Anton Arapov wrote:
> On Wed, Dec 10, 2008 at 01:27:29PM -0500, Michael DeHaan wrote:
>   
>> Anton Arapov wrote:
>>     
>>> On Wed, Dec 10, 2008 at 06:04:36PM +0100, Vreman, Peter - Acision wrote:
>>>       
>>>>> -----Original Message-----
>>>>> From: [EMAIL PROTECTED] [mailto:cobbler-
>>>>> [EMAIL PROTECTED] On Behalf Of Michael DeHaan
>>>>> Sent: Wednesday 10 December 2008 17:36
>>>>> To: Anton Arapov
>>>>> Cc: [email protected]
>>>>> Subject: Re: [KOAN 1.2.X PATCH] SELinux: set correct security context for
>>>>> lvm partitions
>>>>>
>>>>> Anton Arapov wrote:
>>>>>           
>>>>>> Hello crew,
>>>>>>
>>>>>> On SELinux enabled system:
>>>>>> # cobbler system add --name vguest --profile F-10-x86_64 \
>>>>>>                      --virt-type qemu \
>>>>>>                      --virt-bridge virbr0 \
>>>>>>                      --virt-path vg
>>>>>> # koan --server 'host' --virt --system vguest2
>>>>>>
>>>>>>   These will fail to run, because koan did not set the correct security
>>>>>> context for the created lvm partition.
>>>>>>   It must execute something like:
>>>>>> # chcon -t virt_image_t /dev/mapper/%lvm_partition%
>>>>>>
>>>>>>   Patch addressed to the ticket #321:
>>>>>>   https://fedorahosted.org/cobbler/ticket/321
>>>>>>
>>>>>>   I've also added some concerns about the selinux check already
>>>>>> implemented in cobbler. So please, read the ticket and leave feedback. :)
>>>>>>
>>>>>>             
> [...cut...]
>
>   
>>>>> Is "/usr/sbin/selinuxenabled" available on older EL distros? Cobbler
>>>>> contains some code for similar things that uses getenforce. Earlier I
>>>>> thought this binary didn't exist on my box, but I /do/ have it on F9.
>>>>>
>>>>> Otherwise, looks fine, though I think we need to make sure this binary
>>>>> is available. We should also check to see if it /exists/ first, because
>>>>> long term we'll want koan to work on non-Fedora/Red-Hat based distros so
>>>>> we can also package it there.
>>>>>           
>>>> The tool is available on RHEL 4.6:
>>>>         
>>> Great! So we can go with this patch. :)
>>>       
> [...cut...]
>
>   
>> FWIW, this patch does not apply -- possibly it was made against master 
>> and not the devel branch.
>>
>> See https://fedorahosted.org/cobbler/wiki/PatchProcess and use 
>> git-format-patch in the future and it makes things easier.
>>
>> This is trivial so I'll see about applying it manually.
>>     
>
> I figured out that cobbler from git devel branch already uses
> selinuxenabled util. So I did it in the way it is in cobbler:
>   

Only because I copied from your patch yesterday :)

You should see that koan's devel branch already has your change applied, 
so I believe we're good.

Thanks!

--Michael

> ==
>
>  koan/app.py   |   14 +++++++++++++-
>  koan/utils.py |    7 +++++++
>  2 files changed, 20 insertions(+), 1 deletions(-)
>
> diff --git a/koan/app.py b/koan/app.py
> index f5f982f..879f8ed 100755
> --- a/koan/app.py
> +++ b/koan/app.py
> @@ -1213,8 +1213,20 @@ class Koan:
>                      if lv_create != 0:
>                          raise InfoException, "LVM creation failed"
>  
> +                # full path to LVM partition
> +                partition_location = "/dev/mapper/%s-%s" % 
> (location,name.replace('-','--'))
> +
> +                # SELinux enabled system?
> +                if utils.is_selinux_enabled():
> +                    # set appropriate security context for LVM partition
> +                    args = "/usr/bin/chcon -t virt_image_t %s" % 
> partition_location
> +                    print "%s" % args
> +                    change_context = sub_process.call(args, shell=True)
> +                    if change_context != 0:
> +                        raise InfoException, "SELinux security context 
> setting to LVM partition failed"
> +
>                  # return partition location
> -                return "/dev/mapper/%s-%s" % 
> (location,name.replace('-','--'))
> +                return partition_location
>              else:
>                  raise InfoException, "volume group needs %s GB free space." 
> % virt_size
>  
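
Review bot: The chcon call in the added block builds its command by interpolating partition_location into a string and runs it with shell=True, so any shell metacharacter in location or name would be interpreted by the shell rather than passed to chcon. Assuming sub_process.call accepts an argument list the way subprocess.call does, pass ["/usr/bin/chcon", "-t", "virt_image_t", partition_location] and drop shell=True. The hard-coded /usr/bin/chcon path is also used without an existence check, and the print of the command line reads like leftover debugging output that should go through koan's normal messaging or be removed.
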
> diff --git a/koan/utils.py b/koan/utils.py
> index 36ef75f..cfebce8 100644
> --- a/koan/utils.py
> +++ b/koan/utils.py
> @@ -156,6 +156,13 @@ def subprocess_call(cmd,ignore_rc=False):
>          raise InfoException, "command failed (%s)" % rc
>      return rc
>  
> +def is_selinux_enabled():
> +    args = "/usr/sbin/selinuxenabled"
> +    selinuxenabled = sub_process.call(args)
> +    if selinuxenabled == 0:
> +        return True
> +    else:
> +        return False
>  
>  def input_string_or_hash(options,delim=None):
>      """
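
Review bot: is_selinux_enabled() runs /usr/sbin/selinuxenabled without first checking that the binary exists, which is the concern raised earlier in this thread about distros that are not Fedora or Red Hat based. If sub_process.call behaves like subprocess.call, a missing file raises OSError instead of returning a non-zero code, so koan would abort instead of treating SELinux as disabled. Check os.path.exists(args) first and return False when the tool is absent; the if/else can then collapse to "return selinuxenabled == 0". A short docstring saying that a missing tool is treated as "not enabled" would document that choice.
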
>
> _______________________________________________
> cobbler mailing list
> [email protected]
> https://fedorahosted.org/mailman/listinfo/cobbler
>   
