Hi,

I finally got an opportunity to look at this issue again. Today livecd-tools 
refuses to build an SELinux enabled LiveCD on an SELinux disabled host, so I've 
reworked some of the logic and SELinux commands used by livecd-tools to allow 
this. This patch still runs the %post scripts last; they happen after 
the SELinux configuration step.

I gave this a try with F13 (beta) repos on an F12 host. In my testing I tried 
all permutations of host and LiveCD SELinux enablement. The results are 
summarized below:

Host/LiveCD: Description
 - On/On: SELinux enforcing and functioning as expected
 - Off/On: SELinux enforcing and functioning as expected
 - On/Off: The file system is partially labelled because Yum/RPM label the files 
during installation. I figured this was OK: SELinux is disabled, so the labels 
shouldn't cause a problem (the disk space they use is trivial)
 - Off/Off: SELinux disabled and the FS is unlabelled as expected.

Please let me know what you think!

Thanks,
- Jay
>From d31e1322bd18998e58782c2308e2b1e87ee72097 Mon Sep 17 00:00:00 2001
From: Jay Greguske <[email protected]>
Date: Mon, 3 May 2010 13:00:34 -0400
Subject: [PATCH] build selinux-enabled images on disabled hosts

---
 imgcreate/creator.py   |   21 +++++++--------------
 imgcreate/kickstart.py |    6 +++---
 2 files changed, 10 insertions(+), 17 deletions(-)

diff --git a/imgcreate/creator.py b/imgcreate/creator.py
index 909f616..7d27fdc 100644
--- a/imgcreate/creator.py
+++ b/imgcreate/creator.py
@@ -399,10 +399,6 @@ class ImageCreator(object):
         if not kickstart.get_repos(self.ks):
             raise CreatorError("No repositories specified")
 
-        if (kickstart.selinux_enabled(self.ks) and
-            not os.path.exists("/selinux/enforce")):
-            raise CreatorError("SELinux requested but not enabled on host")
-
     def __write_fstab(self):
         fstab = open(self._instroot + "/etc/fstab", "w")
         fstab.write(self._get_fstab())
@@ -441,17 +437,20 @@ class ImageCreator(object):
         return booleans
 
     def __create_selinuxfs(self):
-        # if selinux exists on the host we need to lie to the chroot
-        if os.path.exists("/selinux/enforce"):
+        # if selinux is on in ks file we need to lie to the chroot
+        if kickstart.selinux_enabled(self.ks):
             selinux_dir = self._instroot + "/selinux"
 
             # enforce=0 tells the chroot selinux is not enforcing
             # policyvers=999 tell the chroot to make the highest version of policy it can
 
+            mls = selinux.is_selinux_mls_enabled()
+            if mls < 0: mls = 1
+
             files = [('/enforce', '0'),
                      ('/policyvers', '999'),
                      ('/commit_pending_bools', ''),
-                     ('/mls', str(selinux.is_selinux_mls_enabled()))]
+                     ('/mls', str(mls))]
 
             for (file, value) in files + self.__getbooleans():
                 fd = os.open(selinux_dir + file, os.O_WRONLY | os.O_TRUNC | os.O_CREAT)
@@ -462,15 +461,9 @@ class ImageCreator(object):
             # make /load -> /dev/null so chroot policy loads don't hurt anything
             os.mknod(selinux_dir + "/load", 0666 | stat.S_IFCHR, os.makedev(1, 3))
 
-        # selinux is on in the kickstart, so clean up as best we can to start
-        if kickstart.selinux_enabled(self.ks):
             # label the fs like it is a root before the bind mounting
             arglist = ["/sbin/setfiles", "-F", "-r", self._instroot, selinux.selinux_file_context_path(), self._instroot]
             subprocess.call(arglist, close_fds = True)
-            # these dumb things don't get magically fixed, so make the user generic
-            for f in ("/proc", "/sys", "/selinux"):
-                arglist = ["/usr/bin/chcon", "-u", "system_u", self._instroot + f]
-                subprocess.call(arglist, close_fds = True)
 
     def __destroy_selinuxfs(self):
         # if the system was running selinux clean up our lies
@@ -726,13 +719,13 @@ class ImageCreator(object):
         kickstart.KeyboardConfig(self._instroot).apply(ksh.keyboard)
         kickstart.TimezoneConfig(self._instroot).apply(ksh.timezone)
         kickstart.AuthConfig(self._instroot).apply(ksh.authconfig)
-        kickstart.SelinuxConfig(self._instroot).apply(ksh.selinux)
         kickstart.FirewallConfig(self._instroot).apply(ksh.firewall)
         kickstart.RootPasswordConfig(self._instroot).apply(ksh.rootpw)
         kickstart.ServicesConfig(self._instroot).apply(ksh.services)
         kickstart.XConfig(self._instroot).apply(ksh.xconfig)
         kickstart.NetworkConfig(self._instroot).apply(ksh.network)
         kickstart.RPMMacroConfig(self._instroot).apply(self.ks)
+        kickstart.SelinuxConfig(self._instroot).apply(ksh.selinux)
 
         self._create_bootconfig()
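Review bot: Moving the `SelinuxConfig` call to the end of the `apply` sequence encodes an ordering dependency that nothing in the code states, so a later reorder of these calls would silently undo the fix. Add a comment above the moved line: `# keep last: relabels files written by the config steps above`. The enclosing method starts outside this hunk.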
 
diff --git a/imgcreate/kickstart.py b/imgcreate/kickstart.py
index 328043c..82d86aa 100644
--- a/imgcreate/kickstart.py
+++ b/imgcreate/kickstart.py
@@ -22,6 +22,7 @@ import shutil
 import subprocess
 import time
 import logging
+import selinux
 import urlgrabber
 
 try:
@@ -414,10 +415,9 @@ class SelinuxConfig(KickstartConfig):
 
         if ksselinux.selinux == ksconstants.SELINUX_DISABLED:
             return
-        if not os.path.exists(self.path("/sbin/restorecon")):
+        if not os.path.exists(self.path("/sbin/setfiles")):
             return
-
-        self.call(["/sbin/restorecon", "-l", "-r", "-F", "-e", "/proc", "-e", "/sys", "-e", "/dev", "-e", "/selinux", "/"])
+        self.call(["/sbin/setfiles", selinux.selinux_file_context_path(), "/"])
 
     def apply(self, ksselinux):
         if os.path.exists(self.path("/usr/sbin/lokkit")):
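Review bot: The new `setfiles` invocation drops the `-e /proc -e /sys -e /dev -e /selinux` exclusions that the replaced `restorecon` call carried, so a relabel of `/` inside the chroot will descend into whatever is mounted there, including the pseudo filesystems this tool bind-mounts from the host. Restore the exclusions: `self.call(["/sbin/setfiles", "-e", "/proc", "-e", "/sys", "-e", "/dev", "-e", "/selinux", selinux.selinux_file_context_path(), "/"])`. The existence check on the line above tests the image's `/sbin/setfiles`, yet `selinux.selinux_file_context_path()` is evaluated in the build process and presumably reflects the host's configuration; verify that the path it returns is valid inside the chroot. The enclosing method starts outside this hunk.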
-- 
1.6.6.1
