Jay Greguske wrote:
> Jeremy Katz wrote:
>
>> On Fri, Sep 25, 2009 at 8:59 AM, Jay Greguske <[email protected]> wrote:
>>
>>
>>> Jeremy Katz wrote:
>>>
>>>
>>>> There have been some problems more recently with the booleans stuff if
>>>> SELinux isn't enabled. Does that all end up working correctly still?
>>>>
>>>>
>>>>
>>> I'll look into it. Are there any you have in mind specifically?
>>>
>>>
>> Dan might remember better than I -- I vaguely remember that a lot of
>> the home directory bits and also some of the xguest stuff requires
>> working booleans
>>
>> - Jeremy
>>
>>
> I installed xguest to a running livecd (desktop ks file) and played with
> two booleans related to it: browser_write_xguest_data, and
> xguest_connect_network. With the former turned off the Guest account
> could not download files from random internet sites, and with the latter
> it couldn't connect at all, so I'd say they were functioning as
> expected. I'm pretty confident SELinux booleans are working correctly
> with these changes. If you have other tests to suggest I'd be happy to
> try them out.
>
> Thanks,
> - Jay
>
> --
> Fedora-livecd-list mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/fedora-livecd-list
>
>
Is there anything more I can do to scoot these changes along? I don't
want them to fall off radar...
- Jay
diff --git a/imgcreate/creator.py b/imgcreate/creator.py
index 909f616..0db74fd 100644
--- a/imgcreate/creator.py
+++ b/imgcreate/creator.py
@@ -399,10 +399,6 @@ class ImageCreator(object):
if not kickstart.get_repos(self.ks):
raise CreatorError("No repositories specified")
- if (kickstart.selinux_enabled(self.ks) and
- not os.path.exists("/selinux/enforce")):
- raise CreatorError("SELinux requested but not enabled on host")
-
def __write_fstab(self):
fstab = open(self._instroot + "/etc/fstab", "w")
fstab.write(self._get_fstab())
@@ -467,10 +463,6 @@ class ImageCreator(object):
# label the fs like it is a root before the bind mounting
arglist = ["/sbin/setfiles", "-F", "-r", self._instroot, selinux.selinux_file_context_path(), self._instroot]
subprocess.call(arglist, close_fds = True)
- # these dumb things don't get magically fixed, so make the user generic
- for f in ("/proc", "/sys", "/selinux"):
- arglist = ["/usr/bin/chcon", "-u", "system_u", self._instroot + f]
- subprocess.call(arglist, close_fds = True)
def __destroy_selinuxfs(self):
# if the system was running selinux clean up our lies
@@ -726,7 +718,6 @@ class ImageCreator(object):
kickstart.KeyboardConfig(self._instroot).apply(ksh.keyboard)
kickstart.TimezoneConfig(self._instroot).apply(ksh.timezone)
kickstart.AuthConfig(self._instroot).apply(ksh.authconfig)
- kickstart.SelinuxConfig(self._instroot).apply(ksh.selinux)
kickstart.FirewallConfig(self._instroot).apply(ksh.firewall)
kickstart.RootPasswordConfig(self._instroot).apply(ksh.rootpw)
kickstart.ServicesConfig(self._instroot).apply(ksh.services)
@@ -738,6 +729,9 @@ class ImageCreator(object):
self.__run_post_scripts()
+ # selinux should always come last
+ kickstart.SelinuxConfig(self._instroot).apply(ksh.selinux)
+
def launch_shell(self):
"""Launch a shell in the install root.
diff --git a/imgcreate/kickstart.py b/imgcreate/kickstart.py
index 98db856..9d589bb 100644
--- a/imgcreate/kickstart.py
+++ b/imgcreate/kickstart.py
@@ -22,6 +22,7 @@ import shutil
import subprocess
import time
import logging
+import selinux
import urlgrabber
try:
@@ -414,10 +415,10 @@ class SelinuxConfig(KickstartConfig):
if ksselinux.selinux == ksconstants.SELINUX_DISABLED:
return
- if not os.path.exists(self.path("/sbin/restorecon")):
+ if not os.path.exists(self.path("/sbin/setfiles")):
return
- self.call(["/sbin/restorecon", "-l", "-r", "-F", "-e", "/proc", "-e", "/sys", "-e", "/dev", "-e", "/selinux", "/"])
+ self.call(["/sbin/setfiles", selinux.selinux_file_context_path(), "/"])
def apply(self, ksselinux):
if os.path.exists(self.path("/usr/sbin/lokkit")):
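Review bot: `selinux.selinux_file_context_path()` in the new `self.call([...])` line is resolved by the host's libselinux, so it names the host's policy type, while the `self.path("/sbin/setfiles")` check just above suggests the command itself is meant to run against the install root (the enclosing method starts above the hunk, so this is inferred). If the image installs a different policy type than the host, or the host has no policy at all (which the creator.py hunk in this patch now permits by dropping the "SELinux requested but not enabled on host" check), the spec file may be absent or wrong inside the image and files would end up unlabeled or mislabeled. At minimum I would add `# NOTE: file_contexts path comes from the host's libselinux; assumes the image uses the same SELINUXTYPE` above the call. The result of `self.call` is not examined in the visible lines, so a failed relabel would not stop the build; assuming `call` returns the exit status, a non-zero value should raise rather than ship a mislabeled image. The old restorecon line also passed `-F` and excluded /proc, /sys, /dev and /selinux, and the new line does neither, so a short comment on why those are no longer needed at this point in the build would help the next reader.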