[PATCH 1/2] LiveCD - Add fake /selinux so livecd can run in enforcing

eparis at redhat.com eparis at redhat.com
Fri Jun 6 20:11:53 UTC 2008


From: Eric Paris <eparis at redhat.com>

This patch adds a /selinux directory to a newly created livecd compose which
will allow the tools inside the chroot to interoperate with the live system
successfully.

Signed-off-by: Eric Paris <eparis at redhat.com>
---
 imgcreate/creator.py   |   55 ++++++++++++++++++++++++++++++++++++++++++++---
 imgcreate/kickstart.py |    2 +-
 2 files changed, 52 insertions(+), 5 deletions(-)

diff --git a/imgcreate/creator.py b/imgcreate/creator.py
index 5d010a1..f65f7d4 100644
--- a/imgcreate/creator.py
+++ b/imgcreate/creator.py
@@ -24,6 +24,7 @@ import tempfile
 import shutil
 import logging
 
+import selinux
 import yum
 import rpm
 
@@ -421,6 +422,52 @@ class ImageCreator(object):
         os.symlink('/proc/self/fd/2', self._instroot + "/dev/stderr")
         os.umask(origumask)
 
+    def __create_selinuxfs(self):
+        # if selinux exists on the host we need to lie to the chroot
+        if os.path.exists("/selinux/enforce"):
+            selinux_dir = self._instroot + "/selinux"
+
+            # enforce=0 tells the chroot selinux is not enforcing
+            # policyvers=999 tell the chroot to make the highest version of policy it can
+            files = (('/enforce', '0'),
+                     ('/policyvers', '999'))
+            for (file, value) in files:
+                fd = os.open(selinux_dir + file, os.O_WRONLY | os.O_TRUNC | os.O_CREAT)
+                os.write(fd, value)
+                os.close(fd)
+
+            # we steal mls from the host system for now, might be best to always set it to 1????
+            files = ("/mls",)
+            for file in files:
+                shutil.copyfile("/selinux" + file, selinux_dir + file)
+
+            # make /load -> /dev/null so chroot policy loads don't hurt anything
+            os.mknod(selinux_dir + "/load", 0666 | stat.S_IFCHR, os.makedev(1, 3))
+
+        # selinux is on in the kickstart, so clean up as best we can to start
+        if kickstart.selinux_enabled(self.ks):
+            # label the fs like it is a root before the bind mounting
+            arglist = ["/sbin/setfiles", "-F", "-r", self._instroot, selinux.selinux_file_context_path(), self._instroot]
+            subprocess.call(arglist, close_fds = True)
+            # these dumb things don't get magically fixed, so make the user generic
+            for f in ("/proc", "/sys", "/selinux"):
+                arglist = ["/usr/bin/chcon", "-u", "system_u", self._instroot + f]
+                subprocess.call(arglist, close_fds = True)
+
+    def __destroy_selinuxfs(self):
+        # if the system was running selinux clean up our lies
+        if os.path.exists("/selinux/enforce"):
+            files = ('/enforce',
+                     '/policyvers',
+                     '/mls',
+                     '/load')
+            for file in files:
+                try:
+                    os.unlink(self._instroot + "/selinux" + file)
+                except OSError:
+                    pass
+
+
     def mount(self, base_on = None, cachedir = None):
         """Setup the target filesystem in preparation for an install.
 
@@ -446,7 +493,7 @@ class ImageCreator(object):
 
         self._mount_instroot(base_on)
 
-        for d in ("/dev/pts", "/etc", "/boot", "/var/log", "/var/cache/yum"):
+        for d in ("/dev/pts", "/etc", "/boot", "/var/log", "/var/cache/yum", "/sys", "/proc", "/selinux"):
             makedirs(self._instroot + d)
 
         cachesrc = cachedir or (self.__builddir + "/yum-cache")
@@ -458,9 +505,7 @@ class ImageCreator(object):
                           (cachesrc, "/var/cache/yum")]:
             self.__bindmounts.append(BindChrootMount(f, self._instroot, dest))
 
-        # /selinux should only be mounted if selinux is enabled (enforcing or permissive)
-        if kickstart.selinux_enabled(self.ks):
-            self.__bindmounts.append(BindChrootMount("/selinux", self._instroot, None))
+        self.__create_selinuxfs()
 
         self._do_bindmounts()
 
@@ -483,6 +528,8 @@ class ImageCreator(object):
         except OSError:
             pass
 
+        self.__destroy_selinuxfs()
+
         self._undo_bindmounts()
 
         self._unmount_instroot()
diff --git a/imgcreate/kickstart.py b/imgcreate/kickstart.py
index c83e795..180cea2 100644
--- a/imgcreate/kickstart.py
+++ b/imgcreate/kickstart.py
@@ -389,7 +389,7 @@ class SelinuxConfig(KickstartConfig):
         if not os.path.exists(self.path("/sbin/restorecon")):
             return
 
-        self.call(["/sbin/restorecon", "-l", "-v", "-r", "/"])
+        self.call(["/sbin/restorecon", "-l", "-v", "-r", "-F", "-e", "/proc", "-e", "/sys", "-e", "/dev", "-e", "/selinux", "/"])
 
     def apply(self, ksselinux):
         if os.path.exists(self.path("/usr/sbin/lokkit")):
-- 
1.5.5.3




More information about the fedora-selinux-list mailing list