RE: [KOAN 1.2.X PATCH] SELinux: set correct security context for lvm partitions

-----Original Message----- From: cobbler-bounces(a)lists.fedorahosted.org [mailto:cobbler- bounces(a)lists.fedorahosted.org] On Behalf Of Michael DeHaan Sent: woensdag 10 december 2008 17:36 To: Anton Arapov Cc: cobbler(a)lists.fedorahosted.org Subject: Re: [KOAN 1.2.X PATCH] SELinux: set correct security context for lvm partitions Anton Arapov wrote: > Hello crew, > > On SELinux enabled system: > # cobbler system add --name vguest --profile F-10-x86_64 \ > --virt-type qemu \ > --virt-bridge virbr0 \ > --virt-path vg > # koan --server 'host' --virt --system vguest2 > > These will fail to run, because koan did not set the correct security context > for created lvm partition. > It must execute something like: > # chcon -t virt_image_t /dev/mapper/%lvm_partition% > > Patch addressed to the ticket #321: > https://fedorahosted.org/cobbler/ticket/321 > > I've added also some concerns, about already implemented in cobbler > selinux check. So please, read the ticket and leave feedback. :) > > Cheers! > == > diff -urpN koan-1.2.6.orig/koan/app.py koan-1.2.6/koan/app.py > --- koan-1.2.6.orig/koan/app.py 2008-12-10 09:04:12.082359000 +0100 > +++ koan-1.2.6/koan/app.py 2008-12-10 09:18:59.765607726 +0100 > @@ -1213,8 +1213,23 @@ class Koan: > if lv_create != 0: > raise InfoException, "LVM creation failed" > > + # partition location > + partition_location = "/dev/mapper/%s-%s" % (location,name.replace('-','--')) > + > + # check whether we have SELinux enabled system > + args = "/usr/sbin/selinuxenabled" > + selinuxenabled = sub_process.call(args) > + if selinuxenabled == 0: > + # permissive or enforcing or something else, and > + # set appropriate security context for LVM partition > + args = "/usr/bin/chcon -t virt_image_t %s" % partition_location > + print "%s" % args > + change_context = sub_process.call(args, shell=True) > + if change_context != 0: > + raise InfoException, "SELinux security context setting to LVM partition failed" > + > # return partition location > - return "/dev/mapper/%s-%s" % (location,name.replace('- ','--')) > + return partition_location > else: > raise InfoException, "volume group needs %s GB free space." % virt_size > > Is "/usr/sbin/selinuxenabled" available on older EL distros? Cobbler contains some code for similar things that uses getenforce. Earlier I thought this binary didn't exist on my box, but I /do/ have it on F9. Otherwise, looks fine, though I think we need to make sure this binary is available. We should also check to see if it /exists/ first, because long term we'll want koan to work on non-Fedora/Red-Hat based distros so we can also package it there.