Re: Unnecessary SELinux Failure Condition?
by Jay Greguske
Daniel J Walsh wrote:
> On 09/11/2009 04:47 PM, Jay Greguske wrote:
>
>> Hello,
>>
>> While using livecd-creator and poking around the code, I found a check
>> that I don't understand the reason for. livecd-creator will bail out if
>> the host has SELinux disabled and the kickstart file requests it be
>> enabled. Why is that? I would think that if SELinux was disabled but you
>> still had the policy available, that would be all you need to build a
>> properly labeled image.
>>
>> Out of curiosity I made changes to the code just to see what would
>> happen. I attached them to this mail for reference, NOT as proposed
>> changes to be applied to the livecd-tools code. On an F10 system with
>> SELinux disabled I was able to build a working livecd image that I could
>> boot and play around in. SELinux was being enforced in the image too. I
>> was able to do this with a RHEL 5 kernel as well, just to see if maybe
>> something had changed with an earlier version of SELinux.
>>
>> Perhaps the failure condition is no longer necessary?
>>
>> Thanks in advance,
>> - Jay
>>
> Yes I think that is no longer necessary. And it should definitely be supported.
>
>
Attached is a cleaner patch that removes the check and some other
unnecessary code (thanks Dan). With this users should be able to build
livecd images that have SELinux enabled on an SELinux-disabled host.
I've tested this on an F10 system with an F10 and a RHEL 5 kernel. With both
kernels I was able to build images with SELinux enabled and disabled
on the host (but always enabled in the kickstart file).
Let me know what you guys think!
Thanks,
- Jay
14 years, 3 months
Persistent root / filesystem
by Vasilis Vlachoudis
Hi all,
I have remastered the Fedora Live CD to run through Virtual Box and to
mount automatically the ext3 virtual partitions. My problem is, when I
install an additional package or modify a file from the root filesystem,
the changes are not persistent. Is there a way to make them persistent,
something like unionfs with a partition of the virtual disks?
Thanks in advance
Vasilis
14 years, 3 months
livecd enforcing mode issue
by Bruno Wolff III
In F12 (at least) it looks like selinux is denying livecd-creator from
changing the root password of the image. I'll file a bug on this when
infrastructure is back up.
Here is the audit record:
audit.log.1:type=USER_CHAUTHTOK msg=audit(1260601250.607:153622): user pid=17278 uid=0 auid=500 ses=26 subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 msg='op=change password id=0 exe="/usr/bin/passwd" hostname=? addr=? terminal=pts/1 res=failed'
Here is the message printed by livecd-creator:
passwd: unconfined_u:unconfined_r:livecd_t:s0-s0:c0.c1023 is not authorized to change the password of root
This is with targeted policy 3.6.32-56.fc12.
14 years, 3 months
lzma + squashfs should be easy to use in livecd-tools
by Bruno Wolff III
Phillip Lougher posted lzma+squashfs patches to lkml yesterday and today
as a followup he posted a message indicating how to build / use the new
squashfs-tools to build or read squashfs file systems.
(http://marc.info/?l=linux-embedded&m=126029628723357&w=2)
The short description is that to use lzma compression when building
squashfs images you add a -comp lzma option and that when reading
squashfs file systems the type of compression is automatically detected
and no special action is needed.
If it is desired to have a single version of livecd-creator that works
regardless of whether or not mksquashfs supports lzma, it is possible to
run mksquashfs without any arguments and examine the output to see if
lzma is supported. It may also be necessary to check for a minimum kernel
being used for livecd image if livecd-creator is supposed to be able to compose
older versions of Fedora.
While I don't think I'd call this a "feature", I'd like to have something
testable by feature freeze and am willing to do some work to make this
happen.
14 years, 3 months
LiveUSB Security Updates Only
by Williamson Grant
Is there a simple way to set the default on a Live USB install to only
install Security updates?
I know using the yum-plugin-security and yum update --security is one
way, however for Joe Average is there any way to set this as a yum default,
so that even a yum update and/or PackageKit will not prompt for additional updates?
14 years, 4 months
3 commits - docs/livecd-iso-to-disk.pod tools/livecd-iso-to-disk.sh
by Warren Togami 砥上勇
docs/livecd-iso-to-disk.pod | 8 ++++++--
tools/livecd-iso-to-disk.sh | 10 +++++-----
2 files changed, 11 insertions(+), 7 deletions(-)
New commits:
commit e22eee657156d205c10ddbc93afdb006d8152b97
Author: Bernie Innocenti <bernie(a)codewiz.org>
Date: Sun Nov 22 22:31:23 2009 -0500
LANG=C when parted output is being scraped, as localized strings cause it to fail.
diff --git a/tools/livecd-iso-to-disk.sh b/tools/livecd-iso-to-disk.sh
index 2fd6d29..95ca158 100755
--- a/tools/livecd-iso-to-disk.sh
+++ b/tools/livecd-iso-to-disk.sh
@@ -147,7 +147,7 @@ createGPTLayout() {
read
umount ${device}? &> /dev/null
/sbin/parted --script $device mklabel gpt
- partinfo=$(/sbin/parted --script -m $device "unit b print" |grep ^$device:)
+ partinfo=$(LANG=C /sbin/parted --script -m $device "unit b print" |grep ^$device:)
size=$(echo $partinfo |cut -d : -f 2 |sed -e 's/B$//')
/sbin/parted --script $device unit b mkpart '"EFI System Partition"' fat32 17408 $(($size - 17408)) set 1 boot on
USBDEV=${device}1
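Review bot: On the `partinfo=` line, `LANG=C` is the lowest-priority locale variable, so a caller who has `LC_ALL` or `LC_MESSAGES` exported still gets localized parted output and the scrape fails the same way. Use `LC_ALL=C /sbin/parted ...` here and at the other two call sites changed by this commit.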
@@ -169,7 +169,7 @@ createMSDOSLayout() {
read
umount ${device}? &> /dev/null
/sbin/parted --script $device mklabel msdos
- partinfo=$(/sbin/parted --script -m $device "unit b print" |grep ^$device:)
+ partinfo=$(LANG=C /sbin/parted --script -m $device "unit b print" |grep ^$device:)
size=$(echo $partinfo |cut -d : -f 2 |sed -e 's/B$//')
/sbin/parted --script $device unit b mkpart primary fat32 17408 $(($size - 17408)) set 1 boot on
USBDEV=${device}1
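Review bot: `size` goes straight into `$(($size - 17408))` on the `mkpart` line with no check that the `grep` matched anything; if `partinfo` comes back empty the arithmetic still evaluates and parted is run with a bogus end offset on a device that `mklabel msdos` has just rewritten. Test that `size` is non-empty and numeric and bail out via `exitclean` otherwise. `$device` is also unquoted both as the parted argument and inside the grep pattern; write `"$device"` and `grep "^$device:"`.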
@@ -192,7 +192,7 @@ checkGPT() {
exitclean
fi
- partinfo=$(/sbin/parted --script -m $device "print" |grep ^$partnum:)
+ partinfo=$(LANG=C /sbin/parted --script -m $device "print" |grep ^$partnum:)
volname=$(echo $partinfo |cut -d : -f 6)
flags=$(echo $partinfo |cut -d : -f 7)
if [ "$volname" != "EFI System Partition" ]; then
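Review bot: `echo $partinfo` on the `volname=` and `flags=` lines is unquoted, so the shell word-splits and glob-expands parted's output before `cut` sees it, and the result is then compared byte for byte with "EFI System Partition". Use `echo "$partinfo"` and quote the grep pattern as `"^$partnum:"` so the comparison sees the field exactly as parted printed it.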
commit ffa15aef04108b65ab395617d835266e818b9b29
Author: Bastien Nocera <hadess(a)hadess.net>
Date: Sun Nov 8 14:28:48 2009 +0000
Document the --efi command-line argument
In the man page, and in the tool.
https://bugzilla.redhat.com/show_bug.cgi?id=533687
diff --git a/docs/livecd-iso-to-disk.pod b/docs/livecd-iso-to-disk.pod
index 9274ab8..c673eef 100644
--- a/docs/livecd-iso-to-disk.pod
+++ b/docs/livecd-iso-to-disk.pod
@@ -6,7 +6,7 @@ livecd-iso-to-disk - installs bootable CD images on a USB storage devices.
=head1 SYNOPSIS
-B<livecd-iso-to-disk> [--format] [--reset-mbr] [--noverify] [--overlay-size-mb <size>] [\-\-home\-size\-mb <size>] [\-\-unencrypted\-home] [\-\-skipcopy] <path-to-iso> <usb storage device>
+B<livecd-iso-to-disk> [--format] [--reset-mbr] [--noverify] [--efi] [--overlay-size-mb <size>] [\-\-home\-size\-mb <size>] [\-\-unencrypted\-home] [\-\-skipcopy] <path-to-iso> <usb storage device>
=head1 DESCRIPTION
@@ -20,7 +20,7 @@ B<livecd-iso-to-disk> is not a destructive process; any data you currently have
=item --format
-Formats the USB stick and creates a GPT partition table.
+Formats the USB stick and creates an MS-DOS partition table (or GPT partition table if --efi is passed).
=item --reset-mbr
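Review bot: The reworded `--format` item still does not say that formatting erases what is on the stick, while the DESCRIPTION text visible in this hunk's header calls the tool "not a destructive process". Add a sentence to `--format` stating that existing data on the device is lost, since this option contradicts that claim.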
@@ -46,6 +46,10 @@ Disables the encryption of the home directory.
Skips the copy of the live image to the USB stick.
+=item --efi
+
+Create a GPT partition table when --format is passed, and install an hybrid EFI/MBR bootloader on the disk. This is necessary for most Intel Macs.
+
=back
=head1 CONTRIBUTORS
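Review bot: The new `=item --efi` text is written in the imperative ("Create ...", "install ...") while the neighbouring items use third person ("Formats", "Disables", "Skips"), and "an hybrid" should be "a hybrid". Suggested wording: "Creates a GPT partition table when --format is passed, and installs a hybrid EFI/MBR bootloader on the disk."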
diff --git a/tools/livecd-iso-to-disk.sh b/tools/livecd-iso-to-disk.sh
index e947b4a..2fd6d29 100755
--- a/tools/livecd-iso-to-disk.sh
+++ b/tools/livecd-iso-to-disk.sh
@@ -23,7 +23,7 @@
export PATH=/sbin:/usr/sbin:$PATH
usage() {
- echo "$0 [--format] [--reset-mbr] [--noverify] [--overlay-size-mb <size>] [--home-size-mb <size>] [--unencrypted-home] [--skipcopy] <isopath> <usbstick device>"
+ echo "$0 [--format] [--reset-mbr] [--noverify] [--overlay-size-mb <size>] [--home-size-mb <size>] [--unencrypted-home] [--skipcopy] [--efi] <isopath> <usbstick device>"
exit 1
}
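Review bot: `[--efi]` is appended after `[--skipcopy]` in the `usage()` string, but the SYNOPSIS line in docs/livecd-iso-to-disk.pod from this same commit places it after `[--noverify]`. Keep the option order identical in both places so the man page and the tool's help text can be checked against each other line for line.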
commit 96a0ef5bf18f928beb7884935d47627101663f88
Author: Bastien Nocera <hadess(a)hadess.net>
Date: Mon Nov 9 12:48:28 2009 +0000
Update the root label for EFI as well
EFI likes to have its root disk label set correctly as well.
diff --git a/tools/livecd-iso-to-disk.sh b/tools/livecd-iso-to-disk.sh
index 67b25b7..e947b4a 100755
--- a/tools/livecd-iso-to-disk.sh
+++ b/tools/livecd-iso-to-disk.sh
@@ -596,7 +596,7 @@ fi
echo "Updating boot config file"
# adjust label and fstype
-sed -i -e "s/CDLABEL=[^ ]*/$USBLABEL/" -e "s/rootfstype=[^ ]*/rootfstype=$USBFS/" $BOOTCONFIG $BOOTCONFIG_EFI
+sed -i -e "s/CDLABEL=[^ ]*/$USBLABEL/" -e "s/rootfstype=[^ ]*/rootfstype=$USBFS/" -e "s/LABEL=[^ ]*/$USBLABEL/" $BOOTCONFIG $BOOTCONFIG_EFI
if [ -n "$kernelargs" ]; then sed -i -e "s/liveimg/liveimg ${kernelargs}/" $BOOTCONFIG $BOOTCONFIG_EFI ; fi
if [ "$LIVEOS" != "LiveOS" ]; then sed -i -e "s;liveimg;liveimg live_dir=$LIVEOS;" $BOOTCONFIG $BOOTCONFIG_EFI ; fi
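Review bot: The added expression `s/LABEL=[^ ]*/$USBLABEL/` is unanchored, so it matches the first token containing `LABEL=` on each line, including text the first expression has just written if `$USBLABEL` itself begins with `LABEL=`, because sed applies the expressions in order to the same line. Anchor it on a word boundary or on the parameter name it is meant to rewrite. `$USBLABEL` is also interpolated unescaped into the replacement, so a label containing `/` or `&` breaks or alters the substitution; escape it first or use a delimiter that cannot occur in a label.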
14 years, 4 months