livecd-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-livecd-list
Re: [Fedora-livecd-list] Re: Unnecessary SELinux Failure Condition?
Jeremy Katz wrote: On Fri, Sep 25, 2009 at 8:59 AM, Jay Greguske jgreg...@redhat.com wrote: Jeremy Katz wrote: There have been some problems more recently with the booleans stuff if SELinux isn't enabled. Does that all end up working correctly still? I'll look into it. Are there any you have in mind specifically? Dan might remember better than I -- I vaguely remember that a lot of the home directory bits and also some of the xguest stuff requires working booleans - Jeremy I installed xguest to a running livecd (desktop ks file) and played with two booleans related to it: browser_write_xguest_data, and xguest_connect_network. With the former turned off the Guest account could not download files from random internet sites, and with the latter it couldn't connect at all, so I'd say they were functioning as expected. I'm pretty confident SELinux booleans are working correctly with these changes. If you have other tests to suggest I'd be happy to try them out. Thanks, - Jay -- Fedora-livecd-list mailing list Fedora-livecd-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-livecd-list
Re: [Fedora-livecd-list] Re: Unnecessary SELinux Failure Condition?
Daniel J Walsh wrote: On 09/29/2009 03:45 PM, Jay Greguske wrote: Jeremy Katz wrote: On Fri, Sep 25, 2009 at 8:59 AM, Jay Greguske jgreg...@redhat.com wrote: Jeremy Katz wrote: There have been some problems more recently with the booleans stuff if SELinux isn't enabled. Does that all end up working correctly still? I'll look into it. Are there any you have in mind specifically? Dan might remember better than I -- I vaguely remember that a lot of the home directory bits and also some of the xguest stuff requires working booleans - Jeremy I installed xguest to a running livecd (desktop ks file) and played with two booleans related to it: browser_write_xguest_data, and xguest_connect_network. With the former turned off the Guest account could not download files from random internet sites, and with the latter it couldn't connect at all, so I'd say they were functioning as expected. I'm pretty confident SELinux booleans are working correctly with these changes. If you have other tests to suggest I'd be happy to try them out. Thanks, - Jay How much work would it be to create a livecd with only an xguest login. Random Root password and no user accounts. So the cd could only run xguest. I know if you can boot the cd you can beat the system, but it might be a cool demo. Should be pretty easy: you just need the right kickstart configuration file. While things are quiet this week I'll see if I can produce that for you. -- Fedora-livecd-list mailing list Fedora-livecd-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-livecd-list
Re: [Fedora-livecd-list] Re: Unnecessary SELinux Failure Condition?
Jeremy Katz wrote: On Fri, Sep 18, 2009 at 10:26 AM, Jay Greguske jgreg...@redhat.com wrote: Daniel J Walsh wrote: On 09/11/2009 04:47 PM, Jay Greguske wrote: While using livecd-creator and poking around the code, I found a check that I don't understand the reason for. livecd-creator will bail out if the host has SELinux disabled and the kickstart file requests it be enabled. Why is that? I would think that if SELinux was disabled but you still had the policy available, that would be all you need to build a properly labeled image. [snip] Perhaps the failure condition is no longer necessary? Yes I think that is no longer necessary. And it should definitely be supported. Attached is a cleaner patch that removes the check and some other unnecessary code (thanks Dan). With this users should be able to build livecd images that have SELinux enabled on an SELinux-disabled host. I've tested this on an F10 system with an F10 and a RHEL 5 kernel. Both kernels I was able to build images with the SELinux enabled and disabled on the host (but always enabled in the kickstart file). There have been some problems more recently with the booleans stuff if SELinux isn't enabled. Does that all end up working correctly still? I'm not fundamentally opposed to the patch; it's just historically been something which didn't work. - Jeremy I'll look into it. Are there any you have in mind specifically? - Jay -- Fedora-livecd-list mailing list Fedora-livecd-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-livecd-list
Re: [Fedora-livecd-list] Re: Unnecessary SELinux Failure Condition?
On Fri, Sep 18, 2009 at 10:26 AM, Jay Greguske jgreg...@redhat.com wrote: Daniel J Walsh wrote: On 09/11/2009 04:47 PM, Jay Greguske wrote: While using livecd-creator and poking around the code, I found a check that I don't understand the reason for. livecd-creator will bail out if the host has SELinux disabled and the kickstart file requests it be enabled. Why is that? I would think that if SELinux was disabled but you still had the policy available, that would be all you need to build a properly labeled image. [snip] Perhaps the failure condition is no longer necessary? Yes I think that is no longer necessary. And it should definitely be supported. Attached is a cleaner patch that removes the check and some other unnecessary code (thanks Dan). With this users should be able to build livecd images that have SELinux enabled on an SELinux-disabled host. I've tested this on an F10 system with an F10 and a RHEL 5 kernel. Both kernels I was able to build images with the SELinux enabled and disabled on the host (but always enabled in the kickstart file). There have been some problems more recently with the booleans stuff if SELinux isn't enabled. Does that all end up working correctly still? I'm not fundamentally opposed to the patch; it's just historically been something which didn't work. - Jeremy -- Fedora-livecd-list mailing list Fedora-livecd-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-livecd-list
[Fedora-livecd-list] Re: Unnecessary SELinux Failure Condition?
Daniel J Walsh wrote: On 09/11/2009 04:47 PM, Jay Greguske wrote: Hello, While using livecd-creator and poking around the code, I found a check that I don't understand the reason for. livecd-creator will bail out if the host has SELinux disabled and the kickstart file requests it be enabled. Why is that? I would think that if SELinux was disabled but you still had the policy available, that would be all you need to build a properly labeled image. Out of curiosity I made changes to the code just to see what would happen. I attached them to this mail for reference, NOT as proposed changes to be applied to the livecd-tools code. On an F10 system with SELinux disabled I was able to build a working livecd image that I could boot and play around in. SELinux was being enforced in the image too. I was able to do this with a RHEL 5 kernel as well, just to see if maybe something had changed with an earlier version of SELinux. Perhaps the failure condition is no longer necessary? Thanks in advance, - Jay Yes I think that is no longer necessary. And it should definitely be supported. Attached is a cleaner patch that removes the check and some other unnecessary code (thanks Dan). With this users should be able to build livecd images that have SELinux enabled on an SELinux-disabled host. I've tested this on an F10 system with an F10 and a RHEL 5 kernel. Both kernels I was able to build images with the SELinux enabled and disabled on the host (but always enabled in the kickstart file). Let me know what you guys think! Thanks, - Jay diff --git a/imgcreate/creator.py b/imgcreate/creator.py index 909f616..0db74fd 100644 --- a/imgcreate/creator.py +++ b/imgcreate/creator.py @@ -399,10 +399,6 @@ class ImageCreator(object): if not kickstart.get_repos(self.ks): raise CreatorError(No repositories specified) -if (kickstart.selinux_enabled(self.ks) and -not os.path.exists(/selinux/enforce)): -raise CreatorError(SELinux requested but not enabled on host) - def __write_fstab(self): fstab = open(self._instroot + /etc/fstab, w) fstab.write(self._get_fstab()) @@ -467,10 +463,6 @@ class ImageCreator(object): # label the fs like it is a root before the bind mounting arglist = [/sbin/setfiles, -F, -r, self._instroot, selinux.selinux_file_context_path(), self._instroot] subprocess.call(arglist, close_fds = True) -# these dumb things don't get magically fixed, so make the user generic -for f in (/proc, /sys, /selinux): -arglist = [/usr/bin/chcon, -u, system_u, self._instroot + f] -subprocess.call(arglist, close_fds = True) def __destroy_selinuxfs(self): # if the system was running selinux clean up our lies @@ -726,7 +718,6 @@ class ImageCreator(object): kickstart.KeyboardConfig(self._instroot).apply(ksh.keyboard) kickstart.TimezoneConfig(self._instroot).apply(ksh.timezone) kickstart.AuthConfig(self._instroot).apply(ksh.authconfig) -kickstart.SelinuxConfig(self._instroot).apply(ksh.selinux) kickstart.FirewallConfig(self._instroot).apply(ksh.firewall) kickstart.RootPasswordConfig(self._instroot).apply(ksh.rootpw) kickstart.ServicesConfig(self._instroot).apply(ksh.services) @@ -738,6 +729,9 @@ class ImageCreator(object): self.__run_post_scripts() +# selinux should always come last +kickstart.SelinuxConfig(self._instroot).apply(ksh.selinux) + def launch_shell(self): Launch a shell in the install root. diff --git a/imgcreate/kickstart.py b/imgcreate/kickstart.py index 98db856..9d589bb 100644 --- a/imgcreate/kickstart.py +++ b/imgcreate/kickstart.py @@ -22,6 +22,7 @@ import shutil import subprocess import time import logging +import selinux import urlgrabber try: @@ -414,10 +415,10 @@ class SelinuxConfig(KickstartConfig): if ksselinux.selinux == ksconstants.SELINUX_DISABLED: return -if not os.path.exists(self.path(/sbin/restorecon)): +if not os.path.exists(self.path(/sbin/setfiles)): return -self.call([/sbin/restorecon, -l, -r, -F, -e, /proc, -e, /sys, -e, /dev, -e, /selinux, /]) +self.call([/sbin/setfiles, selinux.selinux_file_context_path(), /]) def apply(self, ksselinux): if os.path.exists(self.path(/usr/sbin/lokkit)): -- Fedora-livecd-list mailing list Fedora-livecd-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-livecd-list