2:49 a.m.
Hello crew,
On SELinux enabled system:
# cobbler system add --name vguest --profile F-10-x86_64 \
--virt-type qemu \
--virt-bridge virbr0 \
--virt-path vg
# koan --server 'host' --virt --system vguest2
These will fail to run, because koan did not set the correct security context
for created lvm partition.
It must execute something like:
# chcon -t virt_image_t /dev/mapper/%lvm_partition%
Patch addressed to the ticket #321:
https://fedorahosted.org/cobbler/ticket/321
I've added also some concerns, about already implemented in cobbler
selinux check. So please, read the ticket and leave feedback. :)
Cheers!
==
diff -urpN koan-1.2.6.orig/koan/app.py koan-1.2.6/koan/app.py
--- koan-1.2.6.orig/koan/app.py 2008-12-10 09:04:12.082359000 +0100
+++ koan-1.2.6/koan/app.py 2008-12-10 09:18:59.765607726 +0100
@@ -1213,8 +1213,23 @@ class Koan:
if lv_create != 0:
raise InfoException, "LVM creation failed"
+ # partition location
+ partition_location = "/dev/mapper/%s-%s" %
(location,name.replace('-','--'))
+
+ # check whether we have SELinux enabled system
+ args = "/usr/sbin/selinuxenabled"
+ selinuxenabled = sub_process.call(args)
+ if selinuxenabled == 0:
+ # permissive or enforcing or something else, and
+ # set appropriate security context for LVM partition
+ args = "/usr/bin/chcon -t virt_image_t %s" %
partition_location
+ print "%s" % args
+ change_context = sub_process.call(args, shell=True)
+ if change_context != 0:
+ raise InfoException, "SELinux security context setting to
LVM partition failed"
+
# return partition location
- return "/dev/mapper/%s-%s" %
(location,name.replace('-','--'))
+ return partition_location
else:
raise InfoException, "volume group needs %s GB free space." %
virt_size
10:35 a.m.
New subject: [KOAN 1.2.X PATCH] SELinux: set correct security context for lvm partitions
Anton Arapov wrote:
Hello crew,
On SELinux enabled system:
# cobbler system add --name vguest --profile F-10-x86_64 \
--virt-type qemu \
--virt-bridge virbr0 \
--virt-path vg
# koan --server 'host' --virt --system vguest2
These will fail to run, because koan did not set the correct security context
for created lvm partition.
It must execute something like:
# chcon -t virt_image_t /dev/mapper/%lvm_partition%
Patch addressed to the ticket #321:
https://fedorahosted.org/cobbler/ticket/321
I've added also some concerns, about already implemented in cobbler
selinux check. So please, read the ticket and leave feedback. :)
Cheers!
==
diff -urpN koan-1.2.6.orig/koan/app.py koan-1.2.6/koan/app.py
--- koan-1.2.6.orig/koan/app.py 2008-12-10 09:04:12.082359000 +0100
+++ koan-1.2.6/koan/app.py 2008-12-10 09:18:59.765607726 +0100
@@ -1213,8 +1213,23 @@ class Koan:
if lv_create != 0:
raise InfoException, "LVM creation failed"
+ # partition location
+ partition_location = "/dev/mapper/%s-%s" %
(location,name.replace('-','--'))
+
+ # check whether we have SELinux enabled system
+ args = "/usr/sbin/selinuxenabled"
+ selinuxenabled = sub_process.call(args)
+ if selinuxenabled == 0:
+ # permissive or enforcing or something else, and
+ # set appropriate security context for LVM partition
+ args = "/usr/bin/chcon -t virt_image_t %s" %
partition_location
+ print "%s" % args
+ change_context = sub_process.call(args, shell=True)
+ if change_context != 0:
+ raise InfoException, "SELinux security context setting to
LVM partition failed"
+
# return partition location
- return "/dev/mapper/%s-%s" %
(location,name.replace('-','--'))
+ return partition_location
else:
raise InfoException, "volume group needs %s GB free space." %
virt_size
Is "/usr/sbin/selinuxenabled" available on older EL distros? Cobbler
contains some code for similar things that uses getenforce. Earlier I
thought this binary didn't exist on my box, but I /do/ have it on F9.
Otherwise, looks fine, though I think we need to make sure this binary
is available. We should also check to see if it /exists/ first, because
long term we'll want koan to work on non-Fedora/Red-Hat based distros so
we can also package it there.
--Michael
11:04 a.m.
New subject: [KOAN 1.2.X PATCH] SELinux: set correct security context for lvm partitions
-----Original Message-----
From: cobbler-bounces(a)lists.fedorahosted.org [mailto:cobbler-
bounces(a)lists.fedorahosted.org] On Behalf Of Michael DeHaan
Sent: woensdag 10 december 2008 17:36
To: Anton Arapov
Cc: cobbler(a)lists.fedorahosted.org
Subject: Re: [KOAN 1.2.X PATCH] SELinux: set correct security context for
lvm partitions
Anton Arapov wrote:
> Hello crew,
>
> On SELinux enabled system:
> # cobbler system add --name vguest --profile F-10-x86_64 \
> --virt-type qemu \
> --virt-bridge virbr0 \
> --virt-path vg
> # koan --server 'host' --virt --system vguest2
>
> These will fail to run, because koan did not set the correct security
context
> for created lvm partition.
> It must execute something like:
> # chcon -t virt_image_t /dev/mapper/%lvm_partition%
>
> Patch addressed to the ticket #321:
> https://fedorahosted.org/cobbler/ticket/321
>
> I've added also some concerns, about already implemented in cobbler
> selinux check. So please, read the ticket and leave feedback. :)
>
> Cheers!
> ==
> diff -urpN koan-1.2.6.orig/koan/app.py koan-1.2.6/koan/app.py
> --- koan-1.2.6.orig/koan/app.py 2008-12-10 09:04:12.082359000
+0100
> +++ koan-1.2.6/koan/app.py 2008-12-10 09:18:59.765607726 +0100
> @@ -1213,8 +1213,23 @@ class Koan:
> if lv_create != 0:
> raise InfoException, "LVM creation failed"
>
> + # partition location
> + partition_location = "/dev/mapper/%s-%s" %
(location,name.replace('-','--'))
> +
> + # check whether we have SELinux enabled system
> + args = "/usr/sbin/selinuxenabled"
> + selinuxenabled = sub_process.call(args)
> + if selinuxenabled == 0:
> + # permissive or enforcing or something else, and
> + # set appropriate security context for LVM
partition
> + args = "/usr/bin/chcon -t virt_image_t %s" %
partition_location
> + print "%s" % args
> + change_context = sub_process.call(args, shell=True)
> + if change_context != 0:
> + raise InfoException, "SELinux security context
setting to LVM partition failed"
> +
> # return partition location
> - return "/dev/mapper/%s-%s" %
(location,name.replace('-
','--'))
> + return partition_location
> else:
> raise InfoException, "volume group needs %s GB free
space." % virt_size
>
>
Is "/usr/sbin/selinuxenabled" available on older EL distros? Cobbler
contains some code for similar things that uses getenforce. Earlier I
thought this binary didn't exist on my box, but I /do/ have it on F9.
Otherwise, looks fine, though I think we need to make sure this binary
is available. We should also check to see if it /exists/ first, because
long term we'll want koan to work on non-Fedora/Red-Hat based distros so
we can also package it there.
The tool is available on RHEL 4.6:
tcsia12# cat /etc/redhat-release
Red Hat Enterprise Linux AS release 4 (Nahant Update 6)
tcsia12# rpm -ql libselinux-1.19.1-7.4 | grep enable
/usr/sbin/selinuxenabled
/usr/share/man/man8/selinuxenabled.8.gz
On debian it is in selinux-utils, see
http://packages.debian.org/etch/i386/selinux-utils/filelist
Peter
This e-mail and any attachment is for authorised use by the intended recipient(s) only. It
may contain proprietary material, confidential information and/or be subject to legal
privilege. It should not be copied, disclosed to, retained or used by, any other party. If
you are not an intended recipient then please promptly delete this e-mail and any
attachment and all copies and inform the sender. Thank you.
12:11 p.m.
On Wed, Dec 10, 2008 at 06:04:36PM +0100, Vreman, Peter - Acision wrote:
> -----Original Message-----
> From: cobbler-bounces(a)lists.fedorahosted.org [mailto:cobbler-
> bounces(a)lists.fedorahosted.org] On Behalf Of Michael DeHaan
> Sent: woensdag 10 december 2008 17:36
> To: Anton Arapov
> Cc: cobbler(a)lists.fedorahosted.org
> Subject: Re: [KOAN 1.2.X PATCH] SELinux: set correct security context for
> lvm partitions
>
> Anton Arapov wrote:
> > Hello crew,
> >
> > On SELinux enabled system:
> > # cobbler system add --name vguest --profile F-10-x86_64 \
> > --virt-type qemu \
> > --virt-bridge virbr0 \
> > --virt-path vg
> > # koan --server 'host' --virt --system vguest2
> >
> > These will fail to run, because koan did not set the correct security
> context
> > for created lvm partition.
> > It must execute something like:
> > # chcon -t virt_image_t /dev/mapper/%lvm_partition%
> >
> > Patch addressed to the ticket #321:
> > https://fedorahosted.org/cobbler/ticket/321
> >
> > I've added also some concerns, about already implemented in cobbler
> > selinux check. So please, read the ticket and leave feedback. :)
> >
> > Cheers!
> > ==
> > diff -urpN koan-1.2.6.orig/koan/app.py koan-1.2.6/koan/app.py
> > --- koan-1.2.6.orig/koan/app.py 2008-12-10 09:04:12.082359000
> +0100
> > +++ koan-1.2.6/koan/app.py 2008-12-10 09:18:59.765607726 +0100
> > @@ -1213,8 +1213,23 @@ class Koan:
> > if lv_create != 0:
> > raise InfoException, "LVM creation failed"
> >
> > + # partition location
> > + partition_location = "/dev/mapper/%s-%s" %
> (location,name.replace('-','--'))
> > +
> > + # check whether we have SELinux enabled system
> > + args = "/usr/sbin/selinuxenabled"
> > + selinuxenabled = sub_process.call(args)
> > + if selinuxenabled == 0:
> > + # permissive or enforcing or something else, and
> > + # set appropriate security context for LVM
> partition
> > + args = "/usr/bin/chcon -t virt_image_t %s" %
> partition_location
> > + print "%s" % args
> > + change_context = sub_process.call(args, shell=True)
> > + if change_context != 0:
> > + raise InfoException, "SELinux security context
> setting to LVM partition failed"
> > +
> > # return partition location
> > - return "/dev/mapper/%s-%s" %
(location,name.replace('-
> ','--'))
> > + return partition_location
> > else:
> > raise InfoException, "volume group needs %s GB free
> space." % virt_size
> >
> >
>
> Is "/usr/sbin/selinuxenabled" available on older EL distros? Cobbler
> contains some code for similar things that uses getenforce. Earlier I
> thought this binary didn't exist on my box, but I /do/ have it on F9.
>
> Otherwise, looks fine, though I think we need to make sure this binary
> is available. We should also check to see if it /exists/ first, because
> long term we'll want koan to work on non-Fedora/Red-Hat based distros so
> we can also package it there.
The tool is available on RHEL 4.6:
Great! So we can go with this patch. :)
-- Anton.
tcsia12# cat /etc/redhat-release
Red Hat Enterprise Linux AS release 4 (Nahant Update 6)
tcsia12# rpm -ql libselinux-1.19.1-7.4 | grep enable
/usr/sbin/selinuxenabled
/usr/share/man/man8/selinuxenabled.8.gz
On debian it is in selinux-utils, see
http://packages.debian.org/etch/i386/selinux-utils/filelist
Peter
This e-mail and any attachment is for authorised use by the intended recipient(s) only.
It may contain proprietary material, confidential information and/or be subject to legal
privilege. It should not be copied, disclosed to, retained or used by, any other party. If
you are not an intended recipient then please promptly delete this e-mail and any
attachment and all copies and inform the sender. Thank you.
_______________________________________________
cobbler mailing list
cobbler(a)lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/cobbler
--
-Anton
12:27 p.m.
Anton Arapov wrote:
On Wed, Dec 10, 2008 at 06:04:36PM +0100, Vreman, Peter - Acision
wrote:
>
>> -----Original Message-----
>> From: cobbler-bounces(a)lists.fedorahosted.org [mailto:cobbler-
>> bounces(a)lists.fedorahosted.org] On Behalf Of Michael DeHaan
>> Sent: woensdag 10 december 2008 17:36
>> To: Anton Arapov
>> Cc: cobbler(a)lists.fedorahosted.org
>> Subject: Re: [KOAN 1.2.X PATCH] SELinux: set correct security context for
>> lvm partitions
>>
>> Anton Arapov wrote:
>>
>>> Hello crew,
>>>
>>> On SELinux enabled system:
>>> # cobbler system add --name vguest --profile F-10-x86_64 \
>>> --virt-type qemu \
>>> --virt-bridge virbr0 \
>>> --virt-path vg
>>> # koan --server 'host' --virt --system vguest2
>>>
>>> These will fail to run, because koan did not set the correct security
>>>
>> context
>>
>>> for created lvm partition.
>>> It must execute something like:
>>> # chcon -t virt_image_t /dev/mapper/%lvm_partition%
>>>
>>> Patch addressed to the ticket #321:
>>> https://fedorahosted.org/cobbler/ticket/321
>>>
>>> I've added also some concerns, about already implemented in cobbler
>>> selinux check. So please, read the ticket and leave feedback. :)
>>>
>>> Cheers!
>>> ==
>>> diff -urpN koan-1.2.6.orig/koan/app.py koan-1.2.6/koan/app.py
>>> --- koan-1.2.6.orig/koan/app.py 2008-12-10 09:04:12.082359000
>>>
>> +0100
>>
>>> +++ koan-1.2.6/koan/app.py 2008-12-10 09:18:59.765607726 +0100
>>> @@ -1213,8 +1213,23 @@ class Koan:
>>> if lv_create != 0:
>>> raise InfoException, "LVM creation
failed"
>>>
>>> + # partition location
>>> + partition_location = "/dev/mapper/%s-%s" %
>>>
>> (location,name.replace('-','--'))
>>
>>> +
>>> + # check whether we have SELinux enabled system
>>> + args = "/usr/sbin/selinuxenabled"
>>> + selinuxenabled = sub_process.call(args)
>>> + if selinuxenabled == 0:
>>> + # permissive or enforcing or something else, and
>>> + # set appropriate security context for LVM
>>>
>> partition
>>
>>> + args = "/usr/bin/chcon -t virt_image_t %s" %
>>>
>> partition_location
>>
>>> + print "%s" % args
>>> + change_context = sub_process.call(args, shell=True)
>>> + if change_context != 0:
>>> + raise InfoException, "SELinux security context
>>>
>> setting to LVM partition failed"
>>
>>> +
>>> # return partition location
>>> - return "/dev/mapper/%s-%s" %
(location,name.replace('-
>>>
>> ','--'))
>>
>>> + return partition_location
>>> else:
>>> raise InfoException, "volume group needs %s GB free
>>>
>> space." % virt_size
>>
>>>
>> Is "/usr/sbin/selinuxenabled" available on older EL distros? Cobbler
>> contains some code for similar things that uses getenforce. Earlier I
>> thought this binary didn't exist on my box, but I /do/ have it on F9.
>>
>> Otherwise, looks fine, though I think we need to make sure this binary
>> is available. We should also check to see if it /exists/ first, because
>> long term we'll want koan to work on non-Fedora/Red-Hat based distros so
>> we can also package it there.
>>
> The tool is available on RHEL 4.6:
>
Great! So we can go with this patch. :)
-- Anton.
> tcsia12# cat /etc/redhat-release
> Red Hat Enterprise Linux AS release 4 (Nahant Update 6)
> tcsia12# rpm -ql libselinux-1.19.1-7.4 | grep enable
> /usr/sbin/selinuxenabled
> /usr/share/man/man8/selinuxenabled.8.gz
>
> On debian it is in selinux-utils, see
http://packages.debian.org/etch/i386/selinux-utils/filelist
>
>
> Peter
>
>
> This e-mail and any attachment is for authorised use by the intended recipient(s)
only. It may contain proprietary material, confidential information and/or be subject to
legal privilege. It should not be copied, disclosed to, retained or used by, any other
party. If you are not an intended recipient then please promptly delete this e-mail and
any attachment and all copies and inform the sender. Thank you.
>
>
> _______________________________________________
> cobbler mailing list
> cobbler(a)lists.fedorahosted.org
> https://fedorahosted.org/mailman/listinfo/cobbler
>
FWIW, this patch does not apply -- possibly it was made against master
and not the devel branch.
See https://fedorahosted.org/cobbler/wiki/PatchProcess and use
git-format-patch in the future and it makes things easier.
This is trivial so I'll see about applying it manually.
--Michael
2:50 a.m.
On Wed, Dec 10, 2008 at 01:27:29PM -0500, Michael DeHaan wrote:
Anton Arapov wrote:
> On Wed, Dec 10, 2008 at 06:04:36PM +0100, Vreman, Peter - Acision wrote:
>>> -----Original Message-----
>>> From: cobbler-bounces(a)lists.fedorahosted.org [mailto:cobbler-
>>> bounces(a)lists.fedorahosted.org] On Behalf Of Michael DeHaan
>>> Sent: woensdag 10 december 2008 17:36
>>> To: Anton Arapov
>>> Cc: cobbler(a)lists.fedorahosted.org
>>> Subject: Re: [KOAN 1.2.X PATCH] SELinux: set correct security context for
>>> lvm partitions
>>>
>>> Anton Arapov wrote:
>>>
>>>> Hello crew,
>>>>
>>>> On SELinux enabled system:
>>>> # cobbler system add --name vguest --profile F-10-x86_64 \
>>>> --virt-type qemu \
>>>> --virt-bridge virbr0 \
>>>> --virt-path vg
>>>> # koan --server 'host' --virt --system vguest2
>>>>
>>>> These will fail to run, because koan did not set the correct security
>>>>
>>> context
>>>
>>>> for created lvm partition.
>>>> It must execute something like:
>>>> # chcon -t virt_image_t /dev/mapper/%lvm_partition%
>>>>
>>>> Patch addressed to the ticket #321:
>>>> https://fedorahosted.org/cobbler/ticket/321
>>>>
>>>> I've added also some concerns, about already implemented in
cobbler
>>>> selinux check. So please, read the ticket and leave feedback. :)
>>>>
>>>> Cheers!
>>>> ==
[...cut...]
>>> Is "/usr/sbin/selinuxenabled" available on
older EL distros? Cobbler
>>> contains some code for similar things that uses getenforce. Earlier I
>>> thought this binary didn't exist on my box, but I /do/ have it on F9.
>>>
>>> Otherwise, looks fine, though I think we need to make sure this binary
>>> is available. We should also check to see if it /exists/ first, because
>>> long term we'll want koan to work on non-Fedora/Red-Hat based distros
so
>>> we can also package it there.
>> The tool is available on RHEL 4.6:
> Great! So we can go with this patch. :)
[...cut...]
FWIW, this patch does not apply -- possibly it was made against
master
and not the devel branch.
See https://fedorahosted.org/cobbler/wiki/PatchProcess and use
git-format-patch in the future and it makes things easier.
This is trivial so I'll see about applying it manually.
there is path against koan git tree:
koan/app.py | 9 +++++++++
koan/utils.py | 7 +++++++
2 files changed, 16 insertions(+), 0 deletions(-)
diff --git a/koan/app.py b/koan/app.py
index f5f982f..5751de2 100755
--- a/koan/app.py
+++ b/koan/app.py
@@ -1213,6 +1213,15 @@ class Koan:
if lv_create != 0:
raise InfoException, "LVM creation failed"
+ # SELinux enabled system?
+ if utils.is_selinux_enabled():
+ # set appropriate security context for LVM partition
+ args = "/usr/bin/chcon -t virt_image_t %s" %
partition_location
+ print "%s" % args
+ change_context = sub_process.call(args, shell=True)
+ if change_context != 0:
+ raise InfoException, "SELinux security context setting to
LVM partition failed"
+
# return partition location
return "/dev/mapper/%s-%s" %
(location,name.replace('-','--'))
else:
diff --git a/koan/utils.py b/koan/utils.py
index 36ef75f..cfebce8 100644
--- a/koan/utils.py
+++ b/koan/utils.py
@@ -156,6 +156,13 @@ def subprocess_call(cmd,ignore_rc=False):
raise InfoException, "command failed (%s)" % rc
return rc
+def is_selinux_enabled():
+ args = "/usr/sbin/selinuxenabled"
+ selinuxenabled = sub_process.call(args)
+ if selinuxenabled == 0:
+ return True
+ else:
+ return False
def input_string_or_hash(options,delim=None):
"""
2:54 a.m.
On Thu, Dec 11, 2008 at 09:50:34AM +0100, Anton Arapov wrote:
On Wed, Dec 10, 2008 at 01:27:29PM -0500, Michael DeHaan wrote:
> Anton Arapov wrote:
> > On Wed, Dec 10, 2008 at 06:04:36PM +0100, Vreman, Peter - Acision wrote:
> >>> -----Original Message-----
> >>> From: cobbler-bounces(a)lists.fedorahosted.org [mailto:cobbler-
> >>> bounces(a)lists.fedorahosted.org] On Behalf Of Michael DeHaan
> >>> Sent: woensdag 10 december 2008 17:36
> >>> To: Anton Arapov
> >>> Cc: cobbler(a)lists.fedorahosted.org
> >>> Subject: Re: [KOAN 1.2.X PATCH] SELinux: set correct security context
for
> >>> lvm partitions
> >>>
> >>> Anton Arapov wrote:
> >>>
> >>>> Hello crew,
> >>>>
> >>>> On SELinux enabled system:
> >>>> # cobbler system add --name vguest --profile F-10-x86_64 \
> >>>> --virt-type qemu \
> >>>> --virt-bridge virbr0 \
> >>>> --virt-path vg
> >>>> # koan --server 'host' --virt --system vguest2
> >>>>
> >>>> These will fail to run, because koan did not set the correct
security
> >>>>
> >>> context
> >>>
> >>>> for created lvm partition.
> >>>> It must execute something like:
> >>>> # chcon -t virt_image_t /dev/mapper/%lvm_partition%
> >>>>
> >>>> Patch addressed to the ticket #321:
> >>>> https://fedorahosted.org/cobbler/ticket/321
> >>>>
> >>>> I've added also some concerns, about already implemented in
cobbler
> >>>> selinux check. So please, read the ticket and leave feedback. :)
> >>>>
> >>>> Cheers!
> >>>> ==
[...cut...]
> >>> Is "/usr/sbin/selinuxenabled" available on older EL distros?
Cobbler
> >>> contains some code for similar things that uses getenforce. Earlier I
> >>> thought this binary didn't exist on my box, but I /do/ have it on
F9.
> >>>
> >>> Otherwise, looks fine, though I think we need to make sure this binary
> >>> is available. We should also check to see if it /exists/ first,
because
> >>> long term we'll want koan to work on non-Fedora/Red-Hat based
distros so
> >>> we can also package it there.
> >> The tool is available on RHEL 4.6:
> > Great! So we can go with this patch. :)
[...cut...]
> FWIW, this patch does not apply -- possibly it was made against master
> and not the devel branch.
>
> See https://fedorahosted.org/cobbler/wiki/PatchProcess and use
> git-format-patch in the future and it makes things easier.
>
> This is trivial so I'll see about applying it manually.
arrgh ... incorrect one has been generated, drop it.
will rediff in a moment.
there is path against koan git tree:
koan/app.py | 9 +++++++++
koan/utils.py | 7 +++++++
2 files changed, 16 insertions(+), 0 deletions(-)
diff --git a/koan/app.py b/koan/app.py
index f5f982f..5751de2 100755
--- a/koan/app.py
+++ b/koan/app.py
@@ -1213,6 +1213,15 @@ class Koan:
if lv_create != 0:
raise InfoException, "LVM creation failed"
+ # SELinux enabled system?
+ if utils.is_selinux_enabled():
+ # set appropriate security context for LVM partition
+ args = "/usr/bin/chcon -t virt_image_t %s" %
partition_location
+ print "%s" % args
+ change_context = sub_process.call(args, shell=True)
+ if change_context != 0:
+ raise InfoException, "SELinux security context setting to
LVM partition failed"
+
# return partition location
return "/dev/mapper/%s-%s" %
(location,name.replace('-','--'))
else:
diff --git a/koan/utils.py b/koan/utils.py
index 36ef75f..cfebce8 100644
--- a/koan/utils.py
+++ b/koan/utils.py
@@ -156,6 +156,13 @@ def subprocess_call(cmd,ignore_rc=False):
raise InfoException, "command failed (%s)" % rc
return rc
+def is_selinux_enabled():
+ args = "/usr/sbin/selinuxenabled"
+ selinuxenabled = sub_process.call(args)
+ if selinuxenabled == 0:
+ return True
+ else:
+ return False
def input_string_or_hash(options,delim=None):
"""
_______________________________________________
cobbler mailing list
cobbler(a)lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/cobbler
--
-Anton
3:01 a.m.
New subject: [KOAN PATCH] resend: SELinux: set correct security context for lvm partitions
On Wed, Dec 10, 2008 at 01:27:29PM -0500, Michael DeHaan wrote:
Anton Arapov wrote:
> On Wed, Dec 10, 2008 at 06:04:36PM +0100, Vreman, Peter - Acision wrote:
>>> -----Original Message-----
>>> From: cobbler-bounces(a)lists.fedorahosted.org [mailto:cobbler-
>>> bounces(a)lists.fedorahosted.org] On Behalf Of Michael DeHaan
>>> Sent: woensdag 10 december 2008 17:36
>>> To: Anton Arapov
>>> Cc: cobbler(a)lists.fedorahosted.org
>>> Subject: Re: [KOAN 1.2.X PATCH] SELinux: set correct security context for
>>> lvm partitions
>>>
>>> Anton Arapov wrote:
>>>> Hello crew,
>>>>
>>>> On SELinux enabled system:
>>>> # cobbler system add --name vguest --profile F-10-x86_64 \
>>>> --virt-type qemu \
>>>> --virt-bridge virbr0 \
>>>> --virt-path vg
>>>> # koan --server 'host' --virt --system vguest2
>>>>
>>>> These will fail to run, because koan did not set the correct security
context
>>>> for created lvm partition.
>>>> It must execute something like:
>>>> # chcon -t virt_image_t /dev/mapper/%lvm_partition%
>>>>
>>>> Patch addressed to the ticket #321:
>>>> https://fedorahosted.org/cobbler/ticket/321
>>>>
>>>> I've added also some concerns, about already implemented in
cobbler
>>>> selinux check. So please, read the ticket and leave feedback. :)
>>>>
[...cut...]
>>> Is "/usr/sbin/selinuxenabled" available on
older EL distros? Cobbler
>>> contains some code for similar things that uses getenforce. Earlier I
>>> thought this binary didn't exist on my box, but I /do/ have it on F9.
>>>
>>> Otherwise, looks fine, though I think we need to make sure this binary
>>> is available. We should also check to see if it /exists/ first, because
>>> long term we'll want koan to work on non-Fedora/Red-Hat based distros
so
>>> we can also package it there.
>> The tool is available on RHEL 4.6:
> Great! So we can go with this patch. :)
[...cut...]
FWIW, this patch does not apply -- possibly it was made against
master
and not the devel branch.
See https://fedorahosted.org/cobbler/wiki/PatchProcess and use
git-format-patch in the future and it makes things easier.
This is trivial so I'll see about applying it manually.
I figured out that cobbler from git devel branch already uses
selinuxenabled util. So I did it in the way it is in cobbler:
==
koan/app.py | 14 +++++++++++++-
koan/utils.py | 7 +++++++
2 files changed, 20 insertions(+), 1 deletions(-)
diff --git a/koan/app.py b/koan/app.py
index f5f982f..879f8ed 100755
--- a/koan/app.py
+++ b/koan/app.py
@@ -1213,8 +1213,20 @@ class Koan:
if lv_create != 0:
raise InfoException, "LVM creation failed"
+ # full path to LVM partition
+ partition_location = "/dev/mapper/%s-%s" %
(location,name.replace('-','--'))
+
+ # SELinux enabled system?
+ if utils.is_selinux_enabled():
+ # set appropriate security context for LVM partition
+ args = "/usr/bin/chcon -t virt_image_t %s" %
partition_location
+ print "%s" % args
+ change_context = sub_process.call(args, shell=True)
+ if change_context != 0:
+ raise InfoException, "SELinux security context setting to
LVM partition failed"
+
# return partition location
- return "/dev/mapper/%s-%s" %
(location,name.replace('-','--'))
+ return partition_location
else:
raise InfoException, "volume group needs %s GB free space." %
virt_size
diff --git a/koan/utils.py b/koan/utils.py
index 36ef75f..cfebce8 100644
--- a/koan/utils.py
+++ b/koan/utils.py
@@ -156,6 +156,13 @@ def subprocess_call(cmd,ignore_rc=False):
raise InfoException, "command failed (%s)" % rc
return rc
+def is_selinux_enabled():
+ args = "/usr/sbin/selinuxenabled"
+ selinuxenabled = sub_process.call(args)
+ if selinuxenabled == 0:
+ return True
+ else:
+ return False
def input_string_or_hash(options,delim=None):
"""
10:40 a.m.
New subject: [KOAN PATCH] resend: SELinux: set correct security context for lvm partitions
Anton Arapov wrote:
On Wed, Dec 10, 2008 at 01:27:29PM -0500, Michael DeHaan wrote:
> Anton Arapov wrote:
>
>> On Wed, Dec 10, 2008 at 06:04:36PM +0100, Vreman, Peter - Acision wrote:
>>
>>>> -----Original Message-----
>>>> From: cobbler-bounces(a)lists.fedorahosted.org [mailto:cobbler-
>>>> bounces(a)lists.fedorahosted.org] On Behalf Of Michael DeHaan
>>>> Sent: woensdag 10 december 2008 17:36
>>>> To: Anton Arapov
>>>> Cc: cobbler(a)lists.fedorahosted.org
>>>> Subject: Re: [KOAN 1.2.X PATCH] SELinux: set correct security context
for
>>>> lvm partitions
>>>>
>>>> Anton Arapov wrote:
>>>>
>>>>> Hello crew,
>>>>>
>>>>> On SELinux enabled system:
>>>>> # cobbler system add --name vguest --profile F-10-x86_64 \
>>>>> --virt-type qemu \
>>>>> --virt-bridge virbr0 \
>>>>> --virt-path vg
>>>>> # koan --server 'host' --virt --system vguest2
>>>>>
>>>>> These will fail to run, because koan did not set the correct
security context
>>>>> for created lvm partition.
>>>>> It must execute something like:
>>>>> # chcon -t virt_image_t /dev/mapper/%lvm_partition%
>>>>>
>>>>> Patch addressed to the ticket #321:
>>>>> https://fedorahosted.org/cobbler/ticket/321
>>>>>
>>>>> I've added also some concerns, about already implemented in
cobbler
>>>>> selinux check. So please, read the ticket and leave feedback. :)
>>>>>
>>>>>
[...cut...]
>>>> Is "/usr/sbin/selinuxenabled" available on older EL distros?
Cobbler
>>>> contains some code for similar things that uses getenforce. Earlier I
>>>> thought this binary didn't exist on my box, but I /do/ have it on
F9.
>>>>
>>>> Otherwise, looks fine, though I think we need to make sure this binary
>>>> is available. We should also check to see if it /exists/ first, because
>>>> long term we'll want koan to work on non-Fedora/Red-Hat based distros
so
>>>> we can also package it there.
>>>>
>>> The tool is available on RHEL 4.6:
>>>
>> Great! So we can go with this patch. :)
>>
[...cut...]
> FWIW, this patch does not apply -- possibly it was made against master
> and not the devel branch.
>
> See https://fedorahosted.org/cobbler/wiki/PatchProcess and use
> git-format-patch in the future and it makes things easier.
>
> This is trivial so I'll see about applying it manually.
>
I figured out that cobbler from git devel branch already uses
selinuxenabled util. So I did it in the way it is in cobbler:
Only because I copied from your patch yesterday :)
You should see that koan's devel branch already has your change applied,
so I believe we're good.
Thanks!
--Michael
==
koan/app.py | 14 +++++++++++++-
koan/utils.py | 7 +++++++
2 files changed, 20 insertions(+), 1 deletions(-)
diff --git a/koan/app.py b/koan/app.py
index f5f982f..879f8ed 100755
--- a/koan/app.py
+++ b/koan/app.py
@@ -1213,8 +1213,20 @@ class Koan:
if lv_create != 0:
raise InfoException, "LVM creation failed"
+ # full path to LVM partition
+ partition_location = "/dev/mapper/%s-%s" %
(location,name.replace('-','--'))
+
+ # SELinux enabled system?
+ if utils.is_selinux_enabled():
+ # set appropriate security context for LVM partition
+ args = "/usr/bin/chcon -t virt_image_t %s" %
partition_location
+ print "%s" % args
+ change_context = sub_process.call(args, shell=True)
+ if change_context != 0:
+ raise InfoException, "SELinux security context setting to
LVM partition failed"
+
# return partition location
- return "/dev/mapper/%s-%s" %
(location,name.replace('-','--'))
+ return partition_location
else:
raise InfoException, "volume group needs %s GB free space." %
virt_size
diff --git a/koan/utils.py b/koan/utils.py
index 36ef75f..cfebce8 100644
--- a/koan/utils.py
+++ b/koan/utils.py
@@ -156,6 +156,13 @@ def subprocess_call(cmd,ignore_rc=False):
raise InfoException, "command failed (%s)" % rc
return rc
+def is_selinux_enabled():
+ args = "/usr/sbin/selinuxenabled"
+ selinuxenabled = sub_process.call(args)
+ if selinuxenabled == 0:
+ return True
+ else:
+ return False
def input_string_or_hash(options,delim=None):
"""
_______________________________________________
cobbler mailing list
cobbler(a)lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/cobbler
11:02 a.m.
New subject: [KOAN PATCH] resend: SELinux: set correct security context for lvm partitions
On Thu, Dec 11, 2008 at 11:40:25AM -0500, Michael DeHaan wrote:
Anton Arapov wrote:
> On Wed, Dec 10, 2008 at 01:27:29PM -0500, Michael DeHaan wrote:
>
>> Anton Arapov wrote:
>>
>>> On Wed, Dec 10, 2008 at 06:04:36PM +0100, Vreman, Peter - Acision wrote:
>>>
>>>>> -----Original Message-----
>>>>> From: cobbler-bounces(a)lists.fedorahosted.org [mailto:cobbler-
>>>>> bounces(a)lists.fedorahosted.org] On Behalf Of Michael DeHaan
>>>>> Sent: woensdag 10 december 2008 17:36
>>>>> To: Anton Arapov
>>>>> Cc: cobbler(a)lists.fedorahosted.org
>>>>> Subject: Re: [KOAN 1.2.X PATCH] SELinux: set correct security
context for
>>>>> lvm partitions
>>>>>
>>>>> Anton Arapov wrote:
>>>>>
>>>>>> Hello crew,
>>>>>>
>>>>>> On SELinux enabled system:
>>>>>> # cobbler system add --name vguest --profile F-10-x86_64 \
>>>>>> --virt-type qemu \
>>>>>> --virt-bridge virbr0 \
>>>>>> --virt-path vg
>>>>>> # koan --server 'host' --virt --system vguest2
>>>>>>
>>>>>> These will fail to run, because koan did not set the correct
security context
>>>>>> for created lvm partition.
>>>>>> It must execute something like:
>>>>>> # chcon -t virt_image_t /dev/mapper/%lvm_partition%
>>>>>>
>>>>>> Patch addressed to the ticket #321:
>>>>>> https://fedorahosted.org/cobbler/ticket/321
>>>>>>
>>>>>> I've added also some concerns, about already implemented
in cobbler
>>>>>> selinux check. So please, read the ticket and leave feedback.
:)
>>>>>>
>>>>>>
> [...cut...]
>
>
>>>>> Is "/usr/sbin/selinuxenabled" available on older EL
distros? Cobbler
>>>>> contains some code for similar things that uses getenforce. Earlier
I
>>>>> thought this binary didn't exist on my box, but I /do/ have it
on F9.
>>>>>
>>>>> Otherwise, looks fine, though I think we need to make sure this
binary
>>>>> is available. We should also check to see if it /exists/ first,
because
>>>>> long term we'll want koan to work on non-Fedora/Red-Hat based
distros so
>>>>> we can also package it there.
>>>>>
>>>> The tool is available on RHEL 4.6:
>>>>
>>> Great! So we can go with this patch. :)
>>>
> [...cut...]
>
>
>> FWIW, this patch does not apply -- possibly it was made against master
>> and not the devel branch.
>>
>> See https://fedorahosted.org/cobbler/wiki/PatchProcess and use
>> git-format-patch in the future and it makes things easier.
>>
>> This is trivial so I'll see about applying it manually.
>>
>
> I figured out that cobbler from git devel branch already uses
> selinuxenabled util. So I did it in the way it is in cobbler:
>
Only because I copied from your patch yesterday :)
You should see that koan's devel branch already has your change applied,
so I believe we're good.
Aha! ... Didn't notice that we have
'devel' branch in koan's git as
well .... :) I see it now.
Thanks!
--Michael
> ==
>
> koan/app.py | 14 +++++++++++++-
> koan/utils.py | 7 +++++++
> 2 files changed, 20 insertions(+), 1 deletions(-)
>
> diff --git a/koan/app.py b/koan/app.py
> index f5f982f..879f8ed 100755
> --- a/koan/app.py
> +++ b/koan/app.py
> @@ -1213,8 +1213,20 @@ class Koan:
> if lv_create != 0:
> raise InfoException, "LVM creation failed"
>
> + # full path to LVM partition
> + partition_location = "/dev/mapper/%s-%s" %
(location,name.replace('-','--'))
> +
> + # SELinux enabled system?
> + if utils.is_selinux_enabled():
> + # set appropriate security context for LVM partition
> + args = "/usr/bin/chcon -t virt_image_t %s" %
partition_location
> + print "%s" % args
> + change_context = sub_process.call(args, shell=True)
> + if change_context != 0:
> + raise InfoException, "SELinux security context setting
to LVM partition failed"
> +
> # return partition location
> - return "/dev/mapper/%s-%s" %
(location,name.replace('-','--'))
> + return partition_location
> else:
> raise InfoException, "volume group needs %s GB free
space." % virt_size
>
> diff --git a/koan/utils.py b/koan/utils.py
> index 36ef75f..cfebce8 100644
> --- a/koan/utils.py
> +++ b/koan/utils.py
> @@ -156,6 +156,13 @@ def subprocess_call(cmd,ignore_rc=False):
> raise InfoException, "command failed (%s)" % rc
> return rc
>
> +def is_selinux_enabled():
> + args = "/usr/sbin/selinuxenabled"
> + selinuxenabled = sub_process.call(args)
> + if selinuxenabled == 0:
> + return True
> + else:
> + return False
>
> def input_string_or_hash(options,delim=None):
> """
>
> _______________________________________________
> cobbler mailing list
> cobbler(a)lists.fedorahosted.org
> https://fedorahosted.org/mailman/listinfo/cobbler
>
_______________________________________________
cobbler mailing list
cobbler(a)lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/cobbler
--
-Anton
9:33 a.m.
New subject: [KOAN PATCH] resend: SELinux: set correct security context for lvm partitions
Anton Arapov wrote:
On Thu, Dec 11, 2008 at 11:40:25AM -0500, Michael DeHaan wrote:
> Anton Arapov wrote:
>
>
Anton,
I'm pretty sure it's fine for applications to be ensuring that contexts
are set right, so the earlier things seem fine to me, though it also
seems that we would be better served having a SELinux policy written for
koan, and having that shipped with koan (and possibly installed by the
RPM -- or providing instructions for it do so). Perhaps we can follow
that tactic instead?
This would have the benefit of also being able to move koan out of being
unconfined, which may actually /improve/ security in a few regards
(except of course koan's there to reinstall your system if you use
--replace-self so it's a bit illusory to assume that's why we're doing
it). The policy would need to be very open ended because koan can
install files with it's --update-files feature and also manipulate grub?
Does that make sense?
--Michael
3:06 p.m.
New subject: [KOAN PATCH] resend: SELinux: set correct security context for lvm partitions
On Fri, Dec 12, 2008 at 10:33:44AM -0500, Michael DeHaan wrote:
Anton Arapov wrote:
> On Thu, Dec 11, 2008 at 11:40:25AM -0500, Michael DeHaan wrote:
>
>> Anton Arapov wrote:
>>
>>
Anton,
I'm pretty sure it's fine for applications to be ensuring that contexts
are set right, so the earlier things seem fine to me, though it also
seems that we would be better served having a SELinux policy written for
koan, and having that shipped with koan (and possibly installed by the
RPM -- or providing instructions for it do so). Perhaps we can follow
that tactic instead?
This would have the benefit of also being able to move koan out of being
unconfined, which may actually /improve/ security in a few regards
(except of course koan's there to reinstall your system if you use
--replace-self so it's a bit illusory to assume that's why we're doing
it). The policy would need to be very open ended because koan can
install files with it's --update-files feature and also manipulate grub?
Does that make sense?
Michael,
I did some investigations today, and have had a chance to speak
to Dan Walsh, our selinux guru. And the concern is that we have
mentioned by me selinux restrictions with semanage just because of
tricky implementation of the logging(how we log things to
~/.koan/koan.log) and another one, seems we have problem in
sub_process, it leaves filedescriptor open....
I will dive into it this weeked and will come up with solution.
If there will be the neeed of setting some context to the koan script,
probably..... but I do not think so. :)
-- Anton
4:49 p.m.
New subject: [KOAN PATCH] resend: SELinux: set correct security context for lvm partitions
On Fri, Dec 12, 2008 at 10:06:43PM +0100, Anton Arapov wrote:
On Fri, Dec 12, 2008 at 10:33:44AM -0500, Michael DeHaan wrote:
> Anton Arapov wrote:
> > On Thu, Dec 11, 2008 at 11:40:25AM -0500, Michael DeHaan wrote:
> >
> >> Anton Arapov wrote:
> >>
> >>
>
> Anton,
>
> I'm pretty sure it's fine for applications to be ensuring that contexts
> are set right, so the earlier things seem fine to me, though it also
> seems that we would be better served having a SELinux policy written for
> koan, and having that shipped with koan (and possibly installed by the
> RPM -- or providing instructions for it do so). Perhaps we can follow
> that tactic instead?
>
> This would have the benefit of also being able to move koan out of being
> unconfined, which may actually /improve/ security in a few regards
> (except of course koan's there to reinstall your system if you use
> --replace-self so it's a bit illusory to assume that's why we're doing
> it). The policy would need to be very open ended because koan can
> install files with it's --update-files feature and also manipulate grub?
>
> Does that make sense?
Michael,
I did some investigations today, and have had a chance to speak
to Dan Walsh, our selinux guru. And the concern is that we have
mentioned by me selinux restrictions with semanage just because of
tricky implementation of the logging(how we log things to
~/.koan/koan.log) and another one, seems we have problem in
sub_process, it leaves filedescriptor open....
I will dive into it this weeked and will come up with solution.
If there will be the neeed of setting some context to the koan script,
probably..... but I do not think so. :)
-- Anton
I'm afraid, I will not have a time to work futher on this next week,
so sharing what I have:
In order to eliminate the problem with logging, we need to set
appropriate context to ~/.koan/koan.log or log everything to /var/log
for example, var_log_t:
# chcon -v -t var_log_t /root/.koan/koan.log
And if we really care about it, it will be better to create some
koan's context, may be koan_log_t, and use it. Do we need this?
Might be we will use /var/log/* in the future?
And the last one:
node=bandura.englab.brq.redhat.com type=AVC msg=audit(1229121538.953:228):
avc: denied { read write } for pid=22082 comm="semanage"
path="socket:[96400]" dev=sockfs ino=96400
scontext=unconfined_u:unconfined_r:semanage_t:s0
tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=tcp_socket
, have no idea ... this hits just by adding .call(semanage). I tried to reproduce
it in test script, and everything works just fine.
Usually, such things solved by:
fcntl(socket, F_SETFD, FD_CLOEXEC),
but it's python, and I do not see any sockets using,... evenmore, I do not see
why we need 'import socket' in app.py and utils.py, I think they could be
easily removed. ...
[START] // This code works as expected without selinux somplaint:
#!/bin/env python
import sys
import sub_process
import exceptions
class InfoException(exceptions.Exception):
"""
Custom exception for tracking of fatal errors.
"""
def __init__(self,value,**args):
self.value = value % args
self.from_koan = 1
def __str__(self):
return repr(self.value)
#=======================================================
if __name__ == '__main__':
context = "virt_image_t"
partition_location = "/dev/mapper/vg-kvm_f10--disk0"
args = "/usr/sbin/semanage fcontext -a -t %s %s" % (context,
partition_location)
print "%s" % args
permanent_context = sub_process.call(args, shell=True)
print permanent_context
if permanent_context != 0:
raise InfoException, "SELinux security context setting to LVM partition
failed"
sys.exit(0)
[END]
... the following patch is working. SELinux will complaint
, but this does not prevent us of successful 'semanage' execution.
So you can apply it, at least we will have working/booting LV
images after system reboot, despite annoying selinux messsages.
==
koan/app.py | 24 +++++++++++++++++-------
1 files changed, 17 insertions(+), 7 deletions(-)
diff --git a/koan/app.py b/koan/app.py
index 5031bed..1eae1dd 100755
--- a/koan/app.py
+++ b/koan/app.py
@@ -1420,13 +1420,23 @@ class Koan:
args = "/usr/sbin/selinuxenabled"
selinuxenabled = sub_process.call(args)
if selinuxenabled == 0:
- # permissive or enforcing or something else, and
- # set appropriate security context for LVM partition
- args = "/usr/bin/chcon -t virt_image_t %s" %
partition_location
- print "%s" % args
- change_context = sub_process.call(args, shell=True)
- if change_context != 0:
- raise InfoException, "SELinux security context setting to
LVM partition failed"
+ # permissive or enforcing or something else
+ context = "virt_image_t"
+
+ # check the current context
+ args = "/bin/ls -Z %s" % partition_location
+ context_str = sub_process.Popen(args, stdout=sub_process.PIPE,
shell=True).communicate()[0]
+ if context_str.find(context) == -1:
+ # set appropriate security context for LVM partition
+ args = "/usr/bin/chcon -t virt_image_t %s" %
partition_location
+ print "%s" % args
+ change_context = sub_process.call(args, shell=True)
+ # make the context for LVM partition permanent by updating the
policy
+ args = "/usr/sbin/semanage fcontext -a -t %s %s" %
(context, partition_location)
+ print "%s" % args
+ permanent_context = sub_process.call(args, shell=True)
+ if change_context != 0 or permanent_context != 0:
+ raise InfoException, "SELinux security context setting
to LVM partition failed"
# return partition location
return partition_location
--
-Anton
5:08 p.m.
New subject: [KOAN PATCH] resend: SELinux: set correct security context for lvm partitions
On Fri, Dec 12, 2008 at 2:49 PM, Anton Arapov <aarapov(a)redhat.com> wrote:
On Fri, Dec 12, 2008 at 10:06:43PM +0100, Anton Arapov wrote:
> On Fri, Dec 12, 2008 at 10:33:44AM -0500, Michael DeHaan wrote:
> > Anton Arapov wrote:
> > > On Thu, Dec 11, 2008 at 11:40:25AM -0500, Michael DeHaan wrote:
> > >
> > >> Anton Arapov wrote:
> > >>
> > >>
> >
> > Anton,
> >
> > I'm pretty sure it's fine for applications to be ensuring that contexts
> > are set right, so the earlier things seem fine to me, though it also
> > seems that we would be better served having a SELinux policy written for
> > koan, and having that shipped with koan (and possibly installed by the
> > RPM -- or providing instructions for it do so). Perhaps we can follow
> > that tactic instead?
> >
> > This would have the benefit of also being able to move koan out of being
> > unconfined, which may actually /improve/ security in a few regards
> > (except of course koan's there to reinstall your system if you use
> > --replace-self so it's a bit illusory to assume that's why we're
doing
> > it). The policy would need to be very open ended because koan can
> > install files with it's --update-files feature and also manipulate grub?
> >
> > Does that make sense?
>
> Michael,
>
> I did some investigations today, and have had a chance to speak
> to Dan Walsh, our selinux guru. And the concern is that we have
> mentioned by me selinux restrictions with semanage just because of
> tricky implementation of the logging(how we log things to
> ~/.koan/koan.log) and another one, seems we have problem in
> sub_process, it leaves filedescriptor open....
>
> I will dive into it this weeked and will come up with solution.
> If there will be the neeed of setting some context to the koan script,
> probably..... but I do not think so. :)
>
> -- Anton
>
I'm afraid, I will not have a time to work futher on this next week,
so sharing what I have:
In order to eliminate the problem with logging, we need to set
appropriate context to ~/.koan/koan.log or log everything to /var/log
for example, var_log_t:
# chcon -v -t var_log_t /root/.koan/koan.log
And if we really care about it, it will be better to create some
koan's context, may be koan_log_t, and use it. Do we need this?
Might be we will use /var/log/* in the future?
Ideally, cobbler would do:
import syslog
syslog(...
and then cobbler logs would use existing syslog infrastructures. It is
annoying that it doesn't currently for those of us who have big syslog
environments.
--
Jeff Schroeder
Don't drink and derive, alcohol and analysis don't mix.
http://www.digitalprognosis.com
10:27 a.m.
New subject: [KOAN PATCH] resend: SELinux: set correct security context for lvm partitions
Jeff Schroeder wrote:
On Fri, Dec 12, 2008 at 2:49 PM, Anton Arapov
<aarapov(a)redhat.com> wrote:
> On Fri, Dec 12, 2008 at 10:06:43PM +0100, Anton Arapov wrote:
>
>> On Fri, Dec 12, 2008 at 10:33:44AM -0500, Michael DeHaan wrote:
>>
>>> Anton Arapov wrote:
>>>
>>>> On Thu, Dec 11, 2008 at 11:40:25AM -0500, Michael DeHaan wrote:
>>>>
>>>>
>>>>> Anton Arapov wrote:
>>>>>
>>>>>
>>>>>
>>> Anton,
>>>
>>> I'm pretty sure it's fine for applications to be ensuring that
contexts
>>> are set right, so the earlier things seem fine to me, though it also
>>> seems that we would be better served having a SELinux policy written for
>>> koan, and having that shipped with koan (and possibly installed by the
>>> RPM -- or providing instructions for it do so). Perhaps we can follow
>>> that tactic instead?
>>>
>>> This would have the benefit of also being able to move koan out of being
>>> unconfined, which may actually /improve/ security in a few regards
>>> (except of course koan's there to reinstall your system if you use
>>> --replace-self so it's a bit illusory to assume that's why we're
doing
>>> it). The policy would need to be very open ended because koan can
>>> install files with it's --update-files feature and also manipulate grub?
>>>
>>> Does that make sense?
>>>
>> Michael,
>>
>> I did some investigations today, and have had a chance to speak
>> to Dan Walsh, our selinux guru. And the concern is that we have
>> mentioned by me selinux restrictions with semanage just because of
>> tricky implementation of the logging(how we log things to
>> ~/.koan/koan.log) and another one, seems we have problem in
>> sub_process, it leaves filedescriptor open....
>>
>> I will dive into it this weeked and will come up with solution.
>> If there will be the neeed of setting some context to the koan script,
>> probably..... but I do not think so. :)
>>
>> -- Anton
>>
>>
> I'm afraid, I will not have a time to work futher on this next week,
> so sharing what I have:
>
> In order to eliminate the problem with logging, we need to set
> appropriate context to ~/.koan/koan.log or log everything to /var/log
> for example, var_log_t:
> # chcon -v -t var_log_t /root/.koan/koan.log
>
> And if we really care about it, it will be better to create some
> koan's context, may be koan_log_t, and use it. Do we need this?
> Might be we will use /var/log/* in the future?
>
Ideally, cobbler would do:
import syslog
syslog(...
and then cobbler logs would use existing syslog infrastructures. It is
annoying that it doesn't currently for those of us who have big syslog
environments.
FWIW, we are referring to koan here, but that's a valid point.
We can probably look at tweaking Cobbler and koan's logging to use
syslog (either by default or as an option) in a future release. Comments
welcome.
Meanwhile, file an RFE in Trac so we don't forget --
(fedorahosted.org/cobbler)
--Michael
6:28 a.m.
New subject: [KOAN PATCH] resend: SELinux: set correct security context for lvm partitions
On Fri, Dec 12, 2008 at 11:49:47PM +0100, Anton Arapov wrote:
On Fri, Dec 12, 2008 at 10:06:43PM +0100, Anton Arapov wrote:
[..skip..]
And the last one:
node=bandura.englab.brq.redhat.com type=AVC msg=audit(1229121538.953:228):
avc: denied { read write } for pid=22082 comm="semanage"
path="socket:[96400]" dev=sockfs ino=96400
scontext=unconfined_u:unconfined_r:semanage_t:s0
tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=tcp_socket
, have no idea ... this hits just by adding .call(semanage). I tried to reproduce
it in test script, and everything works just fine.
Usually, such things solved by:
fcntl(socket, F_SETFD, FD_CLOEXEC),
but it's python, and I do not see any sockets using,... evenmore, I do not see
why we need 'import socket' in app.py and utils.py, I think they could be
easily removed. ...
looks like I hit the known bug here:
https://bugzilla.redhat.com/show_bug.cgi?id=429678
will get more assurance and let you know.
--Anton
10:24 a.m.
New subject: [KOAN PATCH] resend: SELinux: set correct security context for lvm partitions
In order to eliminate the problem with logging, we need to set
appropriate context to ~/.koan/koan.log or log everything to /var/log
for example, var_log_t:
# chcon -v -t var_log_t /root/.koan/koan.log
Moving everything properly to /var/log was on my list anyway, this is
normal.
I can change this.
And the last one:
node=bandura.englab.brq.redhat.com type=AVC msg=audit(1229121538.953:228):
avc: denied { read write } for pid=22082 comm="semanage"
path="socket:[96400]" dev=sockfs ino=96400
scontext=unconfined_u:unconfined_r:semanage_t:s0
tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=tcp_socket
, have no idea ... this hits just by adding .call(semanage). I tried to reproduce
it in test script, and everything works just fine.
Usually, such things solved by:
fcntl(socket, F_SETFD, FD_CLOEXEC),
but it's python, and I do not see any sockets using,... evenmore, I do not see
why we need 'import socket' in app.py and utils.py, I think they could be
easily removed. ...
xmlrpclib uses sockets. No suggestions from setroubleshoot on this one?
As for the import, you are correct, but it's not hurting anything
either. We used to use socket.gethostname() and such.
[START] // This code works as expected without selinux somplaint:
#!/bin/env python
import sys
import sub_process
import exceptions
class InfoException(exceptions.Exception):
"""
Custom exception for tracking of fatal errors.
"""
def __init__(self,value,**args):
self.value = value % args
self.from_koan = 1
def __str__(self):
return repr(self.value)
#=======================================================
if __name__ == '__main__':
context = "virt_image_t"
partition_location = "/dev/mapper/vg-kvm_f10--disk0"
args = "/usr/sbin/semanage fcontext -a -t %s %s" % (context,
partition_location)
print "%s" % args
permanent_context = sub_process.call(args, shell=True)
print permanent_context
if permanent_context != 0:
raise InfoException, "SELinux security context setting to LVM partition
failed"
sys.exit(0)
[END]
... the following patch is working. SELinux will complaint
, but this does not prevent us of successful 'semanage' execution.
So you can apply it, at least we will have working/booting LV
images after system reboot, despite annoying selinux messsages.
Thanks alot...... I've asked this before, but if you are going to send
in a patch either send it as an attachment or send it from
git-format-patch/git-send-email.
Saves a lot of time and is also easier on you...
==
koan/app.py | 24 +++++++++++++++++-------
1 files changed, 17 insertions(+), 7 deletions(-)
diff --git a/koan/app.py b/koan/app.py
index 5031bed..1eae1dd 100755
--- a/koan/app.py
+++ b/koan/app.py
@@ -1420,13 +1420,23 @@ class Koan:
args = "/usr/sbin/selinuxenabled"
selinuxenabled = sub_process.call(args)
if selinuxenabled == 0:
- # permissive or enforcing or something else, and
- # set appropriate security context for LVM partition
- args = "/usr/bin/chcon -t virt_image_t %s" %
partition_location
- print "%s" % args
- change_context = sub_process.call(args, shell=True)
- if change_context != 0:
- raise InfoException, "SELinux security context setting to
LVM partition failed"
+ # permissive or enforcing or something else
+ context = "virt_image_t"
+
+ # check the current context
+ args = "/bin/ls -Z %s" % partition_location
+ context_str = sub_process.Popen(args, stdout=sub_process.PIPE,
shell=True).communicate()[0]
+ if context_str.find(context) == -1:
+ # set appropriate security context for LVM partition
+ args = "/usr/bin/chcon -t virt_image_t %s" %
partition_location
+ print "%s" % args
+ change_context = sub_process.call(args, shell=True)
+ # make the context for LVM partition permanent by updating the
policy
+ args = "/usr/sbin/semanage fcontext -a -t %s %s" %
(context, partition_location)
+ print "%s" % args
+ permanent_context = sub_process.call(args, shell=True)
+ if change_context != 0 or permanent_context != 0:
+ raise InfoException, "SELinux security context setting
to LVM partition failed"
# return partition location
return partition_location
11:04 a.m.
New subject: [KOAN PATCH] resend: SELinux: set correct security context for lvm partitions
On Sat, Dec 13, 2008 at 11:24:08AM -0500, Michael DeHaan wrote:
... the following patch is working. SELinux will complaint
> , but this does not prevent us of successful 'semanage' execution.
> So you can apply it, at least we will have working/booting LV
> images after system reboot, despite annoying selinux messsages.
>
>
Thanks alot...... I've asked this before, but if you are going to send
in a patch either send it as an attachment or send it from
git-format-patch/git-send-email.
Saves a lot of time and is also easier on you...
Okay, will be doing this way ...
latest news, ...
The .call(semanage) is safe itself, but it hits the problem, that very
difficult to triage. There is a leak of file descriptor to child.
Will try to find out this ...
And I think you can drop the patch with semanage inside, unless we
need it asap, and I guess - we don't. :) Anyway, I don't like it in
the form it's here.
-- Anton
> ==
>
> koan/app.py | 24 +++++++++++++++++-------
> 1 files changed, 17 insertions(+), 7 deletions(-)
>
> diff --git a/koan/app.py b/koan/app.py
> index 5031bed..1eae1dd 100755
> --- a/koan/app.py
> +++ b/koan/app.py
> @@ -1420,13 +1420,23 @@ class Koan:
> args = "/usr/sbin/selinuxenabled"
> selinuxenabled = sub_process.call(args)
> if selinuxenabled == 0:
> - # permissive or enforcing or something else, and
> - # set appropriate security context for LVM partition
> - args = "/usr/bin/chcon -t virt_image_t %s" %
partition_location
> - print "%s" % args
> - change_context = sub_process.call(args, shell=True)
> - if change_context != 0:
> - raise InfoException, "SELinux security context setting
to LVM partition failed"
> + # permissive or enforcing or something else
> + context = "virt_image_t"
> +
> + # check the current context
> + args = "/bin/ls -Z %s" % partition_location
> + context_str = sub_process.Popen(args, stdout=sub_process.PIPE,
shell=True).communicate()[0]
> + if context_str.find(context) == -1:
> + # set appropriate security context for LVM partition
> + args = "/usr/bin/chcon -t virt_image_t %s" %
partition_location
> + print "%s" % args
> + change_context = sub_process.call(args, shell=True)
> + # make the context for LVM partition permanent by updating
the policy
> + args = "/usr/sbin/semanage fcontext -a -t %s %s"
% (context, partition_location)
> + print "%s" % args
> + permanent_context = sub_process.call(args, shell=True)
> + if change_context != 0 or permanent_context != 0:
> + raise InfoException, "SELinux security context
setting to LVM partition failed"
>
> # return partition location
> return partition_location
--
-Anton
11:09 a.m.
New subject: [KOAN PATCH] resend: SELinux: set correct security context for lvm partitions
Anton Arapov wrote:
On Sat, Dec 13, 2008 at 11:24:08AM -0500, Michael DeHaan wrote:
> ... the following patch is working. SELinux will complaint
>
>> , but this does not prevent us of successful 'semanage' execution.
>> So you can apply it, at least we will have working/booting LV
>> images after system reboot, despite annoying selinux messsages.
>>
>>
>>
> Thanks alot...... I've asked this before, but if you are going to send
> in a patch either send it as an attachment or send it from
> git-format-patch/git-send-email.
> Saves a lot of time and is also easier on you...
>
Okay, will be doing this way ...
latest news, ...
The .call(semanage) is safe itself, but it hits the problem, that very
difficult to triage. There is a leak of file descriptor to child.
Will try to find out this ...
And I think you can drop the patch with semanage inside, unless we
need it asap, and I guess - we don't. :) Anyway, I don't like it in
the form it's here.
-- Anton
Sure. I'm not sure I understand why we need to be calling semanage,
anyway, are you saying that the LVM contexts applied with chcon are not
preserved across a reboot in LVM?
Referring to your comment:
+ # make the context for LVM partition permanent by updating the
policy
args = "/usr/sbin/semanage fcontext -a -t %s %s" % (context,
partition_location)
+ print "%s" % args
+ permanent_context = sub_process.call(args, shell=True)
So we're ok with just the chcon then?
I've already commited changes to git for moving the logfile to
/var/log/koan, as it should have been originally. Users will note that
this is only used currently for libvirt trivia, that /is/ useful in
debugging virt issues, but we don't yet log our activities with respect
to "--replace-self", primarily because if we replace successfully the
logfile will be blown away. However it does make sense that seeing we
use this for other things now (--update-files), in the future we'll want
to be increasing the amount of logging in koan in general. I'll open an
RFE on this one.
--Michael
>> ==
>>
>> koan/app.py | 24 +++++++++++++++++-------
>> 1 files changed, 17 insertions(+), 7 deletions(-)
>>
>> diff --git a/koan/app.py b/koan/app.py
>> index 5031bed..1eae1dd 100755
>> --- a/koan/app.py
>> +++ b/koan/app.py
>> @@ -1420,13 +1420,23 @@ class Koan:
>> args = "/usr/sbin/selinuxenabled"
>> selinuxenabled = sub_process.call(args)
>> if selinuxenabled == 0:
>> - # permissive or enforcing or something else, and
>> - # set appropriate security context for LVM partition
>> - args = "/usr/bin/chcon -t virt_image_t %s" %
partition_location
>> - print "%s" % args
>> - change_context = sub_process.call(args, shell=True)
>> - if change_context != 0:
>> - raise InfoException, "SELinux security context
setting to LVM partition failed"
>> + # permissive or enforcing or something else
>> + context = "virt_image_t"
>> +
>> + # check the current context
>> + args = "/bin/ls -Z %s" % partition_location
>> + context_str = sub_process.Popen(args,
stdout=sub_process.PIPE, shell=True).communicate()[0]
>> + if context_str.find(context) == -1:
>> + # set appropriate security context for LVM partition
>> + args = "/usr/bin/chcon -t virt_image_t %s" %
partition_location
>> + print "%s" % args
>> + change_context = sub_process.call(args, shell=True)
>> + # make the context for LVM partition permanent by
updating the policy
>> + args = "/usr/sbin/semanage fcontext -a -t %s
%s" % (context, partition_location)
>> + print "%s" % args
>> + permanent_context = sub_process.call(args, shell=True)
>> + if change_context != 0 or permanent_context != 0:
>> + raise InfoException, "SELinux security context
setting to LVM partition failed"
>>
>> # return partition location
>> return partition_location
>>
5:07 a.m.
New subject: [KOAN PATCH] resend: SELinux: set correct security context for lvm partitions
On Sat, Dec 13, 2008 at 12:09:40PM -0500, Michael DeHaan wrote:
Anton Arapov wrote:
> On Sat, Dec 13, 2008 at 11:24:08AM -0500, Michael DeHaan wrote:
>
>> ... the following patch is working. SELinux will complaint
>>
>>> , but this does not prevent us of successful 'semanage' execution.
>>> So you can apply it, at least we will have working/booting LV
>>> images after system reboot, despite annoying selinux messsages.
>>>
>>>
>>>
>> Thanks alot...... I've asked this before, but if you are going to send
>> in a patch either send it as an attachment or send it from
>> git-format-patch/git-send-email.
>> Saves a lot of time and is also easier on you...
>>
> Okay, will be doing this way ...
>
> latest news, ...
> The .call(semanage) is safe itself, but it hits the problem, that very
> difficult to triage. There is a leak of file descriptor to child.
> Will try to find out this ...
>
> And I think you can drop the patch with semanage inside, unless we
> need it asap, and I guess - we don't. :) Anyway, I don't like it in
> the form it's here.
>
>
> -- Anton
>
Sure. I'm not sure I understand why we need to be calling semanage,
anyway, are you saying that the LVM contexts applied with chcon are not
preserved across a reboot in LVM?
yes, in order preserve the context you need to
change the SELinux
policy, and semanage is the tool for it.
Referring to your comment:
+ # make the context for LVM partition permanent by updating the
policy
args = "/usr/sbin/semanage fcontext -a -t %s %s" % (context,
partition_location)
+ print "%s" % args
+ permanent_context = sub_process.call(args, shell=True)
So we're ok with just the chcon then?
It's better then nothing atm.
I've already commited changes to git for moving the logfile to
/var/log/koan, as it should have been originally. Users will note that
this is only used currently for libvirt trivia, that /is/ useful in
debugging virt issues, but we don't yet log our activities with respect
to "--replace-self", primarily because if we replace successfully the
logfile will be blown away. However it does make sense that seeing we
use this for other things now (--update-files), in the future we'll want
to be increasing the amount of logging in koan in general. I'll open an
RFE on this one.
looks good. :)
--Anton.
--Michael
>
>
>>> ==
>>>
>>> koan/app.py | 24 +++++++++++++++++-------
>>> 1 files changed, 17 insertions(+), 7 deletions(-)
>>>
>>> diff --git a/koan/app.py b/koan/app.py
>>> index 5031bed..1eae1dd 100755
>>> --- a/koan/app.py
>>> +++ b/koan/app.py
>>> @@ -1420,13 +1420,23 @@ class Koan:
>>> args = "/usr/sbin/selinuxenabled"
>>> selinuxenabled = sub_process.call(args)
>>> if selinuxenabled == 0:
>>> - # permissive or enforcing or something else, and
>>> - # set appropriate security context for LVM partition
>>> - args = "/usr/bin/chcon -t virt_image_t %s" %
partition_location
>>> - print "%s" % args
>>> - change_context = sub_process.call(args, shell=True)
>>> - if change_context != 0:
>>> - raise InfoException, "SELinux security context
setting to LVM partition failed"
>>> + # permissive or enforcing or something else
>>> + context = "virt_image_t"
>>> +
>>> + # check the current context
>>> + args = "/bin/ls -Z %s" % partition_location
>>> + context_str = sub_process.Popen(args,
stdout=sub_process.PIPE, shell=True).communicate()[0]
>>> + if context_str.find(context) == -1:
>>> + # set appropriate security context for LVM
partition
>>> + args = "/usr/bin/chcon -t virt_image_t
%s" % partition_location
>>> + print "%s" % args
>>> + change_context = sub_process.call(args,
shell=True)
>>> + # make the context for LVM partition permanent by
updating the policy
>>> + args = "/usr/sbin/semanage fcontext -a -t %s
%s" % (context, partition_location)
>>> + print "%s" % args
>>> + permanent_context = sub_process.call(args,
shell=True)
>>> + if change_context != 0 or permanent_context != 0:
>>> + raise InfoException, "SELinux security
context setting to LVM partition failed"
>>>
>>> # return partition location
>>> return partition_location
>>>
>
>
_______________________________________________
cobbler mailing list
cobbler(a)lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/cobbler
--
-Anton
7:30 a.m.
New subject: [KOAN PATCH] resend: SELinux: set correct security context for lvm partitions
On Fri, Dec 12, 2008 at 11:49:47PM +0100, Anton Arapov wrote:
[..snip..]
node=bandura.englab.brq.redhat.com type=AVC
msg=audit(1229121538.953:228):
avc: denied { read write } for pid=22082 comm="semanage"
path="socket:[96400]" dev=sockfs ino=96400
scontext=unconfined_u:unconfined_r:semanage_t:s0
tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=tcp_socket
, have no idea ... this hits just by adding .call(semanage). I tried to reproduce
it in test script, and everything works just fine.
Usually, such things solved by:
fcntl(socket, F_SETFD, FD_CLOEXEC),
but it's python, and I do not see any sockets using,... evenmore, I do not see
why we need 'import socket' in app.py and utils.py, I think they could be
easily removed. ...
[code]
...
url = "http://%s:80/cobbler_api" % (server)
self.xmlrpc_server = ServerProxy(url)
self.xmlrpc_server.get_profiles()
...
[/code]
xmlrpc_server is the descriptor SELinux complaints about.
Not sure how to fix it. I'm not familiar well with this lib so far. Don't you know
if
it possible to use it 'on demand', when we need something from xmlrpc - connect
and
disconnect at the end of operation?
-- Anton
7:33 a.m.
New subject: [KOAN PATCH] resend: SELinux: set correct security context for lvm partitions
Anton Arapov wrote:
On Fri, Dec 12, 2008 at 11:49:47PM +0100, Anton Arapov wrote:
[..snip..]
> node=bandura.englab.brq.redhat.com type=AVC msg=audit(1229121538.953:228):
> avc: denied { read write } for pid=22082 comm="semanage"
path="socket:[96400]" dev=sockfs ino=96400
> scontext=unconfined_u:unconfined_r:semanage_t:s0
> tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=tcp_socket
> , have no idea ... this hits just by adding .call(semanage). I tried to reproduce
> it in test script, and everything works just fine.
>
> Usually, such things solved by:
> fcntl(socket, F_SETFD, FD_CLOEXEC),
> but it's python, and I do not see any sockets using,... evenmore, I do not see
> why we need 'import socket' in app.py and utils.py, I think they could be
> easily removed. ...
>
[code]
...
url = "http://%s:80/cobbler_api" % (server)
self.xmlrpc_server = ServerProxy(url)
self.xmlrpc_server.get_profiles()
...
[/code]
xmlrpc_server is the descriptor SELinux complaints about.
Not sure how to fix it. I'm not familiar well with this lib so far. Don't you
know if
it possible to use it 'on demand', when we need something from xmlrpc - connect
and
disconnect at the end of operation?
-- Anton
Cobbler's use of xmlrpclib is no different than any other python
library, of which we have many that use xmlrpclib -- it probably points
at something fundamental that needs to be fixed in SELinux if it's
complaining about simple socket usage.
--Michael
7:38 a.m.
New subject: [KOAN PATCH] resend: SELinux: set correct security context for lvm partitions
On Mon, Dec 15, 2008 at 08:33:24AM -0500, Michael DeHaan wrote:
Anton Arapov wrote:
> On Fri, Dec 12, 2008 at 11:49:47PM +0100, Anton Arapov wrote:
> [..snip..]
>
>> node=bandura.englab.brq.redhat.com type=AVC msg=audit(1229121538.953:228):
>> avc: denied { read write } for pid=22082 comm="semanage"
path="socket:[96400]" dev=sockfs ino=96400
>> scontext=unconfined_u:unconfined_r:semanage_t:s0
>> tcontext=unconfined_u:unconfined_r:unconfined_t:s0
>> tclass=tcp_socket , have no idea ... this hits just by adding
>> .call(semanage). I tried to reproduce
>> it in test script, and everything works just fine.
>>
>> Usually, such things solved by:
>> fcntl(socket, F_SETFD, FD_CLOEXEC),
>> but it's python, and I do not see any sockets using,... evenmore, I do not
see
>> why we need 'import socket' in app.py and utils.py, I think they could
be
>> easily removed. ...
>>
>
> [code]
> ...
> url = "http://%s:80/cobbler_api" % (server)
> self.xmlrpc_server = ServerProxy(url)
> self.xmlrpc_server.get_profiles()
> ...
> [/code]
>
> xmlrpc_server is the descriptor SELinux complaints about.
>
> Not sure how to fix it. I'm not familiar well with this lib so far.
> Don't you know if it possible to use it 'on demand', when we need
> something from xmlrpc - connect and
> disconnect at the end of operation?
> -- Anton
>
>
Cobbler's use of xmlrpclib is no different than any other python
library, of which we have many that use xmlrpclib -- it probably points
at something fundamental that needs to be fixed in SELinux if it's
complaining about simple socket usage.
Agreed.
Michal, I'm going to send the patch with semanage inside, it will
be functional for 100%, with only complaint from SELinux. This
benefit us, and me personally =), by working virtual machine after
reboot.
Also, it will be easier to bugreport to SELinux developers, I'll
give them the link to koan's git with comments.
Does it sound good to you?
--Michael
--
-Anton
7:41 a.m.
New subject: [KOAN PATCH] resend: SELinux: set correct security context for lvm partitions
Anton Arapov wrote:
On Mon, Dec 15, 2008 at 08:33:24AM -0500, Michael DeHaan wrote:
> Anton Arapov wrote:
>
>> On Fri, Dec 12, 2008 at 11:49:47PM +0100, Anton Arapov wrote:
>> [..snip..]
>>
>>
>>> node=bandura.englab.brq.redhat.com type=AVC msg=audit(1229121538.953:228):
>>> avc: denied { read write } for pid=22082 comm="semanage"
path="socket:[96400]" dev=sockfs ino=96400
>>> scontext=unconfined_u:unconfined_r:semanage_t:s0
>>> tcontext=unconfined_u:unconfined_r:unconfined_t:s0
>>> tclass=tcp_socket , have no idea ... this hits just by adding
>>> .call(semanage). I tried to reproduce
>>> it in test script, and everything works just fine.
>>>
>>> Usually, such things solved by:
>>> fcntl(socket, F_SETFD, FD_CLOEXEC),
>>> but it's python, and I do not see any sockets using,... evenmore, I do
not see
>>> why we need 'import socket' in app.py and utils.py, I think they
could be
>>> easily removed. ...
>>>
>>>
>> [code]
>> ...
>> url = "http://%s:80/cobbler_api" % (server)
>> self.xmlrpc_server = ServerProxy(url)
>> self.xmlrpc_server.get_profiles()
>> ...
>> [/code]
>>
>> xmlrpc_server is the descriptor SELinux complaints about.
>>
>> Not sure how to fix it. I'm not familiar well with this lib so far.
>> Don't you know if it possible to use it 'on demand', when we need
>> something from xmlrpc - connect and
>> disconnect at the end of operation?
>> -- Anton
>>
>>
>>
> Cobbler's use of xmlrpclib is no different than any other python
> library, of which we have many that use xmlrpclib -- it probably points
> at something fundamental that needs to be fixed in SELinux if it's
> complaining about simple socket usage.
>
Agreed.
Michal, I'm going to send the patch with semanage inside, it will
be functional for 100%, with only complaint from SELinux. This
benefit us, and me personally =), by working virtual machine after
reboot.
Also, it will be easier to bugreport to SELinux developers, I'll
give them the link to koan's git with comments.
Does it sound good to you?
> --Michael
>
Sounds good, send it along and I'll apply it.
Thanks!
--Michael
8:32 a.m.
New subject: [KOAN PATCH] resend: SELinux: set correct security context for lvm partitions
On Mon, Dec 15, 2008 at 08:41:54AM -0500, Michael DeHaan wrote:
Anton Arapov wrote:
> On Mon, Dec 15, 2008 at 08:33:24AM -0500, Michael DeHaan wrote:
>
>> Anton Arapov wrote:
>>
>>> On Fri, Dec 12, 2008 at 11:49:47PM +0100, Anton Arapov wrote:
>>> [..snip..]
>>>
>>>> node=bandura.englab.brq.redhat.com type=AVC
msg=audit(1229121538.953:228):
>>>> avc: denied { read write } for pid=22082 comm="semanage"
path="socket:[96400]" dev=sockfs ino=96400
>>>> scontext=unconfined_u:unconfined_r:semanage_t:s0
>>>> tcontext=unconfined_u:unconfined_r:unconfined_t:s0
>>>> tclass=tcp_socket , have no idea ... this hits just by adding
>>>> .call(semanage). I tried to reproduce
>>>> it in test script, and everything works just fine.
>>>>
>>>> Usually, such things solved by:
>>>> fcntl(socket, F_SETFD, FD_CLOEXEC),
>>>> but it's python, and I do not see any sockets using,... evenmore, I
do not see
>>>> why we need 'import socket' in app.py and utils.py, I think they
could be
>>>> easily removed. ...
>>>>
>>> [code]
>>> ...
>>> url = "http://%s:80/cobbler_api" % (server)
>>> self.xmlrpc_server = ServerProxy(url)
>>> self.xmlrpc_server.get_profiles()
>>> ...
>>> [/code]
>>>
>>> xmlrpc_server is the descriptor SELinux complaints about.
>>>
>>> Not sure how to fix it. I'm not familiar well with this lib so far.
>>> Don't you know if it possible to use it 'on demand', when we need
>>> something from xmlrpc - connect and
>>> disconnect at the end of operation?
>>> -- Anton
>>>
>>>
>> Cobbler's use of xmlrpclib is no different than any other python
>> library, of which we have many that use xmlrpclib -- it probably
>> points at something fundamental that needs to be fixed in SELinux if
>> it's complaining about simple socket usage.
>>
>
> Agreed.
>
> Michal, I'm going to send the patch with semanage inside, it will
> be functional for 100%, with only complaint from SELinux. This
> benefit us, and me personally =), by working virtual machine after
> reboot.
>
> Also, it will be easier to bugreport to SELinux developers, I'll
> give them the link to koan's git with comments.
>
> Does it sound good to you?
>
>> --Michael
Sounds good, send it along and I'll apply it.
Yay! ... SOLVED.
when started to research how to gracefully close descriptors, and
sockets in particular, find out that sub_process already offers it
by passing to .call() option - closefds=True.
=)
--
-Anton
12:24 p.m.
New subject: [KOAN 1.2.X PATCH] SELinux: set correct security context for lvm partitions
Vreman, Peter - Acision wrote:
> -----Original Message-----
> From: cobbler-bounces(a)lists.fedorahosted.org [mailto:cobbler-
> bounces(a)lists.fedorahosted.org] On Behalf Of Michael DeHaan
> Sent: woensdag 10 december 2008 17:36
> To: Anton Arapov
> Cc: cobbler(a)lists.fedorahosted.org
> Subject: Re: [KOAN 1.2.X PATCH] SELinux: set correct security context for
> lvm partitions
>
> Anton Arapov wrote:
>
>> Hello crew,
>>
>> On SELinux enabled system:
>> # cobbler system add --name vguest --profile F-10-x86_64 \
>> --virt-type qemu \
>> --virt-bridge virbr0 \
>> --virt-path vg
>> # koan --server 'host' --virt --system vguest2
>>
>> These will fail to run, because koan did not set the correct security
>>
> context
>
>> for created lvm partition.
>> It must execute something like:
>> # chcon -t virt_image_t /dev/mapper/%lvm_partition%
>>
>> Patch addressed to the ticket #321:
>> https://fedorahosted.org/cobbler/ticket/321
>>
>> I've added also some concerns, about already implemented in cobbler
>> selinux check. So please, read the ticket and leave feedback. :)
>>
>> Cheers!
>> ==
>> diff -urpN koan-1.2.6.orig/koan/app.py koan-1.2.6/koan/app.py
>> --- koan-1.2.6.orig/koan/app.py 2008-12-10 09:04:12.082359000
>>
> +0100
>
>> +++ koan-1.2.6/koan/app.py 2008-12-10 09:18:59.765607726 +0100
>> @@ -1213,8 +1213,23 @@ class Koan:
>> if lv_create != 0:
>> raise InfoException, "LVM creation failed"
>>
>> + # partition location
>> + partition_location = "/dev/mapper/%s-%s" %
>>
> (location,name.replace('-','--'))
>
>> +
>> + # check whether we have SELinux enabled system
>> + args = "/usr/sbin/selinuxenabled"
>> + selinuxenabled = sub_process.call(args)
>> + if selinuxenabled == 0:
>> + # permissive or enforcing or something else, and
>> + # set appropriate security context for LVM
>>
> partition
>
>> + args = "/usr/bin/chcon -t virt_image_t %s" %
>>
> partition_location
>
>> + print "%s" % args
>> + change_context = sub_process.call(args, shell=True)
>> + if change_context != 0:
>> + raise InfoException, "SELinux security context
>>
> setting to LVM partition failed"
>
>> +
>> # return partition location
>> - return "/dev/mapper/%s-%s" %
(location,name.replace('-
>>
> ','--'))
>
>> + return partition_location
>> else:
>> raise InfoException, "volume group needs %s GB free
>>
> space." % virt_size
>
>>
> Is "/usr/sbin/selinuxenabled" available on older EL distros? Cobbler
> contains some code for similar things that uses getenforce. Earlier I
> thought this binary didn't exist on my box, but I /do/ have it on F9.
>
> Otherwise, looks fine, though I think we need to make sure this binary
> is available. We should also check to see if it /exists/ first, because
> long term we'll want koan to work on non-Fedora/Red-Hat based distros so
> we can also package it there.
>
The tool is available on RHEL 4.6:
tcsia12# cat /etc/redhat-release
Red Hat Enterprise Linux AS release 4 (Nahant Update 6)
tcsia12# rpm -ql libselinux-1.19.1-7.4 | grep enable
/usr/sbin/selinuxenabled
/usr/share/man/man8/selinuxenabled.8.gz
On debian it is in selinux-utils, see
http://packages.debian.org/etch/i386/selinux-utils/filelist
Peter
This e-mail and any attachment is for authorised use by the intended recipient(s) only.
It may contain proprietary material, confidential information and/or be subject to legal
privilege. It should not be copied, disclosed to, retained or used by, any other party. If
you are not an intended recipient then please promptly delete this e-mail and any
attachment and all copies and inform the sender. Thank you.
_______________________________________________
cobbler mailing list
cobbler(a)lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/cobbler
Good deal, I'll apply this.
--Michael
12:10 p.m.
On Wed, Dec 10, 2008 at 11:35:54AM -0500, Michael DeHaan wrote:
Anton Arapov wrote:
> Hello crew,
>
> On SELinux enabled system:
> # cobbler system add --name vguest --profile F-10-x86_64 \
> --virt-type qemu \
> --virt-bridge virbr0 \
> --virt-path vg
> # koan --server 'host' --virt --system vguest2
>
> These will fail to run, because koan did not set the correct security context
> for created lvm partition.
> It must execute something like: # chcon -t virt_image_t
> /dev/mapper/%lvm_partition%
>
> Patch addressed to the ticket #321:
> https://fedorahosted.org/cobbler/ticket/321
>
> I've added also some concerns, about already implemented in cobbler
> selinux check. So please, read the ticket and leave feedback. :)
>
> Cheers!
> ==
> diff -urpN koan-1.2.6.orig/koan/app.py koan-1.2.6/koan/app.py
> --- koan-1.2.6.orig/koan/app.py 2008-12-10 09:04:12.082359000 +0100
> +++ koan-1.2.6/koan/app.py 2008-12-10 09:18:59.765607726 +0100
> @@ -1213,8 +1213,23 @@ class Koan:
> if lv_create != 0:
> raise InfoException, "LVM creation failed"
> + # partition location
> + partition_location = "/dev/mapper/%s-%s" %
(location,name.replace('-','--'))
> +
> + # check whether we have SELinux enabled system
> + args = "/usr/sbin/selinuxenabled"
> + selinuxenabled = sub_process.call(args)
> + if selinuxenabled == 0:
> + # permissive or enforcing or something else, and
> + # set appropriate security context for LVM partition
> + args = "/usr/bin/chcon -t virt_image_t %s" %
partition_location
> + print "%s" % args
> + change_context = sub_process.call(args, shell=True)
> + if change_context != 0:
> + raise InfoException, "SELinux security context setting
to LVM partition failed"
> +
> # return partition location
> - return "/dev/mapper/%s-%s" %
(location,name.replace('-','--'))
> + return partition_location
> else:
> raise InfoException, "volume group needs %s GB free
space." % virt_size
>
Is "/usr/sbin/selinuxenabled" available on older EL distros? Cobbler
contains some code for similar things that uses getenforce. Earlier I
thought this binary didn't exist on my box, but I /do/ have it on F9.
Otherwise, looks fine, though I think we need to make sure this binary
is available. We should also check to see if it /exists/ first, because
long term we'll want koan to work on non-Fedora/Red-Hat based distros so
we can also package it there.
will check this in rhel4.6/4.7 and rhel5.2, and will let you know. I
guess, we do not care about rhel2/rhel3. ;-)
--Michael
--
-Anton
12:20 p.m.
Anton Arapov wrote:
On Wed, Dec 10, 2008 at 11:35:54AM -0500, Michael DeHaan wrote:
> Anton Arapov wrote:
>
>> Hello crew,
>>
>> On SELinux enabled system:
>> # cobbler system add --name vguest --profile F-10-x86_64 \
>> --virt-type qemu \
>> --virt-bridge virbr0 \
>> --virt-path vg
>> # koan --server 'host' --virt --system vguest2
>>
>> These will fail to run, because koan did not set the correct security context
>> for created lvm partition.
>> It must execute something like: # chcon -t virt_image_t
>> /dev/mapper/%lvm_partition%
>>
>> Patch addressed to the ticket #321:
>> https://fedorahosted.org/cobbler/ticket/321
>>
>> I've added also some concerns, about already implemented in cobbler
>> selinux check. So please, read the ticket and leave feedback. :)
>>
>> Cheers!
>> ==
>> diff -urpN koan-1.2.6.orig/koan/app.py koan-1.2.6/koan/app.py
>> --- koan-1.2.6.orig/koan/app.py 2008-12-10 09:04:12.082359000 +0100
>> +++ koan-1.2.6/koan/app.py 2008-12-10 09:18:59.765607726 +0100
>> @@ -1213,8 +1213,23 @@ class Koan:
>> if lv_create != 0:
>> raise InfoException, "LVM creation failed"
>> + # partition location
>> + partition_location = "/dev/mapper/%s-%s" %
(location,name.replace('-','--'))
>> +
>> + # check whether we have SELinux enabled system
>> + args = "/usr/sbin/selinuxenabled"
>> + selinuxenabled = sub_process.call(args)
>> + if selinuxenabled == 0:
>> + # permissive or enforcing or something else, and
>> + # set appropriate security context for LVM partition
>> + args = "/usr/bin/chcon -t virt_image_t %s" %
partition_location
>> + print "%s" % args
>> + change_context = sub_process.call(args, shell=True)
>> + if change_context != 0:
>> + raise InfoException, "SELinux security context
setting to LVM partition failed"
>> +
>> # return partition location
>> - return "/dev/mapper/%s-%s" %
(location,name.replace('-','--'))
>> + return partition_location
>> else:
>> raise InfoException, "volume group needs %s GB free
space." % virt_size
>>
>>
> Is "/usr/sbin/selinuxenabled" available on older EL distros? Cobbler
> contains some code for similar things that uses getenforce. Earlier I
> thought this binary didn't exist on my box, but I /do/ have it on F9.
>
> Otherwise, looks fine, though I think we need to make sure this binary
> is available. We should also check to see if it /exists/ first, because
> long term we'll want koan to work on non-Fedora/Red-Hat based distros so
> we can also package it there.
>
will check this in rhel4.6/4.7 and rhel5.2, and will let you know. I
guess, we do not care about rhel2/rhel3. ;-)
Excellent.
koan does work on rhel2/3 for --replace-self, but this is for the virt
code, so, no, we don't care :)
--Michael
> --Michael
>
>
>
5635
days inactive
5640
days old
cobbler@lists.fedorahosted.org
27 comments
4 participants
participants (4)
-
Anton Arapov -
Jeff Schroeder -
Michael DeHaan -
Vreman, Peter