On Wed, Dec 10, 2008 at 06:04:36PM +0100, Vreman, Peter - Acision wrote:
>
>> -----Original Message-----
>> From: cobbler-bounces(a)lists.fedorahosted.org [mailto:cobbler-
>> bounces(a)lists.fedorahosted.org] On Behalf Of Michael DeHaan
>> Sent: woensdag 10 december 2008 17:36
>> To: Anton Arapov
>> Cc: cobbler(a)lists.fedorahosted.org
>> Subject: Re: [KOAN 1.2.X PATCH] SELinux: set correct security context for
>> lvm partitions
>>
>> Anton Arapov wrote:
>>
>>> Hello crew,
>>>
>>> On SELinux enabled system:
>>> # cobbler system add --name vguest --profile F-10-x86_64 \
>>> --virt-type qemu \
>>> --virt-bridge virbr0 \
>>> --virt-path vg
>>> # koan --server 'host' --virt --system vguest2
>>>
>>> These will fail to run, because koan did not set the correct security context
>>> for created lvm partition.
>>> It must execute something like:
>>> # chcon -t virt_image_t /dev/mapper/%lvm_partition%
>>>
>>> Patch addressed to the ticket #321:
>>> https://fedorahosted.org/cobbler/ticket/321
>>>
>>> I've also added some concerns about the SELinux check already implemented in
>>> cobbler. So please, read the ticket and leave feedback. :)
>>>
>>> Cheers!
>>> ==
>>> diff -urpN koan-1.2.6.orig/koan/app.py koan-1.2.6/koan/app.py
>>> --- koan-1.2.6.orig/koan/app.py 2008-12-10 09:04:12.082359000
>>>
>> +0100
>>
>>> +++ koan-1.2.6/koan/app.py 2008-12-10 09:18:59.765607726 +0100
>>> @@ -1213,8 +1213,23 @@ class Koan:
>>> if lv_create != 0:
>>> raise InfoException, "LVM creation
failed"
>>>
>>> + # partition location
>>> + partition_location = "/dev/mapper/%s-%s" %
>>>
>> (location,name.replace('-','--'))
>>
>>> +
>>> + # check whether we have SELinux enabled system
>>> + args = "/usr/sbin/selinuxenabled"
>>> + selinuxenabled = sub_process.call(args)
>>> + if selinuxenabled == 0:
>>> + # permissive or enforcing or something else, and
>>> + # set appropriate security context for LVM
>>>
>> partition
>>
>>> + args = "/usr/bin/chcon -t virt_image_t %s" %
>>>
>> partition_location
>>
>>> + print "%s" % args
>>> + change_context = sub_process.call(args, shell=True)
>>> + if change_context != 0:
>>> + raise InfoException, "SELinux security context
>>>
>> setting to LVM partition failed"
>>
>>> +
>>> # return partition location
>>> - return "/dev/mapper/%s-%s" %
(location,name.replace('-
>>>
>> ','--'))
>>
>>> + return partition_location
>>> else:
>>> raise InfoException, "volume group needs %s GB free
>>>
>> space." % virt_size
>>
>>>
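Review bot: the `sub_process.call(args)` on the `/usr/sbin/selinuxenabled` line raises OSError instead of returning a non-zero status when the binary is absent, so on a distro without the SELinux user-space tools the whole LVM branch blows up after the logical volume has already been created; check for the file first (or catch OSError) and skip the labelling step, which is also the portability point raised below. Separately, the chcon call builds a command string containing partition_location and runs it with `shell=True`; since that path is derived from the caller-supplied volume group and guest name, pass an argument list instead, e.g. `sub_process.call(["/usr/bin/chcon", "-t", "virt_image_t", partition_location])`, and drop the debug `print "%s" % args` before merging.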
>> Is "/usr/sbin/selinuxenabled" available on older EL distros? Cobbler
>> contains some code for similar things that uses getenforce. Earlier I
>> thought this binary didn't exist on my box, but I /do/ have it on F9.
>>
>> Otherwise, looks fine, though I think we need to make sure this binary
>> is available. We should also check to see if it /exists/ first, because
>> long term we'll want koan to work on non-Fedora/Red-Hat based distros so
>> we can also package it there.
>>
> The tool is available on RHEL 4.6:
>
Great! So we can go with this patch. :)
-- Anton.
> tcsia12# cat /etc/redhat-release
> Red Hat Enterprise Linux AS release 4 (Nahant Update 6)
> tcsia12# rpm -ql libselinux-1.19.1-7.4 | grep enable
> /usr/sbin/selinuxenabled
> /usr/share/man/man8/selinuxenabled.8.gz
>
> On Debian it is in selinux-utils, see
> http://packages.debian.org/etch/i386/selinux-utils/filelist
>
>
> Peter
>
>
>
>
> _______________________________________________
> cobbler mailing list
> cobbler(a)lists.fedorahosted.org
> https://fedorahosted.org/mailman/listinfo/cobbler
>
FWIW, this patch does not apply -- possibly it was made against master
and not the devel branch.
See
and use
git-format-patch in the future and it makes things easier.
This is trivial so I'll see about applying it manually.
--Michael
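As an added example that is not part of this thread, koan, or the quoted patch, the following Python 3 rendering shows the labelling step the patch introduces, restructured around the two review points: it tests for the SELinux tools before calling them (Michael's portability concern, so non-Fedora/RHEL hosts simply skip the step instead of crashing), and it invokes chcon with an argument list rather than a shell string. It goes slightly beyond the patch in escaping hyphens in the volume group name as well as the volume name, which is how device-mapper actually names nodes. The tool paths are parameters so the functions can be exercised on a machine without SELinux; the device path and guest names used in the demo are constructed.

```python
"""Added example (not koan's code): SELinux labelling of a freshly created
LVM volume, done defensively."""
import os
import subprocess

# Paths taken from the quoted patch; overridable so the logic can be
# exercised on hosts that lack the SELinux user-space tools.
SELINUXENABLED = "/usr/sbin/selinuxenabled"
CHCON = "/usr/bin/chcon"


def build_partition_path(location, name):
    """Device-mapper node for logical volume `name` in volume group `location`.

    device-mapper escapes '-' inside a VG or LV name as '--' (the patch does
    this for the LV name only; doing it for the VG name too is an extension).
    """
    return "/dev/mapper/%s-%s" % (location.replace("-", "--"),
                                  name.replace("-", "--"))


def _is_executable(path):
    return os.path.isfile(path) and os.access(path, os.X_OK)


def selinux_enabled(selinuxenabled=SELINUXENABLED):
    """True/False from selinuxenabled's exit status (0 = enabled, 1 = disabled).

    Returns None when the tool is absent, so the caller can distinguish
    "SELinux is off" from "this distro has no SELinux tooling".  Calling
    subprocess on a missing path would raise OSError, which is exactly the
    failure mode the patch did not handle.
    """
    if not _is_executable(selinuxenabled):
        return None
    return subprocess.call([selinuxenabled]) == 0


def label_virt_image(partition_location, selinuxenabled=SELINUXENABLED,
                     chcon=CHCON):
    """Apply the virt_image_t type to the LVM device when SELinux is enabled.

    Returns 'labelled', 'selinux-disabled' or 'tools-missing'.  Raises
    RuntimeError when SELinux is enabled but labelling cannot be done, the
    situation in which the guest would fail to start.
    """
    enabled = selinux_enabled(selinuxenabled)
    if enabled is None:
        return "tools-missing"
    if not enabled:
        return "selinux-disabled"
    if not _is_executable(chcon):
        raise RuntimeError("SELinux is enabled but %s is not available" % chcon)
    # Argument list, never shell=True: the device path is built from the
    # caller-chosen volume group and guest name and must not be re-parsed
    # by /bin/sh.
    rc = subprocess.call([chcon, "-t", "virt_image_t", partition_location])
    if rc != 0:
        raise RuntimeError(
            "SELinux security context setting to LVM partition failed")
    return "labelled"


if __name__ == "__main__":
    # Constructed demo values mirroring the thread's `--virt-path vg` and
    # `--name vguest`; on a host without selinuxenabled this prints
    # 'tools-missing' instead of raising.
    dev = build_partition_path("vg", "vguest")
    print(dev)
    print(label_virt_image(dev))
```

The return value rather than a bare boolean lets the caller log why labelling was skipped, which matters during an incident: a guest that boots unlabelled on a permissive box looks identical to a correctly labelled one until the policy is switched to enforcing.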