[Fedora-livecd-list] imgcreate/creator.py imgcreate/kickstart.py
Brian C. Lane
bcl at fedoraproject.org
Thu Aug 11 20:54:10 UTC 2011
imgcreate/creator.py | 70 ++++++++++++++-----------------------------------
imgcreate/kickstart.py | 3 +-
2 files changed, 23 insertions(+), 50 deletions(-)
New commits:
commit cb058720dc6ffee1560dc147f50b95dc7ce49746
Author: Daniel Walsh <dwalsh at redhat.com>
Date: Thu Aug 11 10:35:34 2011 -0700
Handle move to /sys/fs/selinux (#728576)
selinux mountpoint has moved, read the mountpont from
/proc/mountinfo or fall back to /sys/fs/selinux
diff --git a/imgcreate/creator.py b/imgcreate/creator.py
index 675dcf6..0492c81 100644
--- a/imgcreate/creator.py
+++ b/imgcreate/creator.py
@@ -83,6 +83,15 @@ class ImageCreator(object):
self.__sanity_check()
+ # get selinuxfs mountpoint
+ self.__selinux_mountpoint = "/sys/fs/selinux"
+ with open("/proc/self/mountinfo", "r") as f:
+ for line in f.readlines():
+ fields = line.split()
+ if fields[-2] == "selinuxfs":
+ self.__selinux_mountpoint = fields[4]
+ break
+
def __del__(self):
self.cleanup()
@@ -435,63 +444,25 @@ class ImageCreator(object):
os.symlink(src, self._instroot + dest)
os.umask(origumask)
- def __getbooleans(self):
- booleans = []
- if not kickstart.selinux_enabled(self.ks) or not os.path.exists("/selinux/enforce"):
- return booleans
- for i in selinux.security_get_boolean_names()[1]:
- on = selinux.security_get_boolean_active(i)
- booleans.append(("/booleans/%s" % i, "%d %d" % (on, on)))
- return booleans
-
def __create_selinuxfs(self):
- # if selinux exists on the host we need to lie to the chroot
- if os.path.exists("/selinux/enforce"):
- selinux_dir = self._instroot + "/selinux"
-
- # enforce=0 tells the chroot selinux is not enforcing
- # policyvers=999 tell the chroot to make the highest version of policy it can
-
- files = [('/enforce', '0'),
- ('/policyvers', '999'),
- ('/commit_pending_bools', ''),
- ('/mls', str(selinux.is_selinux_mls_enabled()))]
-
- for (file, value) in files + self.__getbooleans():
- fd = os.open(selinux_dir + file, os.O_WRONLY | os.O_TRUNC | os.O_CREAT)
- os.write(fd, value)
- os.close(fd)
+ arglist = ["/bin/mount", "--bind", "/dev/null", self._instroot + self.__selinux_mountpoint + "/load"]
+ subprocess.call(arglist, close_fds = True)
- # we steal mls from the host system for now, might be best to always set it to 1????
- # make /load -> /dev/null so chroot policy loads don't hurt anything
- os.mknod(selinux_dir + "/load", 0666 | stat.S_IFCHR, os.makedev(1, 3))
-
- # selinux is on in the kickstart, so clean up as best we can to start
if kickstart.selinux_enabled(self.ks):
# label the fs like it is a root before the bind mounting
arglist = ["/sbin/setfiles", "-F", "-r", self._instroot, selinux.selinux_file_context_path(), self._instroot]
subprocess.call(arglist, close_fds = True)
# these dumb things don't get magically fixed, so make the user generic
- for f in ("/proc", "/sys", "/selinux"):
+ # if selinux exists on the host we need to lie to the chroot
+ if selinux.is_selinux_enabled():
+ for f in ("/proc", "/sys"):
arglist = ["/usr/bin/chcon", "-u", "system_u", self._instroot + f]
subprocess.call(arglist, close_fds = True)
def __destroy_selinuxfs(self):
# if the system was running selinux clean up our lies
- if os.path.exists("/selinux/enforce"):
- for root, dirs, files in os.walk(self._instroot + "/selinux"):
- for name in files:
- try:
- os.remove(os.path.join(root, name))
- except OSError:
- pass
- for name in dirs:
- if os.path.join(root, name) == self._instroot + "/selinux":
- continue
- try:
- os.rmdir(os.path.join(root, name))
- except OSError:
- pass
+ arglist = ["/bin/umount", self._instroot + self.__selinux_mountpoint + "/load"]
+ subprocess.call(arglist, close_fds = True)
def mount(self, base_on = None, cachedir = None):
"""Setup the target filesystem in preparation for an install.
@@ -518,7 +489,7 @@ class ImageCreator(object):
self._mount_instroot(base_on)
- for d in ("/dev/pts", "/etc", "/boot", "/var/log", "/var/cache/yum", "/sys", "/proc", "/selinux/booleans"):
+ for d in ("/dev/pts", "/etc", "/boot", "/var/log", "/var/cache/yum", "/sys", "/proc"):
makedirs(self._instroot + d)
cachesrc = cachedir or (self.__builddir + "/yum-cache")
@@ -527,13 +498,14 @@ class ImageCreator(object):
# bind mount system directories into _instroot
for (f, dest) in [("/sys", None), ("/proc", None),
("/dev/pts", None), ("/dev/shm", None),
+ (self.__selinux_mountpoint, self.__selinux_mountpoint),
(cachesrc, "/var/cache/yum")]:
self.__bindmounts.append(BindChrootMount(f, self._instroot, dest))
- self.__create_selinuxfs()
-
self._do_bindmounts()
+ self.__create_selinuxfs()
+
self.__create_minimal_dev()
os.symlink("/proc/self/mounts", self._instroot + "/etc/mtab")
@@ -619,7 +591,7 @@ class ImageCreator(object):
# we need /usr/sbin/lokkit
def __can_handle_selinux(self, ayum):
file = "/usr/sbin/lokkit"
- if not kickstart.selinux_enabled(self.ks) and os.path.exists("/selinux/enforce") and not ayum.installHasFile(file):
+ if not kickstart.selinux_enabled(self.ks) and selinux.is_selinux_enabled() and not ayum.installHasFile(file):
raise CreatorError("Unable to disable SELinux because the installed package set did not include the file %s" % (file))
def install(self, repo_urls = {}):
diff --git a/imgcreate/kickstart.py b/imgcreate/kickstart.py
index 33859d6..345c638 100644
--- a/imgcreate/kickstart.py
+++ b/imgcreate/kickstart.py
@@ -23,6 +23,7 @@ import subprocess
import time
import logging
import urlgrabber
+import selinux
try:
import system_config_keyboard.keyboard as keyboard
@@ -420,7 +421,7 @@ class SelinuxConfig(KickstartConfig):
if not os.path.exists(self.path("/sbin/setfiles")):
return
- self.call(["/sbin/setfiles", "-e", "/proc", "-e", "/sys", "-e", "/dev", "-e", "/selinux", "/etc/selinux/targeted/contexts/files/file_contexts", "/"])
+ self.call(["/sbin/setfiles", "-p", "-e", "/proc", "-e", "/sys", "-e", "/dev", selinux.selinux_file_context_path(), "/"])
def apply(self, ksselinux):
if os.path.exists(self.path("/usr/sbin/lokkit")):
More information about the livecd
mailing list