[Ovirt-devel] [PATCH REPOST node-image] Use minimal selinux configuration and add modules selectively
Perry Myers
pmyers at redhat.com
Fri Nov 21 05:22:22 UTC 2008
Repost of patch. Original patch forgot to include ovirt-node-selinux.pp
in the list of selinux modules to install.
Signed-off-by: Perry Myers <pmyers at redhat.com>
---
common-blacklist.ks | 3 ---
common-pkgs.ks | 2 +-
common-post.ks | 24 ++++++++++++++++++++++++
3 files changed, 25 insertions(+), 4 deletions(-)
diff --git a/common-blacklist.ks b/common-blacklist.ks
index 48702da..3c89236 100644
--- a/common-blacklist.ks
+++ b/common-blacklist.ks
@@ -118,9 +118,6 @@ find /usr/share -type d -exec rmdir {} \; > /dev/null 2>&1
echo "Cleanup excess selinux modules"
$RM /usr/share/selinux
-# FIXME: We shouldn't remove all of the modules, just selected ones
-# need to do more fine grained black/white listing for this
-#$RM /etc/selinux/targeted/modules/active/modules/*
echo "Running image-minimizer..."
%end
diff --git a/common-pkgs.ks b/common-pkgs.ks
index a35519f..80993d6 100644
--- a/common-pkgs.ks
+++ b/common-pkgs.ks
@@ -12,7 +12,7 @@ kvm
syslinux
ovirt-node
ovirt-node-selinux
-selinux-policy-targeted
+selinux-policy-minimum
vim-minimal
-audit-libs-python
-hdparm
diff --git a/common-post.ks b/common-post.ks
index 7497b20..42c055f 100644
--- a/common-post.ks
+++ b/common-post.ks
@@ -3,6 +3,30 @@ echo "Starting Kickstart Post"
PATH=/sbin:/usr/sbin:/bin:/usr/bin
export PATH
+# Import SELinux Modules
+echo "Enabling selinux modules"
+SEMODULES="base automount avahi consolekit cyrus dhcp dnsmasq guest hal ipsec \
+iscsi kerberos kerneloops ldap lockdev logadm mozilla ntp ovirt-node-selinux \
+polkit portmap qemu rpcbind sasl snmp stunnel sysstat tcpd unprivuser \
+unconfined usbmodules userhelper virt"
+
+lokkit -v --selinuxtype=minimum
+tmpdir=$(mktemp -d)
+
+for semodule in $SEMODULES; do
+ if [ -f /usr/share/selinux/minimum/$semodule.pp.bz2 ]; then
+ mv /usr/share/selinux/minimum/$semodule.pp.bz2 $tmpdir
+ bunzip2 $tmpdir/$semodule.pp.bz2
+ else
+ mv /usr/share/selinux/minimum/$semodule.pp $tmpdir
+ fi
+done
+
+ls $tmpdir/*.pp | grep -Ev "base.pp|enableaudit.pp" \
+ | xargs semodule -v -b $tmpdir/base.pp -i
+semodule -v -B
+rm -Rf $tmpdir
+
echo "Running ovirt-install-host stateless"
/usr/sbin/ovirt-install-node stateless
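Review bot: Every step that assembles the policy in this hunk is unchecked, so a missing module, a failed `mktemp -d`, a failed `semodule -i` or a failed `semodule -B` leaves the image with a partial or stale SELinux policy while the %post section carries on to ovirt-install-node. The `else` branch at `mv /usr/share/selinux/minimum/$semodule.pp $tmpdir` assumes the uncompressed file exists, so a typo in SEMODULES (the very class of mistake this repost corrects) only prints an mv error and continues; an explicit "not found" branch and an exit on error would surface it at build time, assuming the kickstart runner treats a non-zero %post status as fatal. Also, if mktemp fails `$tmpdir` is empty and the `ls $tmpdir/*.pp` line globs `/*.pp` instead; `tmpdir=$(mktemp -d) || exit 1` closes that, and quoting `"$tmpdir"` in the mv/rm/ls lines costs nothing. The %post section begins before and ends after this hunk.
```shell
tmpdir=$(mktemp -d) || exit 1

for semodule in $SEMODULES; do
  src=/usr/share/selinux/minimum/$semodule.pp
  if [ -f "$src.bz2" ]; then
    mv "$src.bz2" "$tmpdir" || exit 1
    bunzip2 "$tmpdir/$semodule.pp.bz2" || exit 1
  elif [ -f "$src" ]; then
    mv "$src" "$tmpdir" || exit 1
  else
    echo "SELinux module $semodule not found in /usr/share/selinux/minimum" >&2
    exit 1
  fi
done

# … unchanged: ls | grep -Ev | xargs semodule -i … (add `|| exit 1` so a rejected module fails the build)
semodule -v -B || exit 1
rm -Rf "$tmpdir"
```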
--
1.6.0.3