I am trying to reproduce the install behavior of anaconda --noselinux,
where it installs a chroot without labels. [1]  I need this for LTSP due
to SELinux chroot limitations, and Dan Walsh confirms that this is my
best option given these current limitations.

First I discovered places in kickstart.py where it is supposed to be
checking that SELinux-from-kickstart file setting was always returning
true.  I believe the attached patch fixes this part, although it could
use some review.

To my dismay it continued to install with labels.  I then realized that
creator.py's ImageCreator mount() method unconditionally bind mounted
the system's /selinux directory, which is incorrect if "selinux
--disabled" is defined in the kickstart file.

Perhaps my understanding of Python is not advanced, but it appears that
there is no good way to check kickstart's selinux setting from the
mount() method due to the way it is abstracted.

Any ideas what could be done here?

Warren Togami
[EMAIL PROTECTED]

[1]
OK, it really does have labels, but all the labels are the same.

diff --git a/imgcreate/kickstart.py b/imgcreate/kickstart.py
index a7e0723..30156d8 100644
--- a/imgcreate/kickstart.py
+++ b/imgcreate/kickstart.py
@@ -370,7 +370,7 @@ class SelinuxConfig(KickstartConfig):
             f = file(path, "w+")
             os.chmod(path, 0644)
 
-        if not ksselinux.selinux:
+        if ksselinux.selinux == ksconstants.SELINUX_DISABLED:
             return
         if not os.path.exists(self.path("/sbin/restorecon")):
             return
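
Review bot: the new test `ksselinux.selinux == ksconstants.SELINUX_DISABLED` depends on the name `ksconstants`, and no hunk in this patch adds an import for it, so please confirm kickstart.py already imports it or add the import here. The equality check also changes what happens for an unset or otherwise falsy value: the old `not ksselinux.selinux` returned early for it, while the new code falls through to the restorecon path. If a kickstart file with no selinux line can reach this method, state the intended default explicitly.
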
@@ -381,9 +381,11 @@ class SelinuxConfig(KickstartConfig):
         if os.path.exists(self.path("/usr/sbin/lokkit")):
             args = ["/usr/sbin/lokkit", "-f", "--quiet", "--nostart"]
 
-            if ksselinux.selinux:
+            if ksselinux.selinux == ksconstants.SELINUX_ENFORCING:
                 args.append("--selinux=enforcing")
-            else:
+            if ksselinux.selinux == ksconstants.SELINUX_PERMISSIVE:
+                args.append("--selinux=permissive")
+            if ksselinux.selinux == ksconstants.SELINUX_DISABLED:
                 args.append("--selinux=disabled")
 
             self.call(args)
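
Review bot: the three independent `if` tests before `self.call(args)` leave a gap: when `ksselinux.selinux` matches none of the three constants, lokkit is run with no `--selinux=` argument at all, whereas the old `else` branch always passed one. An if/elif/else chain with an explicit final branch (either a chosen default or an error) would make the modes visibly exclusive and keep the call deterministic.
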
@@ -483,4 +485,4 @@ def get_post_scripts(ks):
     return scripts
 
 def selinux_enabled(ks):
-    return ks.handler.selinux.selinux
+    return ks.handler.selinux.selinux == ksconstants.SELINUX_ENFORCING
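
Review bot: `selinux_enabled()` now returns False for SELINUX_PERMISSIVE, which is inconsistent with the first hunk, where only SELINUX_DISABLED skips the relabel step, and with the second hunk, where permissive is passed to lokkit as its own mode. Callers that use this function to decide whether SELinux support is needed would treat a permissive image like a disabled one. Consider `return ks.handler.selinux.selinux != ksconstants.SELINUX_DISABLED`, or rename the function if it is really meant to report enforcing mode only.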

--
Fedora-livecd-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/fedora-livecd-list
