Unnecessary SELinux Failure Condition?


Unnecessary SELinux Failure Condition?

Jay Greguske
Hello,

While using livecd-creator and poking around the code, I found a check
that I don't understand the reason for. livecd-creator will bail out if
the host has SELinux disabled and the kickstart file requests it be
enabled. Why is that? I would think that if SELinux was disabled but you
still had the policy available, that would be all you need to build a
properly labeled image.

Out of curiosity I made changes to the code just to see what would
happen. I attached them to this mail for reference, NOT as proposed
changes to be applied to the livecd-tools code. On an F10 system with
SELinux disabled I was able to build a working livecd image that I could
boot and play around in. SELinux was being enforced in the image too. I
was able to do this with a RHEL 5 kernel as well, just to see if maybe
something had changed with an earlier version of SELinux.

Perhaps the failure condition is no longer necessary?

Thanks in advance,
- Jay

From d45ea3131f4c4d93b285a1903578526f5bf99913 Mon Sep 17 00:00:00 2001
From: Jay Greguske <[hidden email]>
Date: Fri, 11 Sep 2009 16:23:55 -0400
Subject: [PATCH] Dirty removal of selinux failure condition

---
 imgcreate/creator.py   |    6 +++---
 imgcreate/kickstart.py |    3 ++-
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/imgcreate/creator.py b/imgcreate/creator.py
index 909f616..3c6440d 100644
--- a/imgcreate/creator.py
+++ b/imgcreate/creator.py
@@ -399,9 +399,9 @@ class ImageCreator(object):
         if not kickstart.get_repos(self.ks):
             raise CreatorError("No repositories specified")
 
-        if (kickstart.selinux_enabled(self.ks) and
-            not os.path.exists("/selinux/enforce")):
-            raise CreatorError("SELinux requested but not enabled on host")
+#        if (kickstart.selinux_enabled(self.ks) and
+#            not os.path.exists("/selinux/enforce")):
+#            raise CreatorError("SELinux requested but not enabled on host")
 
     def __write_fstab(self):
         fstab = open(self._instroot + "/etc/fstab", "w")
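Review bot: the three `#`-prefixed lines leave the old check as dead, commented-out code; delete the `if` block outright instead. The commit message should also say what now happens on a host that has no SELinux policy files at all, since the error a user sees moves from this clear message to whatever the later `setfiles` call prints.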
diff --git a/imgcreate/kickstart.py b/imgcreate/kickstart.py
index 98db856..39e44e6 100644
--- a/imgcreate/kickstart.py
+++ b/imgcreate/kickstart.py
@@ -417,7 +417,8 @@ class SelinuxConfig(KickstartConfig):
         if not os.path.exists(self.path("/sbin/restorecon")):
             return
 
-        self.call(["/sbin/restorecon", "-l", "-r", "-F", "-e", "/proc", "-e", "/sys", "-e", "/dev", "-e", "/selinux", "/"])
+        # self.call(["/sbin/restorecon", "-l", "-r", "-F", "-e", "/proc", "-e", "/sys", "-e", "/dev", "-e", "/selinux", "/"])
+        self.call(["/sbin/setfiles", "/etc/selinux/targeted/contexts/files/file_contexts", "/"])
 
     def apply(self, ksselinux):
         if os.path.exists(self.path("/usr/sbin/lokkit")):
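Review bot: the new `setfiles` line hardcodes `/etc/selinux/targeted/contexts/files/file_contexts`, so an image whose kickstart or `%post` selects any other SELINUXTYPE is labeled against the wrong policy; derive the path from the image's policy type instead. The guard two lines above still tests for `/sbin/restorecon` while the command actually run is `/sbin/setfiles`, so the existence check no longer protects the call and should test for `/sbin/setfiles`.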
--
1.6.0.6


--
Fedora-livecd-list mailing list
[hidden email]
https://www.redhat.com/mailman/listinfo/fedora-livecd-list

Re: Unnecessary SELinux Failure Condition?

Jay Greguske
Daniel J Walsh wrote:

> On 09/11/2009 04:47 PM, Jay Greguske wrote:
>  
>> Hello,
>>
>> While using livecd-creator and poking around the code, I found a check
>> that I don't understand the reason for. livecd-creator will bail out if
>> the host has SELinux disabled and the kickstart file requests it be
>> enabled. Why is that? I would think that if SELinux was disabled but you
>> still had the policy available, that would be all you need to build a
>> properly labeled image.
>>
>> Out of curiosity I made changes to the code just to see what would
>> happen. I attached them to this mail for reference, NOT as proposed
>> changes to be applied to the livecd-tools code. On an F10 system with
>> SELinux disabled I was able to build a working livecd image that I could
>> boot and play around in. SELinux was being enforced in the image too. I
>> was able to do this with a RHEL 5 kernel as well, just to see if maybe
>> something had changed with an earlier version of SELinux.
>>
>> Perhaps the failure condition is no longer necessary?
>>
>> Thanks in advance,
>> - Jay
>>    
> Yes I think that is no longer necessary.  And it should definitely be supported.
>
>  
Attached is a cleaner patch that removes the check and some other
unnecessary code (thanks Dan). With this users should be able to build
livecd images that have SELinux enabled on an SELinux-disabled host.
I've tested this on an F10 system with an F10 and a RHEL 5 kernel. With
both kernels I was able to build images with SELinux enabled and disabled
on the host (but always enabled in the kickstart file).

Let me know what you guys think!

Thanks,
- Jay

diff --git a/imgcreate/creator.py b/imgcreate/creator.py
index 909f616..0db74fd 100644
--- a/imgcreate/creator.py
+++ b/imgcreate/creator.py
@@ -399,10 +399,6 @@ class ImageCreator(object):
         if not kickstart.get_repos(self.ks):
             raise CreatorError("No repositories specified")
 
-        if (kickstart.selinux_enabled(self.ks) and
-            not os.path.exists("/selinux/enforce")):
-            raise CreatorError("SELinux requested but not enabled on host")
-
     def __write_fstab(self):
         fstab = open(self._instroot + "/etc/fstab", "w")
         fstab.write(self._get_fstab())
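Review bot: dropping the `/selinux/enforce` test removes the only early, explicit failure for a host that cannot label the image, and the message pointing at the host is replaced by whatever `setfiles` prints much later. Consider keeping a check on what labeling actually needs rather than on the host kernel enforcing: that the file_contexts returned by `selinux.selinux_file_context_path()` (used in the next hunk) exists on the host, raising `CreatorError` with a message naming the missing file if it does not.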
@@ -467,10 +463,6 @@ class ImageCreator(object):
             # label the fs like it is a root before the bind mounting
             arglist = ["/sbin/setfiles", "-F", "-r", self._instroot, selinux.selinux_file_context_path(), self._instroot]
             subprocess.call(arglist, close_fds = True)
-            # these dumb things don't get magically fixed, so make the user generic
-            for f in ("/proc", "/sys", "/selinux"):
-                arglist = ["/usr/bin/chcon", "-u", "system_u", self._instroot + f]
-                subprocess.call(arglist, close_fds = True)
 
     def __destroy_selinuxfs(self):
         # if the system was running selinux clean up our lies
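Review bot: the commit message should state why the `chcon -u system_u` loop over /proc, /sys and /selinux is now redundant. The `setfiles -F` call kept just above it resets the user, role and range fields as well as the type, which is presumably the justification, but a reader of the diff has to infer it.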
@@ -726,7 +718,6 @@ class ImageCreator(object):
         kickstart.KeyboardConfig(self._instroot).apply(ksh.keyboard)
         kickstart.TimezoneConfig(self._instroot).apply(ksh.timezone)
         kickstart.AuthConfig(self._instroot).apply(ksh.authconfig)
-        kickstart.SelinuxConfig(self._instroot).apply(ksh.selinux)
         kickstart.FirewallConfig(self._instroot).apply(ksh.firewall)
         kickstart.RootPasswordConfig(self._instroot).apply(ksh.rootpw)
         kickstart.ServicesConfig(self._instroot).apply(ksh.services)
@@ -738,6 +729,9 @@ class ImageCreator(object):
 
         self.__run_post_scripts()
 
+        # selinux should always come last
+        kickstart.SelinuxConfig(self._instroot).apply(ksh.selinux)
+
     def launch_shell(self):
         """Launch a shell in the install root.
 
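Review bot: running `SelinuxConfig.apply()` after `__run_post_scripts()` means anything a `%post` script wrote to /etc/selinux/config (a SELINUXTYPE, for instance) is overwritten by the lokkit call inside `apply`, and it breaks the expectation that `%post` is the last step to touch the install root. If the goal is only that files created by `%post` get labeled, split the relabel from the config write: leave `apply` where it was and run just the `setfiles` step after the post scripts. The comment `# selinux should always come last` should also say why.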
diff --git a/imgcreate/kickstart.py b/imgcreate/kickstart.py
index 98db856..9d589bb 100644
--- a/imgcreate/kickstart.py
+++ b/imgcreate/kickstart.py
@@ -22,6 +22,7 @@ import shutil
 import subprocess
 import time
 import logging
+import selinux
 import urlgrabber
 
 try:
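Review bot: `import selinux` at module level makes libselinux's Python binding a hard requirement for importing imgcreate.kickstart, even for a kickstart that says `selinux --disabled`; the `try:` immediately below suggests the module already tolerates optional imports, so either give this import the same treatment (and skip labeling with a logged warning when it is absent) or declare the new runtime dependency in the package metadata.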
@@ -414,10 +415,10 @@ class SelinuxConfig(KickstartConfig):
 
         if ksselinux.selinux == ksconstants.SELINUX_DISABLED:
             return
-        if not os.path.exists(self.path("/sbin/restorecon")):
+        if not os.path.exists(self.path("/sbin/setfiles")):
             return
 
-        self.call(["/sbin/restorecon", "-l", "-r", "-F", "-e", "/proc", "-e", "/sys", "-e", "/dev", "-e", "/selinux", "/"])
+        self.call(["/sbin/setfiles", selinux.selinux_file_context_path(), "/"])
 
     def apply(self, ksselinux):
         if os.path.exists(self.path("/usr/sbin/lokkit")):
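Review bot: `selinux.selinux_file_context_path()` is evaluated on the host and returns the file_contexts for the host's policy type, while `self.call` appears to execute inside the install root (the guard uses `self.path()`), so a host/image mismatch, or a host whose own /etc/selinux/config says disabled, labels the image against the wrong policy; derive the path from the image's /etc/selinux/config instead. The replaced restorecon line also carried `-e /proc -e /sys -e /dev -e /selinux`; if any of those is mounted in the chroot at this point, `setfiles` now descends into them, so keep the `-e` exclusions, which `setfiles` accepts as well.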


Re: Re: Unnecessary SELinux Failure Condition?

Jeremy Katz-3
On Fri, Sep 18, 2009 at 10:26 AM, Jay Greguske <[hidden email]> wrote:
> Daniel J Walsh wrote:
>> On 09/11/2009 04:47 PM, Jay Greguske wrote:
>>> While using livecd-creator and poking around the code, I found a check
>>> that I don't understand the reason for. livecd-creator will bail out if
>>> the host has SELinux disabled and the kickstart file requests it be
>>> enabled. Why is that? I would think that if SELinux was disabled but you
>>> still had the policy available, that would be all you need to build a
>>> properly labeled image.
[snip]

>>> Perhaps the failure condition is no longer necessary?
>>>
>> Yes I think that is no longer necessary.  And it should definitely be supported.
>>
> Attached is a cleaner patch that removes the check and some other
> unnecessary code (thanks Dan). With this users should be able to build
> livecd images that have SELinux enabled on an SELinux-disabled host.
> I've tested this on an F10 system with an F10 and a RHEL 5 kernel. With
> both kernels I was able to build images with SELinux enabled and disabled
> on the host (but always enabled in the kickstart file).

There have been some problems more recently with the booleans stuff if
SELinux isn't enabled.  Does that all end up working correctly still?

I'm not fundamentally opposed to the patch; it's just historically
been something which didn't work.

- Jeremy


Re: Re: Unnecessary SELinux Failure Condition?

Jay Greguske
Jeremy Katz wrote:

> On Fri, Sep 18, 2009 at 10:26 AM, Jay Greguske <[hidden email]> wrote:
>  
>> Daniel J Walsh wrote:
>>    
>>> On 09/11/2009 04:47 PM, Jay Greguske wrote:
>>>      
>>>> While using livecd-creator and poking around the code, I found a check
>>>> that I don't understand the reason for. livecd-creator will bail out if
>>>> the host has SELinux disabled and the kickstart file requests it be
>>>> enabled. Why is that? I would think that if SELinux was disabled but you
>>>> still had the policy available, that would be all you need to build a
>>>> properly labeled image.
>>>>        
> [snip]
>  
>>>> Perhaps the failure condition is no longer necessary?
>>>>
>>>>        
>>> Yes I think that is no longer necessary.  And it should definitely be supported.
>>>
>>>      
>> Attached is a cleaner patch that removes the check and some other
>> unnecessary code (thanks Dan). With this users should be able to build
>> livecd images that have SELinux enabled on an SELinux-disabled host.
>> I've tested this on an F10 system with an F10 and a RHEL 5 kernel. With
>> both kernels I was able to build images with SELinux enabled and disabled
>> on the host (but always enabled in the kickstart file).
>>    
>
> There have been some problems more recently with the booleans stuff if
> SELinux isn't enabled.  Does that all end up working correctly still?
>
> I'm not fundamentally opposed to the patch; it's just historically
> been something which didn't work.
>
> - Jeremy
>  
I'll look into it. Are there any you have in mind specifically?

- Jay


Re: Re: Unnecessary SELinux Failure Condition?

Jeremy Katz-3
On Fri, Sep 25, 2009 at 8:59 AM, Jay Greguske <[hidden email]> wrote:
> Jeremy Katz wrote:
>> There have been some problems more recently with the booleans stuff if
>> SELinux isn't enabled.  Does that all end up working correctly still?
>>
> I'll look into it. Are there any you have in mind specifically?

Dan might remember better than I -- I vaguely remember that a lot of
the home directory bits and also some of the xguest stuff requires
working booleans.

- Jeremy


Re: Re: Unnecessary SELinux Failure Condition?

Jay Greguske
Jeremy Katz wrote:

> On Fri, Sep 25, 2009 at 8:59 AM, Jay Greguske <[hidden email]> wrote:
>  
>> Jeremy Katz wrote:
>>    
>>> There have been some problems more recently with the booleans stuff if
>>> SELinux isn't enabled.  Does that all end up working correctly still?
>>>
>>>      
>> I'll look into it. Are there any you have in mind specifically?
>>    
>
> Dan might remember better than I -- I vaguely remember that a lot of
> the home directory bits and also some of the xguest stuff requires
> working booleans
>
> - Jeremy
>  
I installed xguest to a running livecd (desktop ks file) and played with
two booleans related to it: browser_write_xguest_data, and
xguest_connect_network. With the former turned off the Guest account
could not download files from random internet sites, and with the latter
it couldn't connect at all, so I'd say they were functioning as
expected. I'm pretty confident SELinux booleans are working correctly
with these changes. If you have other tests to suggest I'd be happy to
try them out.

Thanks,
- Jay


Re: Re: Unnecessary SELinux Failure Condition?

Jay Greguske
Daniel J Walsh wrote:

> On 09/29/2009 03:45 PM, Jay Greguske wrote:
>  
>> Jeremy Katz wrote:
>>    
>>> On Fri, Sep 25, 2009 at 8:59 AM, Jay Greguske <[hidden email]> wrote:
>>>  
>>>      
>>>> Jeremy Katz wrote:
>>>>    
>>>>        
>>>>> There have been some problems more recently with the booleans stuff if
>>>>> SELinux isn't enabled.  Does that all end up working correctly still?
>>>>>
>>>>>      
>>>>>          
>>>> I'll look into it. Are there any you have in mind specifically?
>>>>    
>>>>        
>>> Dan might remember better than I -- I vaguely remember that a lot of
>>> the home directory bits and also some of the xguest stuff requires
>>> working booleans
>>>
>>> - Jeremy
>>>  
>>>      
>> I installed xguest to a running livecd (desktop ks file) and played with
>> two booleans related to it: browser_write_xguest_data, and
>> xguest_connect_network. With the former turned off the Guest account
>> could not download files from random internet sites, and with the latter
>> it couldn't connect at all, so I'd say they were functioning as
>> expected. I'm pretty confident SELinux booleans are working correctly
>> with these changes. If you have other tests to suggest I'd be happy to
>> try them out.
>>
>> Thanks,
>> - Jay
>>    
> How much work would it be to create a livecd with only an xguest login.  
> Random Root password and no user accounts.
>
> So the cd could only run xguest.  I know if you can boot the cd you can beat the system, but it might be a cool demo.
>  

Should be pretty easy: you just need the right kickstart configuration
file. While things are quiet this week I'll see if I can produce that
for you.


Re: Re: Unnecessary SELinux Failure Condition?

Bruno Wolff III
On Tue, Sep 29, 2009 at 16:32:24 -0400,
  Jay Greguske <[hidden email]> wrote:

> Daniel J Walsh wrote:
> > How much work would it be to create a livecd with only an xguest login.  
> > Random Root password and no user accounts.
> >
> > So the cd could only run xguest.  I know if you can boot the cd you can beat the system, but it might be a cool demo.
> >  
>
> Should be pretty easy: you just need the right kickstart configuration
> file. While things are quiet this week I'll see if I can produce that
> for you.

I haven't seen a fix for https://bugzilla.redhat.com/show_bug.cgi?id=524421
pushed out yet. So you might need to tweak gdm-password to get this to
work right now.


Re: Re: Unnecessary SELinux Failure Condition?

Jay Greguske
Jay Greguske wrote:

> Jeremy Katz wrote:
>  
>> On Fri, Sep 25, 2009 at 8:59 AM, Jay Greguske <[hidden email]> wrote:
>>  
>>    
>>> Jeremy Katz wrote:
>>>    
>>>      
>>>> There have been some problems more recently with the booleans stuff if
>>>> SELinux isn't enabled.  Does that all end up working correctly still?
>>>>
>>>>      
>>>>        
>>> I'll look into it. Are there any you have in mind specifically?
>>>    
>>>      
>> Dan might remember better than I -- I vaguely remember that a lot of
>> the home directory bits and also some of the xguest stuff requires
>> working booleans
>>
>> - Jeremy
>>  
>>    
> I installed xguest to a running livecd (desktop ks file) and played with
> two booleans related to it: browser_write_xguest_data, and
> xguest_connect_network. With the former turned off the Guest account
> could not download files from random internet sites, and with the latter
> it couldn't connect at all, so I'd say they were functioning as
> expected. I'm pretty confident SELinux booleans are working correctly
> with these changes. If you have other tests to suggest I'd be happy to
> try them out.
>
> Thanks,
> - Jay
>
>
>  
Is there anything more I can do to scoot these changes along? I don't
want them to fall off radar...

- Jay

diff --git a/imgcreate/creator.py b/imgcreate/creator.py
index 909f616..0db74fd 100644
--- a/imgcreate/creator.py
+++ b/imgcreate/creator.py
@@ -399,10 +399,6 @@ class ImageCreator(object):
         if not kickstart.get_repos(self.ks):
             raise CreatorError("No repositories specified")
 
-        if (kickstart.selinux_enabled(self.ks) and
-            not os.path.exists("/selinux/enforce")):
-            raise CreatorError("SELinux requested but not enabled on host")
-
     def __write_fstab(self):
         fstab = open(self._instroot + "/etc/fstab", "w")
         fstab.write(self._get_fstab())
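Review bot: this resend carries no commit message; the test matrix described earlier in the thread (F10 host, F10 and RHEL 5 kernels, host SELinux both enabled and disabled, kickstart always enabled) belongs in it, together with a sentence on what a user now sees when the host has no policy files, since this hunk removes the message that used to name that condition.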
@@ -467,10 +463,6 @@ class ImageCreator(object):
             # label the fs like it is a root before the bind mounting
             arglist = ["/sbin/setfiles", "-F", "-r", self._instroot, selinux.selinux_file_context_path(), self._instroot]
             subprocess.call(arglist, close_fds = True)
-            # these dumb things don't get magically fixed, so make the user generic
-            for f in ("/proc", "/sys", "/selinux"):
-                arglist = ["/usr/bin/chcon", "-u", "system_u", self._instroot + f]
-                subprocess.call(arglist, close_fds = True)
 
     def __destroy_selinuxfs(self):
         # if the system was running selinux clean up our lies
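Review bot: `subprocess.call(arglist, close_fds = True)` still discards the exit status of `setfiles`, and with the `chcon` fallback below it removed, a failed relabel of the install root now passes silently into the image; check the return code and raise `CreatorError` (used elsewhere in this file) on a non-zero result so an unlabeled image is caught at build time rather than at first enforcing boot.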
@@ -726,7 +718,6 @@ class ImageCreator(object):
         kickstart.KeyboardConfig(self._instroot).apply(ksh.keyboard)
         kickstart.TimezoneConfig(self._instroot).apply(ksh.timezone)
         kickstart.AuthConfig(self._instroot).apply(ksh.authconfig)
-        kickstart.SelinuxConfig(self._instroot).apply(ksh.selinux)
         kickstart.FirewallConfig(self._instroot).apply(ksh.firewall)
         kickstart.RootPasswordConfig(self._instroot).apply(ksh.rootpw)
         kickstart.ServicesConfig(self._instroot).apply(ksh.services)
@@ -738,6 +729,9 @@ class ImageCreator(object):
 
         self.__run_post_scripts()
 
+        # selinux should always come last
+        kickstart.SelinuxConfig(self._instroot).apply(ksh.selinux)
+
     def launch_shell(self):
         """Launch a shell in the install root.
 
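Review bot: the comment `# selinux should always come last` states a rule without its reason; spell out what goes wrong when `SelinuxConfig.apply()` runs before `__run_post_scripts()` (presumably files created by `%post` scripts ending up unlabeled), so the next person to reorder this sequence knows what they are trading away, and so reviewers can weigh it against `%post` being the final step to modify the install root.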
diff --git a/imgcreate/kickstart.py b/imgcreate/kickstart.py
index 98db856..9d589bb 100644
--- a/imgcreate/kickstart.py
+++ b/imgcreate/kickstart.py
@@ -22,6 +22,7 @@ import shutil
 import subprocess
 import time
 import logging
+import selinux
 import urlgrabber
 
 try:
@@ -414,10 +415,10 @@ class SelinuxConfig(KickstartConfig):
 
         if ksselinux.selinux == ksconstants.SELINUX_DISABLED:
             return
-        if not os.path.exists(self.path("/sbin/restorecon")):
+        if not os.path.exists(self.path("/sbin/setfiles")):
             return
 
-        self.call(["/sbin/restorecon", "-l", "-r", "-F", "-e", "/proc", "-e", "/sys", "-e", "/dev", "-e", "/selinux", "/"])
+        self.call(["/sbin/setfiles", selinux.selinux_file_context_path(), "/"])
 
     def apply(self, ksselinux):
         if os.path.exists(self.path("/usr/sbin/lokkit")):
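Review bot: when `/sbin/setfiles` is absent from the install root the method returns without labeling anything and without a word, even though the kickstart asked for SELinux; log a warning (the module already imports `logging`) or raise, since an unlabeled image that boots enforcing fails in ways that are hard to trace back to a missing setfiles binary.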


Re: Re: Unnecessary SELinux Failure Condition?

Alan Pevec-2
On Thu, Oct 22, 2009 at 10:42 PM, Jay Greguske <[hidden email]> wrote:

> Jay Greguske wrote:
>> Jeremy Katz wrote:
>>
>>> On Fri, Sep 25, 2009 at 8:59 AM, Jay Greguske <[hidden email]> wrote:
>>>
>>>
>>>> Jeremy Katz wrote:
>>>>
>>>>
>>>>> There have been some problems more recently with the booleans stuff if
>>>>> SELinux isn't enabled.  Does that all end up working correctly still?
>>>>>
>>>>>
>>>>>
>>>> I'll look into it. Are there any you have in mind specifically?
>>>>
>>>>
>>> Dan might remember better than I -- I vaguely remember that a lot of
>>> the home directory bits and also some of the xguest stuff requires
>>> working booleans
>>>
>>> - Jeremy
>>>
>>>
>> I installed xguest to a running livecd (desktop ks file) and played with
>> two booleans related to it: browser_write_xguest_data, and
>> xguest_connect_network. With the former turned off the Guest account
>> could not download files from random internet sites, and with the latter
>> it couldn't connect at all, so I'd say they were functioning as
>> expected. I'm pretty confident SELinux booleans are working correctly
>> with these changes. If you have other tests to suggest I'd be happy to
>> try them out.
>>
>> Thanks,
>> - Jay
>>
>>
>>
> Is there anything more I can do to scoot these changes along? I don't
> want them to fall off radar...
>

We definitely need this patch - I got a few files with unlabeled_t in
the image created with F12 livecd-tools (ovirt-node-image.ks).
I guess setfiles replacing restorecon in your patch is what fixes it.


Re: Re: Unnecessary SELinux Failure Condition?

Alan Pevec-2
I've just found one issue with the patch:
@@ -722,7 +714,6 @@ class ImageCreator(object):
         kickstart.KeyboardConfig(self._instroot).apply(ksh.keyboard)
         kickstart.TimezoneConfig(self._instroot).apply(ksh.timezone)
         kickstart.AuthConfig(self._instroot).apply(ksh.authconfig)
-        kickstart.SelinuxConfig(self._instroot).apply(ksh.selinux)
         kickstart.FirewallConfig(self._instroot).apply(ksh.firewall)
         kickstart.RootPasswordConfig(self._instroot).apply(ksh.rootpw)
         kickstart.ServicesConfig(self._instroot).apply(ksh.services)
@@ -734,6 +725,9 @@ class ImageCreator(object):
 
         self.__run_post_scripts()
 
+        # selinux should always come last
+        kickstart.SelinuxConfig(self._instroot).apply(ksh.selinux)
+
     def launch_shell(self):
         """Launch a shell in the install root.
 
This reverts
http://git.fedorahosted.org/git/?p=livecd;a=commitdiff;h=d8c25944dde2de95a38c08fbb8e890295290ab21

The other issue is that the pykickstart "selinux" command doesn't have a --type option to specify the policy, and lokkit assumes "targeted" if --selinuxtype=<type> is not specified. SelinuxConfig should not touch a SELINUXTYPE already set in /etc/selinux/config by a %post script.
To avoid lokkit side-effects, I'll amend the patch to use Augeas to modify /etc/selinux/config.

Alan
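As an added example (not from the patch or from livecd-tools), here is how the two points raised in this thread could be handled in plain Python: the original `/selinux/enforce` host test replaced by a check for the image's own file_contexts, and `SELINUX=` updated in /etc/selinux/config without clobbering a `SELINUXTYPE` written by a `%post` script. The sample config text, the install-root path and every function name are constructed for illustration.

```python
import os
import re

# Constructed sample of an image's /etc/selinux/config as a %post script
# might have left it (SELINUXTYPE deliberately not "targeted").
SAMPLE_CONFIG = """# This file controls the state of SELinux on the system.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
SELINUXTYPE=mls
"""

_VALID_STATES = frozenset(("enforcing", "permissive", "disabled"))


def set_selinux_state(config_text, state):
    """Return config_text with SELINUX= set to state.

    Only the SELINUX= line is rewritten; SELINUXTYPE= and all comments are
    left exactly as found, so a policy type chosen by %post survives.
    A config without a SELINUX= line gets one appended.
    """
    if state not in _VALID_STATES:
        raise ValueError("unknown SELinux state: %r" % state)
    lines = config_text.splitlines(True)
    found = False
    for i, line in enumerate(lines):
        # "SELINUXTYPE=" does not match: the character after SELINUX is
        # neither whitespace nor "=".
        if re.match(r"^\s*SELINUX\s*=", line):
            lines[i] = "SELINUX=%s\n" % state
            found = True
    if not found:
        lines.append("SELINUX=%s\n" % state)
    return "".join(lines)


def selinux_type_from_config(config_text, default="targeted"):
    """Return the SELINUXTYPE= value from config_text, or default if absent."""
    for line in config_text.splitlines():
        m = re.match(r"^\s*SELINUXTYPE\s*=\s*(\S+)", line)
        if m:
            return m.group(1)
    return default


def image_file_contexts_path(instroot, config_text):
    """Path, under instroot, of the file_contexts for the image's own policy.

    libselinux's selinux_file_context_path() answers for the host's policy
    type; relabeling the install root should follow the image's SELINUXTYPE.
    The /etc/selinux/<type>/contexts/files/file_contexts layout is the one
    the thread's hardcoded setfiles call used for "targeted".
    """
    policy_type = selinux_type_from_config(config_text)
    return os.path.join(instroot, "etc/selinux", policy_type,
                        "contexts/files/file_contexts")


def can_label_image(instroot, config_text):
    """True when the image carries the policy needed to label itself.

    This stands in for the removed host-side test for /selinux/enforce:
    labeling needs a file_contexts for the image's policy type, not an
    enforcing host kernel.
    """
    return os.path.isfile(image_file_contexts_path(instroot, config_text))
```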



Re: Re: Unnecessary SELinux Failure Condition?

Jeremy Katz-3
On Wed, Dec 16, 2009 at 12:03 AM, Alan Pevec <[hidden email]> wrote:

> I've just found one issue with the patch:
> @@ -734,6 +725,9 @@ class ImageCreator(object):
>
>          self.__run_post_scripts()
>
> +        # selinux should always come last
> +        kickstart.SelinuxConfig(self._instroot).apply(ksh.selinux)
> +
>      def launch_shell(self):
>          """Launch a shell in the install root.

NAK.  Nothing *EVER* can come after running %post scripts.  It breaks
one of the very few things that have to always be held true for
kickstart scripts that came about after a few years of flip-flopping
things around for various reasons that seemed good at the time.

> Other issue is that pykickstart "selinux" command doesn't have --type option
> to specify the policy and lokkit. assumes "targeted" if
> --selinuxtype=<type>  is not specified. SelinuxConfig should not touch
> SELINUXTYPE already set in /etc/selinux/config by %post script.
> To avoid lokkit side-effects, I'll amend the patch to use Augeas to modify
> /etc/selinux/config

I'd rather not have a dependency on augeas here.  If it's important
that people be able to specify the policy type in the kickstart
config, then we should push that support in via pykickstart and
lokkit, not change to a whole new toolset.

- Jeremy
