[Fedora-livecd-list] imgcreate/creator.py imgcreate/kickstart.py

Jeremy Katz katzj at fedoraproject.org
Wed Feb 20 23:27:40 UTC 2008


 imgcreate/creator.py   |    8 +++++++-
 imgcreate/kickstart.py |   10 ++++++----
 2 files changed, 13 insertions(+), 5 deletions(-)

New commits:
commit e98a30558acc58275ee2c4469e3c4f8bea9b566f
Author: Warren Togami <wtogami at redhat.com>
Date:   Wed Feb 20 14:39:47 2008 -0500

    selinux --disabled fixes
    
    The attached patch seems to fix "selinux --disabled" and other parts
    related to selinux.  It ensures that if SELinux is disabled, no labels are
    set on files, restorecon is not run, and /selinux is not bind-mounted.

diff --git a/imgcreate/creator.py b/imgcreate/creator.py
index c7b1046..11fce2d 100644
--- a/imgcreate/creator.py
+++ b/imgcreate/creator.py
@@ -435,10 +435,14 @@ class ImageCreator(object):
 
         # bind mount system directories into _instroot
         for (f, dest) in [("/sys", None), ("/proc", None), ("/dev", None),
-                          ("/dev/pts", None), ("/selinux", None),
+                          ("/dev/pts", None),
                           (cachesrc, "/var/cache/yum")]:
             self.__bindmounts.append(BindChrootMount(f, self._instroot, dest))
 
+        # /selinux should only be mounted if selinux is enabled (enforcing or permissive)
+        if kickstart.selinux_enabled(self.ks):
+            self.__bindmounts.append(BindChrootMount("/selinux", self._instroot, None))
+
         self._do_bindmounts()
 
         os.symlink("../proc/mounts", self._instroot + "/etc/mtab")
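Review bot: The new comment says /selinux is mounted for "enforcing or permissive", but `kickstart.selinux_enabled()` as rewritten in the last hunk of this patch is true only for `SELINUX_ENFORCING`, so a permissive build skips the bind mount. The same predicate gates the `__file_context_path` macro in the next creator.py hunk, so a permissive image would also be installed with file contexts turned off, while the relabel check in kickstart.py returns early only for `SELINUX_DISABLED`; the three places disagree about permissive mode. An image built without labels presumably needs a full relabel before it can be switched to enforcing. The helper should accept both modes, for example `return ks.handler.selinux.selinux in (ksconstants.SELINUX_ENFORCING, ksconstants.SELINUX_PERMISSIVE)`. The enclosing method starts and ends outside this hunk.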
@@ -551,6 +555,8 @@ class ImageCreator(object):
 
         if kickstart.exclude_docs(self.ks):
             rpm.addMacro("_excludedocs", "1")
+        if not kickstart.selinux_enabled(self.ks):
+            rpm.addMacro("__file_context_path", "%{nil}")
 
         try:
             self.__select_packages(ayum)
diff --git a/imgcreate/kickstart.py b/imgcreate/kickstart.py
index a7e0723..30156d8 100644
--- a/imgcreate/kickstart.py
+++ b/imgcreate/kickstart.py
@@ -370,7 +370,7 @@ class SelinuxConfig(KickstartConfig):
             f = file(path, "w+")
             os.chmod(path, 0644)
 
-        if not ksselinux.selinux:
+        if ksselinux.selinux == ksconstants.SELINUX_DISABLED:
             return
         if not os.path.exists(self.path("/sbin/restorecon")):
             return
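Review bot: The early return now fires only on an exact match with `SELINUX_DISABLED`, whereas the old `not ksselinux.selinux` returned for any falsy value. If the handler can leave the attribute unset when the kickstart has no selinux line (not visible here, so worth confirming), restorecon would run even though `selinux_enabled()` reports false and creator.py has disabled file contexts. Testing the positive case keeps the callers aligned: `if ksselinux.selinux not in (ksconstants.SELINUX_ENFORCING, ksconstants.SELINUX_PERMISSIVE):` followed by the existing `return`. The method this belongs to starts outside the hunk.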
@@ -381,9 +381,11 @@ class SelinuxConfig(KickstartConfig):
         if os.path.exists(self.path("/usr/sbin/lokkit")):
             args = ["/usr/sbin/lokkit", "-f", "--quiet", "--nostart"]
 
-            if ksselinux.selinux:
+            if ksselinux.selinux == ksconstants.SELINUX_ENFORCING:
                 args.append("--selinux=enforcing")
-            else:
+            if ksselinux.selinux == ksconstants.SELINUX_PERMISSIVE:
+                args.append("--selinux=permissive")
+            if ksselinux.selinux == ksconstants.SELINUX_DISABLED:
                 args.append("--selinux=disabled")
 
             self.call(args)
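Review bot: The three mode checks are independent `if` statements although the modes are mutually exclusive, and a value matching none of them now runs lokkit with no `--selinux=` option, where the old `else` always passed one. Chaining them makes the exclusivity explicit: `elif ksselinux.selinux == ksconstants.SELINUX_PERMISSIVE:` and `elif ksselinux.selinux == ksconstants.SELINUX_DISABLED:`. A one-line comment stating what lokkit should do for an unset value would document whether leaving the target's existing setting untouched is intended. The method containing this block starts outside the hunk.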
@@ -483,4 +485,4 @@ def get_post_scripts(ks):
     return scripts
 
 def selinux_enabled(ks):
-    return ks.handler.selinux.selinux
+    return ks.handler.selinux.selinux == ksconstants.SELINUX_ENFORCING




