Daniel J Walsh wrote:
> On 09/11/2009 04:47 PM, Jay Greguske wrote:
>> Hello,
>> While using livecd-creator and poking around the code, I found a check that I don't understand the reason for. livecd-creator will bail out if the host has SELinux disabled and the kickstart file requests it be enabled. Why is that? I would think that if SELinux was disabled but you still had the policy available, that would be all you need to build a properly labeled image.
>> Out of curiosity I made changes to the code just to see what would happen. I attached them to this mail for reference, NOT as proposed changes to be applied to the livecd-tools code. On an F10 system with SELinux disabled I was able to build a working livecd image that I could boot and play around in. SELinux was being enforced in the image too. I was able to do this with a RHEL 5 kernel as well, just to see if maybe something had changed with an earlier version of SELinux.
>> Perhaps the failure condition is no longer necessary?
>> Thanks in advance,
>> - Jay
> Yes I think that is no longer necessary. And it should definitely be supported.
Attached is a cleaner patch that removes the check and some other unnecessary code (thanks Dan). With this users should be able to build livecd images that have SELinux enabled on an SELinux-disabled host. I've tested this on an F10 system with an F10 and a RHEL 5 kernel. With both kernels I was able to build images with SELinux enabled and disabled on the host (but always enabled in the kickstart file).
Let me know what you guys think!
Thanks, - Jay
On Fri, Sep 18, 2009 at 10:26 AM, Jay Greguske jgregusk@redhat.com wrote:
> Daniel J Walsh wrote:
>> On 09/11/2009 04:47 PM, Jay Greguske wrote:
>>> [snip]
>>> Perhaps the failure condition is no longer necessary?
>> Yes I think that is no longer necessary. And it should definitely be supported.
> Attached is a cleaner patch that removes the check and some other unnecessary code (thanks Dan). With this users should be able to build livecd images that have SELinux enabled on an SELinux-disabled host. I've tested this on an F10 system with an F10 and a RHEL 5 kernel. Both kernels I was able to build images with the SELinux enabled and disabled on the host (but always enabled in the kickstart file).
There have been some problems more recently with the booleans stuff if SELinux isn't enabled. Does that all end up working correctly still?
I'm not fundamentally opposed to the patch; it's just historically been something which didn't work.
- Jeremy
Jeremy Katz wrote:
> [snip]
> There have been some problems more recently with the booleans stuff if SELinux isn't enabled. Does that all end up working correctly still?
> I'm not fundamentally opposed to the patch; it's just historically been something which didn't work.
> - Jeremy
I'll look into it. Are there any you have in mind specifically?
- Jay
On Fri, Sep 25, 2009 at 8:59 AM, Jay Greguske jgregusk@redhat.com wrote:
> Jeremy Katz wrote:
>> There have been some problems more recently with the booleans stuff if SELinux isn't enabled. Does that all end up working correctly still?
> I'll look into it. Are there any you have in mind specifically?
Dan might remember better than I -- I vaguely remember that a lot of the home directory bits and also some of the xguest stuff requires working booleans.
- Jeremy
Jeremy Katz wrote:
> [snip]
> Dan might remember better than I -- I vaguely remember that a lot of the home directory bits and also some of the xguest stuff requires working booleans.
> - Jeremy
I installed xguest to a running livecd (desktop ks file) and played with two booleans related to it: browser_write_xguest_data and xguest_connect_network. With the former turned off the Guest account could not download files from random internet sites, and with the latter it couldn't connect at all, so I'd say they were functioning as expected. I'm pretty confident SELinux booleans are working correctly with these changes. If you have other tests to suggest I'd be happy to try them out.
Thanks, - Jay
Jay Greguske wrote:
> [snip]
> I installed xguest to a running livecd (desktop ks file) and played with two booleans related to it: browser_write_xguest_data and xguest_connect_network. With the former turned off the Guest account could not download files from random internet sites, and with the latter it couldn't connect at all, so I'd say they were functioning as expected. I'm pretty confident SELinux booleans are working correctly with these changes. If you have other tests to suggest I'd be happy to try them out.
> Thanks,
> - Jay
> -- Fedora-livecd-list mailing list Fedora-livecd-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-livecd-list
Is there anything more I can do to scoot these changes along? I don't want them to fall off radar...
- Jay
On Thu, Oct 22, 2009 at 10:42 PM, Jay Greguske jgregusk@redhat.com wrote:
> [snip]
> Is there anything more I can do to scoot these changes along? I don't want them to fall off radar...
We definitely need this patch - I got a few files with unlabeled_t in the image created with F12 livecd-tools (ovirt-node-image.ks). I guess setfiles replacing restorecon in your patch is what fixes it.
I've just found one issue with the patch: @@ -722,7 +714,6 @@ class ImageCreator(object): kickstart.KeyboardConfig(self._instroot).apply(ksh.keyboard) kickstart.TimezoneConfig(self._instroot).apply(ksh.timezone) kickstart.AuthConfig(self._instroot).apply(ksh.authconfig) - kickstart.SelinuxConfig(self._instroot).apply(ksh.selinux) kickstart.FirewallConfig(self._instroot).apply(ksh.firewall) kickstart.RootPasswordConfig(self._instroot).apply(ksh.rootpw) kickstart.ServicesConfig(self._instroot).apply(ksh.services) @@ -734,6 +725,9 @@ class ImageCreator(object):
self.__run_post_scripts()
+ # selinux should always come last + kickstart.SelinuxConfig(self._instroot).apply(ksh.selinux) + def launch_shell(self): """Launch a shell in the install root.
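Review bot: in the `@@ -722,7 +714,6 @@` hunk the line `- kickstart.SelinuxConfig(self._instroot).apply(ksh.selinux)` is deleted from the ordered apply block between AuthConfig and FirewallConfig with nothing put in its place, so read on its own this hunk leaves the kickstart `selinux` directive unapplied; the commit message should state that the call is being relocated, not dropped, and the relocation should keep it inside this pre-%post block rather than after it.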
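Review bot: the added `+ kickstart.SelinuxConfig(self._instroot).apply(ksh.selinux)` in the `@@ -734,6 +725,9 @@` hunk lands after `self.__run_post_scripts()`, which puts image SELinux configuration after the user's %post scripts; any change a %post script made to /etc/selinux/config (the SELINUXTYPE= case raised in this mail) would then be clobbered, and the comment `# selinux should always come last` states a rule without saying what it must come after or why. Suggest applying the SELinux config before %post runs and expanding the comment to name the ordering constraint it relies on.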
This reverts http://git.fedorahosted.org/git/?p=livecd;a=commitdiff;h=d8c25944dde2de95a38...
Other issue is that the pykickstart "selinux" command doesn't have a --type option to specify the policy, and lokkit assumes "targeted" if --selinuxtype=<type> is not specified. SelinuxConfig should not touch SELINUXTYPE already set in /etc/selinux/config by a %post script. To avoid lokkit side-effects, I'll amend the patch to use Augeas to modify /etc/selinux/config.
Alan
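As an added illustration of the second issue above (not code from this thread, from livecd-tools, or from Augeas), here is a small Python helper that sets SELINUX= in an /etc/selinux/config-style file while leaving an already-set SELINUXTYPE= untouched unless a type is explicitly requested, and never substitutes a "targeted" default. It is a plain line-based rewrite rather than an Augeas lens; the sample config text, the scratch install root, and the function names (parse_selinux_config, render_selinux_config, apply_selinux_config) are all constructed for this example.

```python
import os
import re
import tempfile

# Constructed sample of an /etc/selinux/config as a %post script might leave it
# (SELINUXTYPE already set to a non-default policy). Not a file from the thread.
SAMPLE_CONFIG = """\
# This file controls the state of SELinux on the system.
SELINUX=permissive
# SELINUXTYPE= can take one of these two values: targeted, mls
SELINUXTYPE=mls
"""

VALID_STATES = ("enforcing", "permissive", "disabled")
KEY_RE = re.compile(r"^(SELINUX|SELINUXTYPE)=(.*)$")


def parse_selinux_config(text):
    """Return {key: value} for the SELINUX= and SELINUXTYPE= lines.

    Comment lines (leading '#') never match, so a commented-out
    '# SELINUXTYPE=...' example line does not count as a setting.
    """
    found = {}
    for line in text.splitlines():
        m = KEY_RE.match(line.strip())
        if m:
            found[m.group(1)] = m.group(2).strip()
    return found


def render_selinux_config(text, state, policy_type=None):
    """Return `text` with SELINUX= set to `state`.

    SELINUXTYPE= is rewritten only when `policy_type` is given. An existing
    SELINUXTYPE line is otherwise left exactly as it is, and no default such
    as 'targeted' is invented: if the type is absent and none was requested,
    the file simply keeps not specifying one.
    """
    if state not in VALID_STATES:
        raise ValueError("unknown SELinux state: %r" % (state,))
    wanted = {"SELINUX": state}
    if policy_type is not None:
        wanted["SELINUXTYPE"] = policy_type

    seen = set()
    out = []
    for line in text.splitlines():
        m = KEY_RE.match(line.strip())
        if m and m.group(1) in wanted:
            key = m.group(1)
            out.append("%s=%s" % (key, wanted[key]))
            seen.add(key)
        else:
            out.append(line)  # comments and unrelated lines pass through untouched
    # Append any requested key that the file did not already contain.
    for key in ("SELINUX", "SELINUXTYPE"):
        if key in wanted and key not in seen:
            out.append("%s=%s" % (key, wanted[key]))
    return "\n".join(out) + "\n"


def apply_selinux_config(instroot, state, policy_type=None):
    """Rewrite <instroot>/etc/selinux/config in place and return the new text.

    `instroot` plays the role of the image's install root (the thread's
    self._instroot); a missing file is created with only the requested keys.
    """
    path = os.path.join(instroot, "etc", "selinux", "config")
    os.makedirs(os.path.dirname(path), exist_ok=True)
    existing = ""
    if os.path.exists(path):
        with open(path) as f:
            existing = f.read()
    new_text = render_selinux_config(existing, state, policy_type)
    with open(path, "w") as f:
        f.write(new_text)
    return new_text


def demo_roundtrip():
    """Write the constructed sample into a scratch install root, apply
    'enforcing' without a type, and return the resulting settings."""
    with tempfile.TemporaryDirectory() as root:
        cfg_dir = os.path.join(root, "etc", "selinux")
        os.makedirs(cfg_dir)
        with open(os.path.join(cfg_dir, "config"), "w") as f:
            f.write(SAMPLE_CONFIG)
        return parse_selinux_config(apply_selinux_config(root, "enforcing"))


if __name__ == "__main__":
    print(demo_roundtrip())  # {'SELINUX': 'enforcing', 'SELINUXTYPE': 'mls'}
```

The point of the split between render_selinux_config and apply_selinux_config is that the decision "do not touch SELINUXTYPE unless asked" is testable on plain text, independent of where the image root lives; a caller that does want to set the type passes it explicitly, and a caller that only knows the enforcing/permissive/disabled state cannot accidentally reset a policy type chosen in %post.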
On Wed, Dec 16, 2009 at 12:03 AM, Alan Pevec apevec@gmail.com wrote:
I've just found one issue with the patch: @@ -734,6 +725,9 @@ class ImageCreator(object):
self.__run_post_scripts()
+ # selinux should always come last + kickstart.SelinuxConfig(self._instroot).apply(ksh.selinux)
def launch_shell(self): """Launch a shell in the install root.
NAK. Nothing *EVER* can come after running %post scripts. It breaks one of the very few things that have to always be held true for kickstart scripts that came about after a few years of flip-flopping things around for various reasons that seemed good at the time.
> Other issue is that the pykickstart "selinux" command doesn't have a --type option to specify the policy, and lokkit assumes "targeted" if --selinuxtype=<type> is not specified. SelinuxConfig should not touch SELINUXTYPE already set in /etc/selinux/config by a %post script. To avoid lokkit side-effects, I'll amend the patch to use Augeas to modify /etc/selinux/config.
I'd rather not have a dependency on augeas here. If it's important that people be able to specify the policy type in the kickstart config, then we should push that support in via pykickstart and lokkit, not change to a whole new toolset.
- Jeremy