On Thu, Dec 11, 2008 at 09:03:44PM +0100, Anton Arapov wrote:
> On Thu, Dec 11, 2008 at 02:58:07PM -0500, Michael DeHaan wrote:
> > Anton Arapov wrote:
> >> Oh, well...
> >>
> >> It turns out that just to do 'chcon -t context /dev/mapper/volume'
> >> is not enough, the security context will be reset to default one at
> >> the next reboot.
> >> To make it permanent we need to use:
> >> # semanage fcontext -a -t virt_image_t /dev/mapper/volume
> >>
> >> But, at the moment it is impossible to put it to the sub_process.call()
> >> just because the execution of semanage tool will be prohibited by
> >> SELinux rules. The script that executes semanage should have the
> >> appropriate context='semanage_t' as well... Furthermore, because of
> >> implementation, selinux wants this context on %HOME%/.koan and/or
> >> %HOME%/.koan/koan.log that means crap,....
> >>
> >> Ohh .... does this ring a bell for anybody? Will try to invent
> >> something ...
> >>
> >> But, anyway, we must let users of selinux systems know that
> >> setting the context on the LVM partition is necessary, via the semanage tool.
> >>
> >> -- Anton
> >>
> >>
> > What OS are you running on? The SELinux policy rules did not use to be
> > so strict.
> Stock F10. :)
>
> > Can't koan just remain unconfined?
> I'd like to ...
>
> // just a cut from audit.log:
>
> type=AVC msg=audit(1229025747.953:199): avc: denied { append } for
> pid=6333 comm="semanage" path="/root/.koan/koan.log" dev=dm-0 ino=6171
> scontext=unconfined_u:unconfined_r:semanage_t:s0
> tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
>
> type=AVC msg=audit(1229025747.953:199): avc: denied { read write } for
> pid=6333 comm="semanage" path="socket:[46575]" dev=sockfs ino=46575
> scontext=unconfined_u:unconfined_r:semanage_t:s0
> tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=tcp_socket
>
> type=SYSCALL msg=audit(1229025747.953:199): arch=c000003e syscall=59
> success=yes exit=0 a0=1e84a00 a1=1e84810 a2=1e82ee0 a3=386616da70 items=0
> ppid=6312 pid=6333 auid=675 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 tty=pts3 ses=1 comm="semanage" exe="/usr/bin/python"
> subj=unconfined_u:unconfined_r:semanage_t:s0 key=(null)
> // ENDofCUT
and this is audit.log for modified app.py:
koan/app.py | 24 +++++++++++++++++-------
1 files changed, 17 insertions(+), 7 deletions(-)
diff --git a/koan/app.py b/koan/app.py
index 5031bed..1eae1dd 100755
--- a/koan/app.py
+++ b/koan/app.py
@@ -1420,13 +1420,23 @@ class Koan:
args = "/usr/sbin/selinuxenabled"
selinuxenabled = sub_process.call(args)
if selinuxenabled == 0:
- # permissive or enforcing or something else, and
- # set appropriate security context for LVM partition
- args = "/usr/bin/chcon -t virt_image_t %s" %
partition_location
- print "%s" % args
- change_context = sub_process.call(args, shell=True)
- if change_context != 0:
- raise InfoException, "SELinux security context setting
to LVM partition failed"
+ # permissive or enforcing or something else
+ context = "virt_image_t"
+
+ # check the current context
+ args = "/bin/ls -Z %s" % partition_location
+ context_str = sub_process.Popen(args,
stdout=sub_process.PIPE, shell=True).communicate()[0]
+ if context_str.find(context) == -1:
+ # set appropriate security context for LVM partition
+ args = "/usr/bin/chcon -t virt_image_t %s" %
partition_location
+ print "%s" % args
+ change_context = sub_process.call(args, shell=True)
+ # make the context for LVM partition permanent by
updating the policy
+ args = "/usr/sbin/semanage fcontext -a -t %s %s" %
(context, partition_location)
+ print "%s" % args
+ permanent_context = sub_process.call(args, shell=True)
+ if change_context != 0 or permanent_context != 0:
+ raise InfoException, "SELinux security context
setting to LVM partition failed"
# return partition location
return partition_location
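Review bot: the `/bin/ls -Z` check at the top of the new branch only reports the current label, not whether a persistent fcontext rule exists, so once an earlier `chcon` has set `virt_image_t` the whole block, including `semanage fcontext -a`, is skipped and the label is still lost at the reboot described earlier in the thread; run the `semanage` step independently of the `ls -Z` result (or key the check on a persistent-rule lookup), and check `change_context` before attempting the permanent step instead of only at the combined `if change_context != 0 or permanent_context != 0`. Two smaller points in the same hunk: the `chcon` line hard-codes `virt_image_t` instead of using the `context` variable introduced just above it, and both commands interpolate `partition_location` into a `shell=True` string without quoting.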
So we can't go with:
+ args = "/usr/sbin/semanage fcontext -a -t %s %s" %
(context, partition_location)
just because it's prohibited to call it from anything that has no semanage_t
context...
...fscking SELinux...
Anton.
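As an added example (not code from the thread or from koan), a small parser that turns the AVC records quoted above into structured denials, using those records as a constructed sample; it renders each denied access in policy-rule syntax the way audit2allow reports it, so the two denials, semanage_t appending to the admin_home_t log and reusing the tcp_socket inherited from unconfined_t, can be read off directly.

```python
import re

# Constructed sample: the two AVC records and the SYSCALL record quoted in the
# thread above (the SYSCALL line is not a denial and is skipped by the parser).
AUDIT_SAMPLE = (
    'type=AVC msg=audit(1229025747.953:199): avc: denied { append } for '
    'pid=6333 comm="semanage" path="/root/.koan/koan.log" dev=dm-0 ino=6171 '
    'scontext=unconfined_u:unconfined_r:semanage_t:s0 '
    'tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file\n'
    'type=AVC msg=audit(1229025747.953:199): avc: denied { read write } for '
    'pid=6333 comm="semanage" path="socket:[46575]" dev=sockfs ino=46575 '
    'scontext=unconfined_u:unconfined_r:semanage_t:s0 '
    'tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=tcp_socket\n'
    'type=SYSCALL msg=audit(1229025747.953:199): arch=c000003e syscall=59 '
    'success=yes exit=0 comm="semanage" exe="/usr/bin/python" '
    'subj=unconfined_u:unconfined_r:semanage_t:s0 key=(null)\n'
)

# Real audit logs write "avc:  denied  { perms }" with two spaces; the quoted copy has one.
AVC_RE = re.compile(
    r'type=AVC msg=audit\([\d.]+:\d+\): '
    r'avc: +denied +\{ (?P<perms>[^}]*)\} for (?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC denial record, or None for any other line."""
    m = AVC_RE.match(line)
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    # A context is user:role:type:level; the type is what the policy keys on.
    return {
        'perms': m.group('perms').split(),
        'comm': kv.get('comm'),
        'path': kv.get('path'),
        'tclass': kv['tclass'],
        'stype': kv['scontext'].split(':')[2],
        'ttype': kv['tcontext'].split(':')[2],
    }

def denials(log_text, stype=None):
    """All AVC denials in log_text, optionally only those from source type stype."""
    recs = [r for r in map(parse_avc, log_text.splitlines()) if r]
    return [r for r in recs if stype is None or r['stype'] == stype]

def as_rule(rec):
    """Render the denied access in policy-rule syntax, as audit2allow reports it."""
    return 'allow %s %s:%s { %s };' % (
        rec['stype'], rec['ttype'], rec['tclass'], ' '.join(rec['perms']))
```

Seeing the rule spelled out is the point: the fix Anton is after is a correct label on the partition and on the koan directory, not a policy module that lets semanage_t write to admin_home_t.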
_______________________________________________
cobbler mailing list
[email protected]
https://fedorahosted.org/mailman/listinfo/cobbler