[PATCH 1/2] LiveCD - Add fake /selinux so livecd can run in enforcing
eparis at redhat.com
eparis at redhat.com
Fri Jun 6 20:11:53 UTC 2008
From: Eric Paris <eparis at redhat.com>
This patch adds a /selinux directory to a newly created livecd compose which
will allow the tools inside the chroot to interoperate with the live system
successfully.
Signed-off-by: Eric Paris <eparis at redhat.com>
---
imgcreate/creator.py | 55 ++++++++++++++++++++++++++++++++++++++++++++---
imgcreate/kickstart.py | 2 +-
2 files changed, 52 insertions(+), 5 deletions(-)
diff --git a/imgcreate/creator.py b/imgcreate/creator.py
index 5d010a1..f65f7d4 100644
--- a/imgcreate/creator.py
+++ b/imgcreate/creator.py
@@ -24,6 +24,7 @@ import tempfile
import shutil
import logging
+import selinux
import yum
import rpm
@@ -421,6 +422,52 @@ class ImageCreator(object):
os.symlink('/proc/self/fd/2', self._instroot + "/dev/stderr")
os.umask(origumask)
+ def __create_selinuxfs(self):
+ # if selinux exists on the host we need to lie to the chroot
+ if os.path.exists("/selinux/enforce"):
+ selinux_dir = self._instroot + "/selinux"
+
+ # enforce=0 tells the chroot selinux is not enforcing
+ # policyvers=999 tell the chroot to make the highest version of policy it can
+ files = (('/enforce', '0'),
+ ('/policyvers', '999'))
+ for (file, value) in files:
+ fd = os.open(selinux_dir + file, os.O_WRONLY | os.O_TRUNC | os.O_CREAT)
+ os.write(fd, value)
+ os.close(fd)
+
+ # we steal mls from the host system for now, might be best to always set it to 1????
+ files = ("/mls",)
+ for file in files:
+ shutil.copyfile("/selinux" + file, selinux_dir + file)
+
+ # make /load -> /dev/null so chroot policy loads don't hurt anything
+ os.mknod(selinux_dir + "/load", 0666 | stat.S_IFCHR, os.makedev(1, 3))
+
+ # selinux is on in the kickstart, so clean up as best we can to start
+ if kickstart.selinux_enabled(self.ks):
+ # label the fs like it is a root before the bind mounting
+ arglist = ["/sbin/setfiles", "-F", "-r", self._instroot, selinux.selinux_file_context_path(), self._instroot]
+ subprocess.call(arglist, close_fds = True)
+ # these dumb things don't get magically fixed, so make the user generic
+ for f in ("/proc", "/sys", "/selinux"):
+ arglist = ["/usr/bin/chcon", "-u", "system_u", self._instroot + f]
+ subprocess.call(arglist, close_fds = True)
+
+ def __destroy_selinuxfs(self):
+ # if the system was running selinux clean up our lies
+ if os.path.exists("/selinux/enforce"):
+ files = ('/enforce',
+ '/policyvers',
+ '/mls',
+ '/load')
+ for file in files:
+ try:
+ os.unlink(self._instroot + "/selinux" + file)
+ except OSError:
+ pass
+
+
def mount(self, base_on = None, cachedir = None):
"""Setup the target filesystem in preparation for an install.
@@ -446,7 +493,7 @@ class ImageCreator(object):
self._mount_instroot(base_on)
- for d in ("/dev/pts", "/etc", "/boot", "/var/log", "/var/cache/yum"):
+ for d in ("/dev/pts", "/etc", "/boot", "/var/log", "/var/cache/yum", "/sys", "/proc", "/selinux"):
makedirs(self._instroot + d)
cachesrc = cachedir or (self.__builddir + "/yum-cache")
@@ -458,9 +505,7 @@ class ImageCreator(object):
(cachesrc, "/var/cache/yum")]:
self.__bindmounts.append(BindChrootMount(f, self._instroot, dest))
- # /selinux should only be mounted if selinux is enabled (enforcing or permissive)
- if kickstart.selinux_enabled(self.ks):
- self.__bindmounts.append(BindChrootMount("/selinux", self._instroot, None))
+ self.__create_selinuxfs()
self._do_bindmounts()
@@ -483,6 +528,8 @@ class ImageCreator(object):
except OSError:
pass
+ self.__destroy_selinuxfs()
+
self._undo_bindmounts()
self._unmount_instroot()
diff --git a/imgcreate/kickstart.py b/imgcreate/kickstart.py
index c83e795..180cea2 100644
--- a/imgcreate/kickstart.py
+++ b/imgcreate/kickstart.py
@@ -389,7 +389,7 @@ class SelinuxConfig(KickstartConfig):
if not os.path.exists(self.path("/sbin/restorecon")):
return
- self.call(["/sbin/restorecon", "-l", "-v", "-r", "/"])
+ self.call(["/sbin/restorecon", "-l", "-v", "-r", "-F", "-e", "/proc", "-e", "/sys", "-e", "/dev", "-e", "/selinux", "/"])
def apply(self, ksselinux):
if os.path.exists(self.path("/usr/sbin/lokkit")):
--
1.5.5.3
More information about the fedora-selinux-list
mailing list