On Wed, Dec 10, 2008 at 11:35:54AM -0500, Michael DeHaan wrote:
> Anton Arapov wrote:
>> Hello crew,
>>
>> On an SELinux-enabled system:
>> # cobbler system add --name vguest --profile F-10-x86_64 \
>> --virt-type qemu \
>> --virt-bridge virbr0 \
>> --virt-path vg
>> # koan --server 'host' --virt --system vguest2
>>
>> These will fail to run, because koan did not set the correct security
>> context for the created LVM partition.
>> It must execute something like: # chcon -t virt_image_t /dev/mapper/%lvm_partition%
>>
>> Patch addressed to the ticket #321:
>> https://fedorahosted.org/cobbler/ticket/321
>>
>> I've also added some concerns about the SELinux check already
>> implemented in cobbler. So please, read the ticket and leave feedback. :)
>>
>> Cheers!
>> ==
>> diff -urpN koan-1.2.6.orig/koan/app.py koan-1.2.6/koan/app.py
>> --- koan-1.2.6.orig/koan/app.py 2008-12-10 09:04:12.082359000 +0100
>> +++ koan-1.2.6/koan/app.py 2008-12-10 09:18:59.765607726 +0100
>> @@ -1213,8 +1213,23 @@ class Koan: >> if lv_create != 0: >> raise InfoException, "LVM creation failed" >> + # partition location >> + partition_location = "/dev/mapper/%s-%s" % >> (location,name.replace('-','--')) >> + >> + # check whether we have SELinux enabled system >> + args = "/usr/sbin/selinuxenabled" >> + selinuxenabled = sub_process.call(args) >> + if selinuxenabled == 0: >> + # permissive or enforcing or something else, and >> + # set appropriate security context for LVM partition >> + args = "/usr/bin/chcon -t virt_image_t %s" % >> partition_location >> + print "%s" % args >> + change_context = sub_process.call(args, shell=True) >> + if change_context != 0: >> + raise InfoException, "SELinux security context >> setting to LVM partition failed" >> + >> # return partition location >> - return "/dev/mapper/%s-%s" % >> (location,name.replace('-','--')) >> + return partition_location >> else: >> raise InfoException, "volume group needs %s GB free space." >> % virt_size >> > > Is "/usr/sbin/selinuxenabled" available on older EL distros? Cobbler > contains some code for similar things that uses getenforce. Earlier I > thought this binary didn't exist on my box, but I /do/ have it on F9. > > Otherwise, looks fine, though I think we need to make sure this binary > is available. We should also check to see if it /exists/ first, because > long term we'll want koan to work on non-Fedora/Red-Hat based distros so > we can also package it there.
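Review bot: the existence check Michael asks for is also a correctness issue in the hunk at `selinuxenabled = sub_process.call(args)`: when `/usr/sbin/selinuxenabled` is not installed, `call` raises OSError rather than returning non-zero, so the `if selinuxenabled == 0` test is never reached and LVM creation aborts with a traceback instead of simply skipping the relabel; guard the call (catch OSError, or test `os.path.exists` first) and treat a missing binary as SELinux-disabled. The `chcon` invocation then builds a command string and runs it with `shell=True`, which hands `partition_location`, assembled from the `location` and `name` values, to the shell for interpretation; passing `["/usr/bin/chcon", "-t", "virt_image_t", partition_location]` without `shell=True` avoids that and matches how `selinuxenabled` is already invoked two lines earlier. The `print "%s" % args` line looks like leftover debugging output and should be dropped, or at least routed through the same logging the rest of the function uses.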
Will check this in rhel4.6/4.7 and rhel5.2, and will let you know. I guess we do not care about rhel2/rhel3. ;-)

> --Michael
>

--
-Anton

cobbler mailing list
https://fedorahosted.org/mailman/listinfo/cobbler
