From 14fb4a9156c398f1afa0037361efbb53fbe98d2e Mon Sep 17 00:00:00 2001 From: "Brian C. Lane" Date: Tue, 13 Nov 2018 09:50:05 -0800 Subject: [PATCH] Remove SELinux Permissive checks Anaconda, Lorax, lorax-composer, and livemedia-creator can all now run with SELinux in Enforcing mode. It does not need to be disabled and if there are denials they should be reported as a bug. Log the current state of SELinux when starting, update the documentation. Resolves: rhbz#1645189 --- docs/livemedia-creator.rst | 9 +++++---- docs/lorax-composer.rst | 8 ++++---- src/pylorax/__init__.py | 28 ++++++++++++---------------- src/sbin/livemedia-creator | 8 ++------ src/sbin/lorax | 8 ++------ src/sbin/lorax-composer | 7 ++----- 6 files changed, 27 insertions(+), 41 deletions(-) diff --git a/docs/livemedia-creator.rst b/docs/livemedia-creator.rst index d3805952..0d76795f 100644 --- a/docs/livemedia-creator.rst +++ b/docs/livemedia-creator.rst @@ -192,10 +192,7 @@ install. There are a couple of things to keep in mind when doing this: running under you may encounter strange bugs if you try to build newer or older releases. -2. Make sure selinux is set to permissive or disabled. It won't install - correctly with selinux set to enforcing yet. - -3. It may totally trash your host. So far I haven't had this happen, but the +2. It may totally trash your host. So far I haven't had this happen, but the possibility exists that a bug in Anaconda could result in it operating on real devices. I recommend running it in a virt or on a system that you can afford to lose all data from. @@ -213,6 +210,10 @@ Example cmdline: or UEFI). You can create BIOS partitioned disk images on UEFI by using virt. +.. note:: + As of version 30.7 SELinux can be set to Enforcing. The current state is + logged for debugging purposes and if there are SELinux denials they should + be reported as a bug. AMI Images ---------- diff --git a/docs/lorax-composer.rst b/docs/lorax-composer.rst index 0a9df447..c743ed5b 100644 --- a/docs/lorax-composer.rst +++ b/docs/lorax-composer.rst @@ -16,15 +16,16 @@ installation and configuration of the images. Important Things To Note ------------------------ -* SELinux must be in Permissive mode. Anaconda requires SELinux be in permissive mode - for image creation to work correctly. You can either edit the setting in the - ``/etc/sysconfig/selinux`` file, or run ``setenforce 0`` before starting lorax-composer. +* As of version 30.7 SELinux can be set to Enforcing. The current state is + logged for debugging purposes and if there are SELinux denials they should + be reported as a bug. * All image types lock the root account, except for live-iso. You will need to either use one of the `Customizations`_ methods for setting a ssh key/password, install a package that creates a user, or use something like `cloud-init` to setup access at boot time. + Installation ------------ @@ -69,7 +70,6 @@ Security Some security related issues that you should be aware of before running ``lorax-composer``: * One of the API server threads needs to retain root privileges in order to run Anaconda. -* SELinux must be set to Permissive or disabled to allow ``livemedia-creator`` to run Anaconda. * Only allow authorized users access to the ``weldr`` group and socket. Since Anaconda kickstarts are used there is the possibility that a user could diff --git a/src/pylorax/__init__.py b/src/pylorax/__init__.py index dd0fa6db..acc4e5f4 100644 --- a/src/pylorax/__init__.py +++ b/src/pylorax/__init__.py @@ -214,6 +214,8 @@ class Lorax(BaseLoraxClass): self.init_file_logging(logdir) logger.debug("version is %s", vernum) + log_selinux_state() + logger.debug("using work directory %s", self.workdir) logger.debug("using log directory %s", logdir) @@ -229,22 +231,6 @@ class Lorax(BaseLoraxClass): logger.critical("no root privileges") sys.exit(1) - # is selinux disabled? - # With selinux in enforcing mode the rpcbind package required for - # dracut nfs module, which is in turn required by anaconda module, - # will not get installed, because it's preinstall scriptlet fails, - # resulting in an incomplete initial ramdisk image. - # The reason is that the scriptlet runs tools from the shadow-utils - # package in chroot, particularly groupadd and useradd to add the - # required rpc group and rpc user. This operation fails, because - # the selinux context on files in the chroot, that the shadow-utils - # tools need to access (/etc/group, /etc/passwd, /etc/shadow etc.), - # is wrong and selinux therefore disallows access to these files. - logger.info("checking the selinux mode") - if selinux.is_selinux_enabled() and selinux.security_getenforce(): - logger.critical("selinux must be disabled or in Permissive mode") - sys.exit(1) - # do we have a proper dnf base object? logger.info("checking dnf base object") if not isinstance(dbo, dnf.Base): @@ -456,3 +442,13 @@ def find_templates(templatedir="/usr/share/lorax"): except IndexError: pass return templatedir + +def log_selinux_state(): + """Log the current state of selinux""" + if selinux.is_selinux_enabled(): + if selinux.security_getenforce(): + logger.info("selinux is enabled and in Enforcing mode") + else: + logger.info("selinux is enabled and in Permissive mode") + else: + logger.info("selinux is Disabled") diff --git a/src/sbin/livemedia-creator b/src/sbin/livemedia-creator index e987132c..c7e242c5 100755 --- a/src/sbin/livemedia-creator +++ b/src/sbin/livemedia-creator @@ -22,12 +22,11 @@ log = logging.getLogger("livemedia-creator") import glob import os -import selinux import sys import tempfile # Use the Lorax treebuilder branch for iso creation -from pylorax import setup_logging, find_templates, vernum +from pylorax import setup_logging, find_templates, vernum, log_selinux_state from pylorax.cmdline import lmc_parser from pylorax.creator import run_creator, DRACUT_DEFAULT from pylorax.imgutils import default_image_name @@ -43,6 +42,7 @@ def main(): log.debug( opts ) log.info("livemedia-creator v%s", vernum) + log_selinux_state() # Find the lorax templates opts.lorax_templates = find_templates(opts.lorax_templates or "/usr/share/lorax") @@ -91,10 +91,6 @@ def main(): and not os.path.exists("/usr/sbin/anaconda"): errors.append("no-virt requires anaconda to be installed.") - if is_install and opts.no_virt: - if selinux.is_selinux_enabled() and selinux.security_getenforce(): - errors.append("selinux must be disabled or in Permissive mode.") - if opts.make_appliance and not opts.app_template: opts.app_template = joinpaths(opts.lorax_templates, "appliance/libvirt.tmpl") diff --git a/src/sbin/lorax b/src/sbin/lorax index 3fcea1bd..fbd63554 100755 --- a/src/sbin/lorax +++ b/src/sbin/lorax @@ -33,10 +33,9 @@ import dnf import dnf.logging import librepo import pylorax -from pylorax import DRACUT_DEFAULT, DEFAULT_PLATFORM_ID +from pylorax import DRACUT_DEFAULT, DEFAULT_PLATFORM_ID, log_selinux_state from pylorax.cmdline import lorax_parser from pylorax.sysutils import flatconfig -import selinux def setup_logging(opts): pylorax.setup_logging(opts.logfile, log) @@ -74,10 +73,7 @@ def main(): setup_logging(opts) - log.info("checking the selinux mode") - if selinux.is_selinux_enabled() and selinux.security_getenforce(): - log.critical("selinux must be disabled or in Permissive mode") - sys.exit(1) + log_selinux_state() if not opts.workdir: tempfile.tempdir = opts.tmp diff --git a/src/sbin/lorax-composer b/src/sbin/lorax-composer index e68a232b..b695d763 100755 --- a/src/sbin/lorax-composer +++ b/src/sbin/lorax-composer @@ -27,7 +27,6 @@ dnf_log = logging.getLogger("dnf") import grp import os import pwd -import selinux import sys import subprocess import tempfile @@ -35,7 +34,7 @@ from threading import Lock from gevent import socket from gevent.pywsgi import WSGIServer -from pylorax import vernum +from pylorax import vernum, log_selinux_state from pylorax.api.cmdline import lorax_composer_parser from pylorax.api.config import configure, make_dnf_dirs, make_queue_dirs from pylorax.api.compose import test_templates @@ -134,6 +133,7 @@ if __name__ == '__main__': os.makedirs(logpath) setup_logging(opts.logfile) log.debug("opts=%s", opts) + log_selinux_state() if not make_pidfile(): log.error("PID file exists, lorax-composer already running. Quitting.") @@ -152,9 +152,6 @@ if __name__ == '__main__': except KeyError: errors.append("Missing group '%s'" % opts.group) - if selinux.is_selinux_enabled() and selinux.security_getenforce(): - errors.append("selinux must be disabled or in Permissive mode.") - # No point in continuing if there are uid or gid errors if errors: for e in errors: