[Fedora-livecd-list] Re: Unnecessary SELinux Failure Condition?

Jeremy Katz katzj at fedoraproject.org
Wed Dec 16 15:02:05 UTC 2009


On Wed, Dec 16, 2009 at 12:03 AM, Alan Pevec <apevec at gmail.com> wrote:
> I've just found one issue with the patch:
> @@ -734,6 +725,9 @@ class ImageCreator(object):
>
>          self.__run_post_scripts()
>
> +        # selinux should always come last
> +        kickstart.SelinuxConfig(self._instroot).apply(ksh.selinux)
> +
>      def launch_shell(self):
>          """Launch a shell in the install root.
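
Review bot: the added `kickstart.SelinuxConfig(self._instroot).apply(ksh.selinux)` call sits after `self.__run_post_scripts()`, so it runs once the %post scripts have finished and will overwrite any SELinux configuration they wrote. Consider moving the call ahead of `self.__run_post_scripts()` so that %post stays the final step. The comment `# selinux should always come last` states the ordering but not the reason for it; say what breaks if the SELinux configuration is applied earlier, so the next reader can judge whether the ordering is really required.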

NAK.  Nothing *EVER* can come after running %post scripts.  It breaks
one of the very few things that have to always be held true for
kickstart scripts that came about after a few years of flip-flopping
things around for various reasons that seemed good at the time.

> Other issue is that pykickstart "selinux" command doesn't have --type option
> to specify the policy and lokkit assumes "targeted" if
> --selinuxtype=<type> is not specified. SelinuxConfig should not touch
> SELINUXTYPE already set in /etc/selinux/config by %post script.
> To avoid lokkit side-effects, I'll amend the patch to use Augeas to modify
> /etc/selinux/config

I'd rather not have a dependency on augeas here.  If it's important
that people be able to specify the policy type in the kickstart
config, then we should push that support in via pykickstart and
lokkit, not change to a whole new toolset.

- Jeremy



