On Fri, Dec 12, 2008 at 10:06:43PM +0100, Anton Arapov wrote:
On Fri, Dec 12, 2008 at 10:33:44AM -0500, Michael DeHaan wrote:
> Anton Arapov wrote:
> > On Thu, Dec 11, 2008 at 11:40:25AM -0500, Michael DeHaan wrote:
> >
> >> Anton Arapov wrote:
> >>
> >>
>
> Anton,
>
> I'm pretty sure it's fine for applications to be ensuring that contexts
> are set right, so the earlier things seem fine to me, though it also
> seems that we would be better served having a SELinux policy written for
> koan, and having that shipped with koan (and possibly installed by the
> RPM -- or providing instructions for it to do so). Perhaps we can follow
> that tactic instead?
>
> This would have the benefit of also being able to move koan out of being
> unconfined, which may actually /improve/ security in a few regards
> (except of course koan's there to reinstall your system if you use
> --replace-self so it's a bit illusory to assume that's why we're doing
> it). The policy would need to be very open ended because koan can
> install files with its --update-files feature and also manipulate grub?
>
> Does that make sense?
Michael,
I did some investigations today, and have had a chance to speak
to Dan Walsh, our selinux guru. And the concern is that we have
the selinux restrictions with semanage that I mentioned just because of
the tricky implementation of the logging (how we log things to
~/.koan/koan.log) and another one, seems we have a problem in
sub_process, it leaves a file descriptor open....
I will dive into it this weekend and will come up with a solution.
If there will be the need of setting some context to the koan script,
probably..... but I do not think so. :)
-- Anton
I'm afraid I will not have time to work further on this next week,
so sharing what I have:

In order to eliminate the problem with logging, we need to set
an appropriate context on ~/.koan/koan.log, or log everything to /var/log;
for example, var_log_t:

  # chcon -v -t var_log_t /root/.koan/koan.log

And if we really care about it, it will be better to create some
koan context, maybe koan_log_t, and use it. Do we need this?
Maybe we will use /var/log/* in the future?

And the last one:
node=bandura.englab.brq.redhat.com type=AVC msg=audit(1229121538.953:228):
avc: denied { read write } for pid=22082 comm="semanage"
path="socket:[96400]" dev=sockfs ino=96400
scontext=unconfined_u:unconfined_r:semanage_t:s0
tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=tcp_socket
I have no idea ... this hits just by adding .call(semanage). I tried to reproduce
it in a test script, and everything works just fine.
Usually, such things are solved by:
  fcntl(socket, F_SETFD, FD_CLOEXEC),
but it's Python, and I do not see any sockets being used... what's more, I do not see
why we need 'import socket' in app.py and utils.py; I think they could be
easily removed. ...

[START] // This code works as expected without selinux complaint:
#!/bin/env python
import sys
import sub_process
import exceptions

class InfoException(exceptions.Exception):
    """
    Custom exception for tracking of fatal errors.
    """
    def __init__(self,value,**args):
        self.value = value % args
        self.from_koan = 1
    def __str__(self):
        return repr(self.value)

#=======================================================

if __name__ == '__main__':
    context = "virt_image_t"
    partition_location = "/dev/mapper/vg-kvm_f10--disk0"
    args = "/usr/sbin/semanage fcontext -a -t %s %s" % (context, partition_location)
    print "%s" % args
    permanent_context = sub_process.call(args, shell=True)
    print permanent_context
    if permanent_context != 0:
        raise InfoException, "SELinux security context setting to LVM partition failed"
    sys.exit(0)
[END]
... the following patch is working. SELinux will complain,
but this does not prevent us from successful 'semanage' execution.
So you can apply it, at least we will have working/booting LV
images after system reboot, despite annoying selinux messages.
==
koan/app.py | 24 +++++++++++++++++-------
1 files changed, 17 insertions(+), 7 deletions(-)
diff --git a/koan/app.py b/koan/app.py
index 5031bed..1eae1dd 100755
--- a/koan/app.py
+++ b/koan/app.py
@@ -1420,13 +1420,23 @@ class Koan:
args = "/usr/sbin/selinuxenabled"
selinuxenabled = sub_process.call(args)
if selinuxenabled == 0:
- # permissive or enforcing or something else, and
- # set appropriate security context for LVM partition
- args = "/usr/bin/chcon -t virt_image_t %s" %
partition_location
- print "%s" % args
- change_context = sub_process.call(args, shell=True)
- if change_context != 0:
- raise InfoException, "SELinux security context setting to
LVM partition failed"
+ # permissive or enforcing or something else
+ context = "virt_image_t"
+
+ # check the current context
+ args = "/bin/ls -Z %s" % partition_location
+ context_str = sub_process.Popen(args, stdout=sub_process.PIPE,
shell=True).communicate()[0]
+ if context_str.find(context) == -1:
+ # set appropriate security context for LVM partition
+ args = "/usr/bin/chcon -t virt_image_t %s" %
partition_location
+ print "%s" % args
+ change_context = sub_process.call(args, shell=True)
+ # make the context for LVM partition permanent by updating the
policy
+ args = "/usr/sbin/semanage fcontext -a -t %s %s" %
(context, partition_location)
+ print "%s" % args
+ permanent_context = sub_process.call(args, shell=True)
+ if change_context != 0 or permanent_context != 0:
+ raise InfoException, "SELinux security context setting
to LVM partition failed"
# return partition location
return partition_location
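
Review bot: the three added `sub_process` calls (`ls -Z`, `chcon`, `semanage fcontext -a`) interpolate `partition_location` into a string with `%` and run it with `shell=True`, so a device path containing spaces or shell metacharacters changes the command that runs; pass an argument list and drop `shell=True`. Separately, `change_context` and `permanent_context` are assigned only under `if context_str.find(context) == -1`, so the final `if change_context != 0 or permanent_context != 0` must stay inside that branch (the nesting cannot be confirmed from this copy, whose indentation is lost) or both names need initialising to 0 first. The `find()` test also matches `virt_image_t` anywhere in the `ls -Z` output, including the path itself, and the chcon line still hardcodes `virt_image_t` although `context` is now defined just above it.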
--
-Anton
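
An added example, not part of the original mail or of koan: it reproduces the descriptor leak that the AVC denial above points at (a child process inheriting a socket from its parent) and shows the two usual fixes, FD_CLOEXEC and close_fds. It is written for Python 3 on Linux, where descriptors are non-inheritable by default (PEP 446), so it re-enables inheritance to recreate the Python 2 behaviour; the socketpair and the helper names are constructed for the demonstration.

```python
import fcntl
import os
import socket
import subprocess
import sys

# Child program: reports whether descriptor number argv[1] is an open socket.
CHILD = """
import os, stat, sys
try:
    mode = os.fstat(int(sys.argv[1])).st_mode
    print("socket" if stat.S_ISSOCK(mode) else "other")
except OSError:
    print("closed")
"""

def child_sees_socket(fd, close_fds):
    """Spawn a child and return True if `fd` is an open socket inside it."""
    out = subprocess.check_output(
        [sys.executable, "-c", CHILD, str(fd)], close_fds=close_fds)
    return out.strip() == b"socket"

def demo():
    """Return (leaked, after_cloexec, after_close_fds) for one parent socket."""
    # Constructed stand-in for the parent's socket. The mail's AVC shows a
    # tcp_socket; inheritance works the same for any descriptor type.
    parent_sock, peer = socket.socketpair()
    fd = parent_sock.fileno()
    try:
        # Python 2 era state: descriptor inheritable, nothing closed on exec.
        os.set_inheritable(fd, True)
        leaked = child_sees_socket(fd, close_fds=False)

        # Fix 1: mark the descriptor close-on-exec, as suggested in the mail.
        flags = fcntl.fcntl(fd, fcntl.F_GETFD)
        fcntl.fcntl(fd, fcntl.F_SETFD, flags | fcntl.FD_CLOEXEC)
        after_cloexec = child_sees_socket(fd, close_fds=False)

        # Fix 2: leave the descriptor inheritable, let the spawner close it.
        os.set_inheritable(fd, True)
        after_close_fds = child_sees_socket(fd, close_fds=True)
    finally:
        parent_sock.close()
        peer.close()
    return leaked, after_cloexec, after_close_fds

if __name__ == "__main__":
    print(demo())
```

When the child is a confined domain such as semanage_t, an inherited descriptor like the one in the first case is what the kernel checks and denies, even though the child never asked for it.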