On Fri, Dec 12, 2008 at 10:06:43PM +0100, Anton Arapov wrote:
> On Fri, Dec 12, 2008 at 10:33:44AM -0500, Michael DeHaan wrote:
> > Anton Arapov wrote:
> > > On Thu, Dec 11, 2008 at 11:40:25AM -0500, Michael DeHaan wrote:
> >
> > Anton,
> >
> > I'm pretty sure it's fine for applications to be ensuring that contexts
> > are set right, so the earlier things seem fine to me, though it also
> > seems that we would be better served having a SELinux policy written for
> > koan, and having that shipped with koan (and possibly installed by the
> > RPM -- or providing instructions for it to do so). Perhaps we can follow
> > that tactic instead?
> >
> > This would have the benefit of also being able to move koan out of being
> > unconfined, which may actually /improve/ security in a few regards
> > (except of course koan's there to reinstall your system if you use
> > --replace-self so it's a bit illusory to assume that's why we're doing
> > it). The policy would need to be very open ended because koan can
> > install files with its --update-files feature and also manipulate grub?
> >
> > Does that make sense?
>
> Michael,
>
> I did some investigation today and had a chance to speak
> to Dan Walsh, our selinux guru. The concern is that the selinux
> restrictions with semanage I mentioned are there just because of the
> tricky implementation of the logging (how we log things to
> ~/.koan/koan.log), and another one: it seems we have a problem in
> sub_process, it leaves a file descriptor open....
>
> I will dive into it this weekend and will come up with a solution.
> If there is a need to set some context on the koan script,
> probably..... but I do not think so. :)
>
> -- Anton
>
I'm afraid I will not have time to work further on this next week,
so I am sharing what I have:
In order to eliminate the problem with logging, we need to set an
appropriate context on ~/.koan/koan.log, or log everything to /var/log;
for example, var_log_t:
# chcon -v -t var_log_t /root/.koan/koan.log
And if we really care about it, it would be better to create a
koan-specific context, maybe koan_log_t, and use it. Do we need this?
Might we use /var/log/* in the future?
And the last one:
node=bandura.englab.brq.redhat.com type=AVC msg=audit(1229121538.953:228):
avc: denied { read write } for pid=22082 comm="semanage"
path="socket:[96400]" dev=sockfs ino=96400
scontext=unconfined_u:unconfined_r:semanage_t:s0
tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=tcp_socket
I have no idea ... this hits just by adding .call(semanage). I tried to
reproduce it in a test script, and everything works just fine.
Usually, such things are solved by:
fcntl(socket, F_SETFD, FD_CLOEXEC),
but it's python, and I do not see any socket usage, ... even more, I do not see
why we need 'import socket' in app.py and utils.py; I think they could be
easily removed. ...
[START] // This code works as expected without selinux complaint:
#!/usr/bin/env python
import sys
import sub_process   # koan's bundled copy of the subprocess module
import exceptions

class InfoException(exceptions.Exception):
    """
    Custom exception for tracking of fatal errors.
    """
    def __init__(self, value, **args):
        self.value = value % args
        self.from_koan = 1
    def __str__(self):
        return repr(self.value)

#=======================================================
if __name__ == '__main__':
    context = "virt_image_t"
    partition_location = "/dev/mapper/vg-kvm_f10--disk0"
    # register a persistent file context for the LVM partition
    args = "/usr/sbin/semanage fcontext -a -t %s %s" % (context,
                                                        partition_location)
    print "%s" % args
    permanent_context = sub_process.call(args, shell=True)
    print permanent_context
    if permanent_context != 0:
        raise InfoException, "SELinux security context setting to LVM partition failed"
    sys.exit(0)
[END]
... the following patch is working. SELinux will complain,
but this does not prevent us from successfully executing 'semanage'.
So you can apply it; at least we will have working/booting LV
images after system reboot, despite the annoying selinux messages.
==
koan/app.py | 24 +++++++++++++++++-------
1 files changed, 17 insertions(+), 7 deletions(-)
diff --git a/koan/app.py b/koan/app.py
index 5031bed..1eae1dd 100755
--- a/koan/app.py
+++ b/koan/app.py
@@ -1420,13 +1420,23 @@ class Koan:
args = "/usr/sbin/selinuxenabled"
selinuxenabled = sub_process.call(args)
if selinuxenabled == 0:
- # permissive or enforcing or something else, and
- # set appropriate security context for LVM partition
- args = "/usr/bin/chcon -t virt_image_t %s" %
partition_location
- print "%s" % args
- change_context = sub_process.call(args, shell=True)
- if change_context != 0:
- raise InfoException, "SELinux security context setting
to LVM partition failed"
+ # permissive or enforcing or something else
+ context = "virt_image_t"
+
+ # check the current context
+ args = "/bin/ls -Z %s" % partition_location
+ context_str = sub_process.Popen(args,
stdout=sub_process.PIPE, shell=True).communicate()[0]
+ if context_str.find(context) == -1:
+ # set appropriate security context for LVM partition
+ args = "/usr/bin/chcon -t virt_image_t %s" %
partition_location
+ print "%s" % args
+ change_context = sub_process.call(args, shell=True)
+ # make the context for LVM partition permanent by
updating the policy
+ args = "/usr/sbin/semanage fcontext -a -t %s %s" %
(context, partition_location)
+ print "%s" % args
+ permanent_context = sub_process.call(args, shell=True)
+ if change_context != 0 or permanent_context != 0:
+ raise InfoException, "SELinux security context
setting to LVM partition failed"
# return partition location
return partition_location
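Review bot: the guard `if context_str.find(context) == -1:` is a substring test on the whole `ls -Z` line, so any label whose type merely contains `virt_image_t` counts as already set and both chcon and semanage are skipped; split the label on ':' and compare the type field whole instead. Two smaller points in the same block: `semanage fcontext -a` is run even when `change_context != 0` and the pair is only checked afterwards, so a failed chcon still changes the persistent policy before the exception is raised (check `change_context` first); and `-a` exits non-zero when a rule for that path is already defined (`-m` modifies an existing one), so a recreated LV with a rule left over from an earlier run would raise "SELinux security context setting to LVM partition failed" although chcon succeeded. Finally, both calls keep `shell=True` with `partition_location` interpolated into the command string; passing an argument list keeps the shell out of the path entirely.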
--
-Anton
_______________________________________________
cobbler mailing list
[email protected]
https://fedorahosted.org/mailman/listinfo/cobbler
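An added example (my code, not koan's) of the check the patch does with `ls -Z` and `find()`, written for Python 3 rather than koan's bundled Python 2 sub_process module: the SELinux type is taken from the label and compared whole, the commands are argument lists instead of shell strings, chcon's result is checked before semanage runs, and children start with close_fds=True so no open socket is inherited. The paths and labels used in the test are constructed.

```python
import os
import re
import subprocess

# One SELinux label, e.g. "system_u:object_r:virt_image_t:s0" (an MLS range may hold ':').
LABEL_RE = re.compile(r"(?P<user>[^:\s]+):(?P<role>[^:\s]+):(?P<type>[^:\s]+):(?P<range>\S+)")


def selinux_type_from_ls_z(line):
    """Return the type field of the label in a 'ls -Z <path>' line, or None.

    Comparing the field whole avoids the substring match of the patch, where
    a type such as 'svirt_image_t' would pass a search for 'virt_image_t'.
    """
    match = LABEL_RE.search(line)
    return match.group("type") if match else None


def selinux_type(path):
    """Read the label straight from the security.selinux xattr (Linux only, assumption)."""
    try:
        raw = os.getxattr(path, "security.selinux")  # bytes, usually NUL-terminated
    except (OSError, AttributeError):
        return None
    return selinux_type_from_ls_z(raw.decode().rstrip("\0"))


def context_commands(path, want_type, current_type):
    """argv lists to run (no shell=True, so the path is never re-parsed by a shell)."""
    if current_type == want_type:
        return []
    return [
        ["/usr/bin/chcon", "-t", want_type, path],                         # label it now
        ["/usr/sbin/semanage", "fcontext", "-a", "-t", want_type, path],   # keep it after a relabel
    ]


def run_quiet(argv):
    """Run a child without inherited descriptors (the leaked socket behind the AVC)."""
    return subprocess.call(argv, close_fds=True)


def ensure_context(path, want_type, current_type, runner=run_quiet):
    """Run the commands in order, stop at the first failure; return those attempted."""
    ran = []
    for argv in context_commands(path, want_type, current_type):
        ran.append(argv)
        if runner(argv) != 0:
            raise RuntimeError("%s failed on %s" % (argv[0], path))
    return ran
```

Call `ensure_context(path, "virt_image_t", selinux_type(path))` as root on a real host; the runner parameter exists so the decision logic can be exercised without touching the policy.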