-----Original Message-----
From: cobbler-bounces(a)lists.fedorahosted.org [mailto:cobbler-bounces(a)lists.fedorahosted.org] On Behalf Of Michael DeHaan
Sent: Wednesday 10 December 2008 17:36
To: Anton Arapov
Cc: cobbler(a)lists.fedorahosted.org
Subject: Re: [KOAN 1.2.X PATCH] SELinux: set correct security context for lvm partitions
Anton Arapov wrote:
> Hello crew,
>
> On SELinux enabled system:
> # cobbler system add --name vguest --profile F-10-x86_64 \
> --virt-type qemu \
> --virt-bridge virbr0 \
> --virt-path vg
> # koan --server 'host' --virt --system vguest2
>
> These will fail to run, because koan did not set the correct security
> context for the created LVM partition.
> It must execute something like:
> # chcon -t virt_image_t /dev/mapper/%lvm_partition%
>
> Patch addressed to the ticket #321:
>
> https://fedorahosted.org/cobbler/ticket/321
>
> I've also added some concerns about the SELinux check already implemented
> in cobbler. So please read the ticket and leave feedback. :)
>
> Cheers!
> ==
> diff -urpN koan-1.2.6.orig/koan/app.py koan-1.2.6/koan/app.py
> --- koan-1.2.6.orig/koan/app.py 2008-12-10 09:04:12.082359000
+0100
> +++ koan-1.2.6/koan/app.py 2008-12-10 09:18:59.765607726 +0100
> @@ -1213,8 +1213,23 @@ class Koan:
> if lv_create != 0:
> raise InfoException, "LVM creation failed"
>
> + # partition location
> + partition_location = "/dev/mapper/%s-%s" %
(location,name.replace('-','--'))
> +
> + # check whether we have SELinux enabled system
> + args = "/usr/sbin/selinuxenabled"
> + selinuxenabled = sub_process.call(args)
> + if selinuxenabled == 0:
> + # permissive or enforcing or something else, and
> + # set appropriate security context for LVM
partition
> + args = "/usr/bin/chcon -t virt_image_t %s" %
partition_location
> + print "%s" % args
> + change_context = sub_process.call(args, shell=True)
> + if change_context != 0:
> + raise InfoException, "SELinux security context
setting to LVM partition failed"
> +
> # return partition location
> - return "/dev/mapper/%s-%s" %
(location,name.replace('-
','--'))
> + return partition_location
> else:
> raise InfoException, "volume group needs %s GB free
space." % virt_size
>
>
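Review bot: the chcon invocation in this hunk is assembled as a shell string and run with `shell=True`, so `partition_location` (which is derived from the caller-supplied `name`) is handed to /bin/sh for word splitting and metacharacter expansion; pass an argument list instead, e.g. `sub_process.call(["/usr/bin/chcon", "-t", "virt_image_t", partition_location])`, which needs no `shell=True` at all. The `sub_process.call("/usr/sbin/selinuxenabled")` line also needs an existence check (`os.path.exists`) or a try/except for `OSError`, because `call` raises rather than returning non-zero when the binary is missing, which would turn the non-SELinux case into a crash instead of a skip. The debug `print "%s" % args` should be dropped or routed through the module's logging before merging.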
Is "/usr/sbin/selinuxenabled" available on older EL distros? Cobbler
contains some code for similar things that uses getenforce. Earlier I
thought this binary didn't exist on my box, but I /do/ have it on F9.
Otherwise, looks fine, though I think we need to make sure this binary
is available. We should also check to see if it /exists/ first, because
long term we'll want koan to work on non-Fedora/Red-Hat based distros so
we can also package it there.
The tool is available on RHEL 4.6:
tcsia12# cat /etc/redhat-release
Red Hat Enterprise Linux AS release 4 (Nahant Update 6)
tcsia12# rpm -ql libselinux-1.19.1-7.4 | grep enable
/usr/sbin/selinuxenabled
/usr/share/man/man8/selinuxenabled.8.gz
On Debian it is in selinux-utils, see
Peter