Remove SELinux Permissive checks

Anaconda, Lorax, lorax-composer, and livemedia-creator can all now run
with SELinux in Enforcing mode. It does not need to be disabled and if
there are denials they should be reported as a bug.

Log the current state of SELinux when starting, update the
documentation.

(cherry picked from commit 35b8957f12)
This commit is contained in:
Brian C. Lane 2018-11-13 09:50:05 -08:00
parent 43ff505804
commit 080705e8e6
6 changed files with 27 additions and 41 deletions

View File

@ -208,10 +208,7 @@ install. There are a couple of things to keep in mind when doing this:
running under you may encounter strange bugs if you try to build newer or running under you may encounter strange bugs if you try to build newer or
older releases. older releases.
2. Make sure selinux is set to permissive or disabled. It won't install 2. It may totally trash your host. So far I haven't had this happen, but the
correctly with selinux set to enforcing yet.
3. It may totally trash your host. So far I haven't had this happen, but the
possibility exists that a bug in Anaconda could result in it operating on possibility exists that a bug in Anaconda could result in it operating on
real devices. I recommend running it in a virt or on a system that you can real devices. I recommend running it in a virt or on a system that you can
afford to lose all data from. afford to lose all data from.
@ -229,6 +226,10 @@ Example cmdline:
or UEFI). You can create BIOS partitioned disk images on UEFI by using or UEFI). You can create BIOS partitioned disk images on UEFI by using
virt. virt.
.. note::
As of version 30.7 SELinux can be set to Enforcing. The current state is
logged for debugging purposes and if there are SELinux denials they should
be reported as a bug.
AMI Images AMI Images
---------- ----------

View File

@ -16,15 +16,16 @@ installation and configuration of the images.
Important Things To Note Important Things To Note
------------------------ ------------------------
* SELinux must be in Permissive mode. Anaconda requires SELinux be in permissive mode * As of version 30.7 SELinux can be set to Enforcing. The current state is
for image creation to work correctly. You can either edit the setting in the logged for debugging purposes and if there are SELinux denials they should
``/etc/sysconfig/selinux`` file, or run ``setenforce 0`` before starting lorax-composer. be reported as a bug.
* All image types lock the root account, except for live-iso. You will need to either * All image types lock the root account, except for live-iso. You will need to either
use one of the `Customizations`_ methods for setting a ssh key/password, install a use one of the `Customizations`_ methods for setting a ssh key/password, install a
package that creates a user, or use something like `cloud-init` to setup access at package that creates a user, or use something like `cloud-init` to setup access at
boot time. boot time.
Installation Installation
------------ ------------
@ -75,7 +76,6 @@ Security
Some security related issues that you should be aware of before running ``lorax-composer``: Some security related issues that you should be aware of before running ``lorax-composer``:
* One of the API server threads needs to retain root privileges in order to run Anaconda. * One of the API server threads needs to retain root privileges in order to run Anaconda.
* SELinux must be set to Permissive or disabled to allow ``livemedia-creator`` to run Anaconda.
* Only allow authorized users access to the ``weldr`` group and socket. * Only allow authorized users access to the ``weldr`` group and socket.
Since Anaconda kickstarts are used there is the possibility that a user could Since Anaconda kickstarts are used there is the possibility that a user could

View File

@ -214,6 +214,8 @@ class Lorax(BaseLoraxClass):
self.init_file_logging(logdir) self.init_file_logging(logdir)
logger.debug("version is %s", vernum) logger.debug("version is %s", vernum)
log_selinux_state()
logger.debug("using work directory %s", self.workdir) logger.debug("using work directory %s", self.workdir)
logger.debug("using log directory %s", logdir) logger.debug("using log directory %s", logdir)
@ -229,22 +231,6 @@ class Lorax(BaseLoraxClass):
logger.critical("no root privileges") logger.critical("no root privileges")
sys.exit(1) sys.exit(1)
# is selinux disabled?
# With selinux in enforcing mode the rpcbind package required for
# dracut nfs module, which is in turn required by anaconda module,
# will not get installed, because it's preinstall scriptlet fails,
# resulting in an incomplete initial ramdisk image.
# The reason is that the scriptlet runs tools from the shadow-utils
# package in chroot, particularly groupadd and useradd to add the
# required rpc group and rpc user. This operation fails, because
# the selinux context on files in the chroot, that the shadow-utils
# tools need to access (/etc/group, /etc/passwd, /etc/shadow etc.),
# is wrong and selinux therefore disallows access to these files.
logger.info("checking the selinux mode")
if selinux.is_selinux_enabled() and selinux.security_getenforce():
logger.critical("selinux must be disabled or in Permissive mode")
sys.exit(1)
# do we have a proper dnf base object? # do we have a proper dnf base object?
logger.info("checking dnf base object") logger.info("checking dnf base object")
if not isinstance(dbo, dnf.Base): if not isinstance(dbo, dnf.Base):
@ -456,3 +442,13 @@ def find_templates(templatedir="/usr/share/lorax"):
except IndexError: except IndexError:
pass pass
return templatedir return templatedir
def log_selinux_state():
"""Log the current state of selinux"""
if selinux.is_selinux_enabled():
if selinux.security_getenforce():
logger.info("selinux is enabled and in Enforcing mode")
else:
logger.info("selinux is enabled and in Permissive mode")
else:
logger.info("selinux is Disabled")

View File

@ -22,12 +22,11 @@ log = logging.getLogger("livemedia-creator")
import glob import glob
import os import os
import selinux
import sys import sys
import tempfile import tempfile
# Use the Lorax treebuilder branch for iso creation # Use the Lorax treebuilder branch for iso creation
from pylorax import setup_logging, find_templates, vernum from pylorax import setup_logging, find_templates, vernum, log_selinux_state
from pylorax.cmdline import lmc_parser from pylorax.cmdline import lmc_parser
from pylorax.creator import run_creator, DRACUT_DEFAULT from pylorax.creator import run_creator, DRACUT_DEFAULT
from pylorax.imgutils import default_image_name from pylorax.imgutils import default_image_name
@ -43,6 +42,7 @@ def main():
log.debug( opts ) log.debug( opts )
log.info("livemedia-creator v%s", vernum) log.info("livemedia-creator v%s", vernum)
log_selinux_state()
# Find the lorax templates # Find the lorax templates
opts.lorax_templates = find_templates(opts.lorax_templates or "/usr/share/lorax") opts.lorax_templates = find_templates(opts.lorax_templates or "/usr/share/lorax")
@ -91,10 +91,6 @@ def main():
and not os.path.exists("/usr/sbin/anaconda"): and not os.path.exists("/usr/sbin/anaconda"):
errors.append("no-virt requires anaconda to be installed.") errors.append("no-virt requires anaconda to be installed.")
if is_install and opts.no_virt:
if selinux.is_selinux_enabled() and selinux.security_getenforce():
errors.append("selinux must be disabled or in Permissive mode.")
if opts.make_appliance and not opts.app_template: if opts.make_appliance and not opts.app_template:
opts.app_template = joinpaths(opts.lorax_templates, opts.app_template = joinpaths(opts.lorax_templates,
"appliance/libvirt.tmpl") "appliance/libvirt.tmpl")

View File

@ -33,10 +33,9 @@ import dnf
import dnf.logging import dnf.logging
import librepo import librepo
import pylorax import pylorax
from pylorax import DRACUT_DEFAULT from pylorax import DRACUT_DEFAULT, log_selinux_state
from pylorax.cmdline import lorax_parser from pylorax.cmdline import lorax_parser
from pylorax.dnfbase import get_dnf_base_object from pylorax.dnfbase import get_dnf_base_object
import selinux
def setup_logging(opts): def setup_logging(opts):
pylorax.setup_logging(opts.logfile, log) pylorax.setup_logging(opts.logfile, log)
@ -74,10 +73,7 @@ def main():
setup_logging(opts) setup_logging(opts)
log.info("checking the selinux mode") log_selinux_state()
if selinux.is_selinux_enabled() and selinux.security_getenforce():
log.critical("selinux must be disabled or in Permissive mode")
sys.exit(1)
if not opts.workdir: if not opts.workdir:
tempfile.tempdir = opts.tmp tempfile.tempdir = opts.tmp

View File

@ -27,7 +27,6 @@ dnf_log = logging.getLogger("dnf")
import grp import grp
import os import os
import pwd import pwd
import selinux
import sys import sys
import subprocess import subprocess
import tempfile import tempfile
@ -35,7 +34,7 @@ from threading import Lock
from gevent import socket from gevent import socket
from gevent.pywsgi import WSGIServer from gevent.pywsgi import WSGIServer
from pylorax import vernum from pylorax import vernum, log_selinux_state
from pylorax.api.cmdline import lorax_composer_parser from pylorax.api.cmdline import lorax_composer_parser
from pylorax.api.config import configure, make_dnf_dirs, make_queue_dirs, make_owned_dir from pylorax.api.config import configure, make_dnf_dirs, make_queue_dirs, make_owned_dir
from pylorax.api.compose import test_templates from pylorax.api.compose import test_templates
@ -134,6 +133,7 @@ if __name__ == '__main__':
os.makedirs(logpath) os.makedirs(logpath)
setup_logging(opts.logfile) setup_logging(opts.logfile)
log.debug("opts=%s", opts) log.debug("opts=%s", opts)
log_selinux_state()
if not make_pidfile(): if not make_pidfile():
log.error("PID file exists, lorax-composer already running. Quitting.") log.error("PID file exists, lorax-composer already running. Quitting.")
@ -152,9 +152,6 @@ if __name__ == '__main__':
except KeyError: except KeyError:
errors.append("Missing group '%s'" % opts.group) errors.append("Missing group '%s'" % opts.group)
if selinux.is_selinux_enabled() and selinux.security_getenforce():
errors.append("selinux must be disabled or in Permissive mode.")
# No point in continuing if there are uid or gid errors # No point in continuing if there are uid or gid errors
if errors: if errors:
for e in errors: for e in errors: