Re: [Ovirt-devel] [PATCH ovirt-node-image] do not require SELinux build host if disabled in kickstart



Alan Pevec <apevec redhat com> wrote:

> Signed-off-by: Alan Pevec <apevec redhat com>
> ---
>  ovirt-node-image.spec.in |   18 +++++++++++++-----
>  1 files changed, 13 insertions(+), 5 deletions(-)
>
> diff --git a/ovirt-node-image.spec.in b/ovirt-node-image.spec.in
> index 6483fe4..838ff43 100644
> --- a/ovirt-node-image.spec.in
> +++ b/ovirt-node-image.spec.in
> @@ -59,15 +59,23 @@ mkdir -p %{ovirt_cache_dir}/node-image-tmp
>  mkdir -p %{ovirt_cache_dir}/yum
>
>  sudo su - -c "cd $(pwd) &&
> -              case $(cat /selinux/enforce 2>/dev/null) in
> -                  1) enforcing=1 ; setenforce 0 ;;
> -                  0) enforcing=0 ;;
> -                  *) echo SELinux must be enabled; exit 1 ;;
> +              enforcing=$(cat /selinux/enforce 2>/dev/null)
> +              case x\$enforcing in
> +                  x1) setenforce 0 ;;
> +                  x0) ;;
> +                   *) if ksflatten %{name}.ks 2>/dev/null \
> +                        | grep -q 'selinux --disabled'; then

Probably won't ever matter, but...
you could add '^[[:space:]]', in case there's ever leading spaces,
it's #-commented (if ksflatten doesn't eliminate those), or that string
happens to occur within some other construct, like a grep argument ;-)

             | grep -q '^[[:space:]]*selinux[[:space:]]*--disabled'; then

> +                        echo WARNING: SELinux disabled in kickstart
> +                      else
> +                        echo ERROR: SELinux enabled in kickstart, \
> +                             but disabled on the build machine
> +                        exit 1
> +                      fi ;;
>                esac
>                livecd-creator --skip-minimize -c %{name}.ks -f %{name} \
>                 --tmpdir='%{ovirt_cache_dir}/node-image-tmp' \
>                 --cache='%{ovirt_cache_dir}/yum'
> -              setenforce \$enforcing"
> +              setenforce \$enforcing 2>/dev/null"
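
Review bot: On the final `setenforce \$enforcing 2>/dev/null` line, $enforcing is empty when the build host has SELinux disabled and the kickstart matched 'selinux --disabled'. In that case setenforce runs with no argument and its error is hidden. Because it is the last command in the quoted string, its non-zero status becomes the result of the whole `sudo su - -c` invocation, and livecd-creator's own exit status is discarded in every case. Suggest capturing livecd-creator's status (for example `rc=\$?`), restoring enforcement with `if test x\$enforcing = x1; then setenforce 1; fi`, and finishing with `exit \$rc`. Separately, in the `*)` branch, if `ksflatten %{name}.ks 2>/dev/null` fails for any reason, grep sees no input and the script prints "ERROR: SELinux enabled in kickstart", which misreports the cause. Checking ksflatten's result before the grep would keep that message accurate.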

I'd prefer not to discard setenforce diagnostics, and to run it only
if necessary, so how about invoking it only when $enforcing is 1 ?

              test x\$enforcing = x1 && setenforce 1"
