Update documentation for - 28.14.17

Regenerate the documentation for the SELinux changes.

Related: rhbz#1645189
Brian C. Lane 2018-11-29 13:08:44 -08:00
parent 97b138c3d1
commit 32b3df0892
22 changed files with 56 additions and 57 deletions

Binary file not shown.

View File

@ -368,6 +368,8 @@
<span class="bp">self</span><span class="o">.</span><span class="n">init_file_logging</span><span class="p">(</span><span class="n">logdir</span><span class="p">)</span>
<span class="n">logger</span><span class="o">.</span><span class="n">debug</span><span class="p">(</span><span class="s2">&quot;version is </span><span class="si">%s</span><span class="s2">&quot;</span><span class="p">,</span> <span class="n">vernum</span><span class="p">)</span>
<span class="n">log_selinux_state</span><span class="p">()</span>
<span class="n">logger</span><span class="o">.</span><span class="n">debug</span><span class="p">(</span><span class="s2">&quot;using work directory </span><span class="si">%s</span><span class="s2">&quot;</span><span class="p">,</span> <span class="bp">self</span><span class="o">.</span><span class="n">workdir</span><span class="p">)</span>
<span class="n">logger</span><span class="o">.</span><span class="n">debug</span><span class="p">(</span><span class="s2">&quot;using log directory </span><span class="si">%s</span><span class="s2">&quot;</span><span class="p">,</span> <span class="n">logdir</span><span class="p">)</span>
@ -383,22 +385,6 @@
<span class="n">logger</span><span class="o">.</span><span class="n">critical</span><span class="p">(</span><span class="s2">&quot;no root privileges&quot;</span><span class="p">)</span>
<span class="n">sys</span><span class="o">.</span><span class="n">exit</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span>
<span class="c1"># is selinux disabled?</span>
<span class="c1"># With selinux in enforcing mode the rpcbind package required for</span>
<span class="c1"># dracut nfs module, which is in turn required by anaconda module,</span>
<span class="c1"># will not get installed, because it&#39;s preinstall scriptlet fails,</span>
<span class="c1"># resulting in an incomplete initial ramdisk image.</span>
<span class="c1"># The reason is that the scriptlet runs tools from the shadow-utils</span>
<span class="c1"># package in chroot, particularly groupadd and useradd to add the</span>
<span class="c1"># required rpc group and rpc user. This operation fails, because</span>
<span class="c1"># the selinux context on files in the chroot, that the shadow-utils</span>
<span class="c1"># tools need to access (/etc/group, /etc/passwd, /etc/shadow etc.),</span>
<span class="c1"># is wrong and selinux therefore disallows access to these files.</span>
<span class="n">logger</span><span class="o">.</span><span class="n">info</span><span class="p">(</span><span class="s2">&quot;checking the selinux mode&quot;</span><span class="p">)</span>
<span class="k">if</span> <span class="n">selinux</span><span class="o">.</span><span class="n">is_selinux_enabled</span><span class="p">()</span> <span class="ow">and</span> <span class="n">selinux</span><span class="o">.</span><span class="n">security_getenforce</span><span class="p">():</span>
<span class="n">logger</span><span class="o">.</span><span class="n">critical</span><span class="p">(</span><span class="s2">&quot;selinux must be disabled or in Permissive mode&quot;</span><span class="p">)</span>
<span class="n">sys</span><span class="o">.</span><span class="n">exit</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span>
<span class="c1"># do we have a proper dnf base object?</span>
<span class="n">logger</span><span class="o">.</span><span class="n">info</span><span class="p">(</span><span class="s2">&quot;checking dnf base object&quot;</span><span class="p">)</span>
<span class="k">if</span> <span class="ow">not</span> <span class="nb">isinstance</span><span class="p">(</span><span class="n">dbo</span><span class="p">,</span> <span class="n">dnf</span><span class="o">.</span><span class="n">Base</span><span class="p">):</span>
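Review bot: removing the Enforcing-mode exit also deletes the only written explanation of why Enforcing used to break the build (the rpcbind preinstall scriptlet running shadow-utils tools in the chroot against mislabelled /etc/passwd, /etc/group and /etc/shadow). If that failure mode has been fixed, a short comment in place of this block, or the commit that made the source change, should say what changed, so a future regression under Enforcing can be traced back; as it stands the new documentation note only says denials "should be reported as a bug". Note too that without this check a build on an Enforcing host that does hit a denial now fails later and less clearly, so the "selinux is enabled and in Enforcing mode" line written by log_selinux_state() at startup becomes the first thing to look for in a failed-build log.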
@ -610,6 +596,16 @@
<span class="k">except</span> <span class="ne">IndexError</span><span class="p">:</span>
<span class="k">pass</span>
<span class="k">return</span> <span class="n">templatedir</span></div>
<div class="viewcode-block" id="log_selinux_state"><a class="viewcode-back" href="../pylorax.html#pylorax.log_selinux_state">[docs]</a><span class="k">def</span> <span class="nf">log_selinux_state</span><span class="p">():</span>
<span class="sd">&quot;&quot;&quot;Log the current state of selinux&quot;&quot;&quot;</span>
<span class="k">if</span> <span class="n">selinux</span><span class="o">.</span><span class="n">is_selinux_enabled</span><span class="p">():</span>
<span class="k">if</span> <span class="n">selinux</span><span class="o">.</span><span class="n">security_getenforce</span><span class="p">():</span>
<span class="n">logger</span><span class="o">.</span><span class="n">info</span><span class="p">(</span><span class="s2">&quot;selinux is enabled and in Enforcing mode&quot;</span><span class="p">)</span>
<span class="k">else</span><span class="p">:</span>
<span class="n">logger</span><span class="o">.</span><span class="n">info</span><span class="p">(</span><span class="s2">&quot;selinux is enabled and in Permissive mode&quot;</span><span class="p">)</span>
<span class="k">else</span><span class="p">:</span>
<span class="n">logger</span><span class="o">.</span><span class="n">info</span><span class="p">(</span><span class="s2">&quot;selinux is Disabled&quot;</span><span class="p">)</span></div>
</pre></div>
</div>
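Review bot: the docstring "Log the current state of selinux" could say that the three messages are emitted at INFO level and are fixed strings intended to be quoted in bug reports, since that is the stated purpose of the new note in the docs. It would also help triage to log the loaded policy type alongside the mode (libselinux exposes it via selinux_getpolicytype()), because a denial reported against an Enforcing host is only actionable if the reporter's policy is known.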

View File

@ -267,20 +267,7 @@
<span class="k">else</span><span class="p">:</span>
<span class="n">fssize</span> <span class="o">=</span> <span class="kc">None</span> <span class="c1"># Let mkext4img figure out the needed size</span>
<span class="n">mkext4img</span><span class="p">(</span><span class="n">rootdir</span><span class="p">,</span> <span class="n">outfile</span><span class="p">,</span> <span class="n">label</span><span class="o">=</span><span class="n">label</span><span class="p">,</span> <span class="n">size</span><span class="o">=</span><span class="n">fssize</span><span class="p">)</span>
<span class="c1"># Reset selinux context on new rootfs</span>
<span class="k">with</span> <span class="n">LoopDev</span><span class="p">(</span><span class="n">outfile</span><span class="p">)</span> <span class="k">as</span> <span class="n">loopdev</span><span class="p">:</span>
<span class="k">with</span> <span class="n">Mount</span><span class="p">(</span><span class="n">loopdev</span><span class="p">)</span> <span class="k">as</span> <span class="n">mnt</span><span class="p">:</span>
<span class="n">cmd</span> <span class="o">=</span> <span class="p">[</span> <span class="s2">&quot;setfiles&quot;</span><span class="p">,</span> <span class="s2">&quot;-e&quot;</span><span class="p">,</span> <span class="s2">&quot;/proc&quot;</span><span class="p">,</span> <span class="s2">&quot;-e&quot;</span><span class="p">,</span> <span class="s2">&quot;/sys&quot;</span><span class="p">,</span> <span class="s2">&quot;-e&quot;</span><span class="p">,</span> <span class="s2">&quot;/dev&quot;</span><span class="p">,</span>
<span class="s2">&quot;-e&quot;</span><span class="p">,</span> <span class="s2">&quot;/install&quot;</span><span class="p">,</span> <span class="s2">&quot;-e&quot;</span><span class="p">,</span> <span class="s2">&quot;/ostree&quot;</span><span class="p">,</span>
<span class="s2">&quot;/etc/selinux/targeted/contexts/files/file_contexts&quot;</span><span class="p">,</span> <span class="s2">&quot;/&quot;</span><span class="p">]</span>
<span class="n">root</span> <span class="o">=</span> <span class="n">join</span><span class="p">(</span><span class="n">mnt</span><span class="p">,</span> <span class="n">sysroot</span><span class="o">.</span><span class="n">lstrip</span><span class="p">(</span><span class="s2">&quot;/&quot;</span><span class="p">))</span>
<span class="k">try</span><span class="p">:</span>
<span class="n">runcmd</span><span class="p">(</span><span class="n">cmd</span><span class="p">,</span> <span class="n">root</span><span class="o">=</span><span class="n">root</span><span class="p">)</span>
<span class="k">except</span> <span class="n">CalledProcessError</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span>
<span class="n">logger</span><span class="o">.</span><span class="n">error</span><span class="p">(</span><span class="s2">&quot;setfiles exited with a non-zero return code (</span><span class="si">%d</span><span class="s2">) which may &quot;</span>
<span class="s2">&quot;be caused by running without SELinux in Permissive mode.&quot;</span><span class="p">,</span> <span class="n">e</span><span class="o">.</span><span class="n">returncode</span><span class="p">)</span>
<span class="k">raise</span></div>
<span class="n">mkext4img</span><span class="p">(</span><span class="n">rootdir</span><span class="p">,</span> <span class="n">outfile</span><span class="p">,</span> <span class="n">label</span><span class="o">=</span><span class="n">label</span><span class="p">,</span> <span class="n">size</span><span class="o">=</span><span class="n">fssize</span><span class="p">)</span></div>
<span class="c1">######## Utility functions ###############################################</span>
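Review bot: this hunk drops the post-mkext4img setfiles relabel, its /proc, /sys, /dev, /install and /ostree exclusions, and the error handler outright rather than making it conditional, and nothing in the regenerated docs says what now guarantees correct labels inside the rootfs image. The removed error text ("may be caused by running without SELinux in Permissive mode") was also the only hint that relabeling under Enforcing was the previous problem. The docs, or the source commit, should state how the image's file contexts are now set, so a user whose image boots with wrong contexts can tell a regression from a local misconfiguration.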

View File

@ -192,10 +192,7 @@ install. There are a couple of things to keep in mind when doing this:
running under you may encounter strange bugs if you try to build newer or
older releases.
2. Make sure selinux is set to permissive or disabled. It won't install
correctly with selinux set to enforcing yet.
3. It may totally trash your host. So far I haven't had this happen, but the
2. It may totally trash your host. So far I haven't had this happen, but the
possibility exists that a bug in Anaconda could result in it operating on
real devices. I recommend running it in a virt or on a system that you can
afford to lose all data from.
@ -213,6 +210,10 @@ Example cmdline:
or UEFI). You can create BIOS partitioned disk images on UEFI by using
virt.
.. note::
As of version 30.7 SELinux can be set to Enforcing. The current state is
logged for debugging purposes and if there are SELinux denials they should
be reported as a bug.
AMI Images
----------
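Review bot: the note says "As of version 30.7", but this commit and the man pages in the same diff carry version 28.14.17 (see the .TH lines), so a reader of the 28.x documentation cannot tell whether Enforcing is supported in the release they have. Either name the version that actually ships the change for this branch, or phrase the note in terms of behaviour ("lorax no longer exits when SELinux is Enforcing") so it stays correct across branches.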

View File

@ -16,15 +16,16 @@ installation and configuration of the images.
Important Things To Note
------------------------
* SELinux must be in Permissive mode. Anaconda requires SELinux be in permissive mode
for image creation to work correctly. You can either edit the setting in the
``/etc/sysconfig/selinux`` file, or run ``setenforce 0`` before starting lorax-composer.
* As of version 30.7 SELinux can be set to Enforcing. The current state is
logged for debugging purposes and if there are SELinux denials they should
be reported as a bug.
* All image types lock the root account, except for live-iso. You will need to either
use one of the `Customizations`_ methods for setting a ssh key/password, install a
package that creates a user, or use something like `cloud-init` to setup access at
boot time.
Installation
------------
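Review bot: the removed bullet told the user concretely how to change the mode (edit /etc/sysconfig/selinux or run setenforce 0); the replacement says denials should be reported as a bug but not what a useful report contains. Suggest adding one sentence asking reporters to attach the AVC messages from the audit log (for example the output of ausearch -m AVC -ts recent) together with the "selinux is enabled and in ... mode" line from the lorax-composer log, so the denial can be matched to the policy and mode in use.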
@ -69,7 +70,6 @@ Security
Some security related issues that you should be aware of before running ``lorax-composer``:
* One of the API server threads needs to retain root privileges in order to run Anaconda.
* SELinux must be set to Permissive or disabled to allow ``livemedia-creator`` to run Anaconda.
* Only allow authorized users access to the ``weldr`` group and socket.
Since Anaconda kickstarts are used there is the possibility that a user could
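Review bot: with the Permissive requirement gone, the Security section no longer mentions SELinux at all, while the remaining bullets describe a thread that retains root privileges and a socket that must be restricted to the weldr group. It would be worth stating positively that running with SELinux in Enforcing mode is now supported and is the recommended configuration for this service, rather than leaving the reader to infer it from the absence of the old bullet.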

View File

@ -527,6 +527,8 @@
<li><a href="pylorax.html#pylorax.ltmpl.LoraxTemplateRunner.log">log() (pylorax.ltmpl.LoraxTemplateRunner method)</a>
</li>
<li><a href="pylorax.html#pylorax.monitor.LogServer.log_check">log_check() (pylorax.monitor.LogServer method)</a>
</li>
<li><a href="pylorax.html#pylorax.log_selinux_state">log_selinux_state() (in module pylorax)</a>
</li>
<li><a href="pylorax.html#pylorax.monitor.LogMonitor">LogMonitor (class in pylorax.monitor)</a>
</li>

View File

@ -725,8 +725,6 @@ install. There are a couple of things to keep in mind when doing this:</p>
host is running. Because Anaconda has expectations about the system it is
running under you may encounter strange bugs if you try to build newer or
older releases.</li>
<li>Make sure selinux is set to permissive or disabled. It wont install
correctly with selinux set to enforcing yet.</li>
<li>It may totally trash your host. So far I havent had this happen, but the
possibility exists that a bug in Anaconda could result in it operating on
real devices. I recommend running it in a virt or on a system that you can
@ -743,6 +741,12 @@ the current directory or in the directory used for logfile</p>
or UEFI). You can create BIOS partitioned disk images on UEFI by using
virt.</p>
</div>
<div class="admonition note">
<p class="first admonition-title">Note</p>
<p class="last">As of version 30.7 SELinux can be set to Enforcing. The current state is
logged for debugging purposes and if there are SELinux denials they should
be reported as a bug.</p>
</div>
</div>
<div class="section" id="ami-images">
<h2>AMI Images<a class="headerlink" href="#ami-images" title="Permalink to this headline"></a></h2>

View File

@ -208,9 +208,9 @@ installation and configuration of the images.</p>
<div class="section" id="important-things-to-note">
<h2>Important Things To Note<a class="headerlink" href="#important-things-to-note" title="Permalink to this headline"></a></h2>
<ul class="simple">
<li>SELinux must be in Permissive mode. Anaconda requires SELinux be in permissive mode
for image creation to work correctly. You can either edit the setting in the
<code class="docutils literal notranslate"><span class="pre">/etc/sysconfig/selinux</span></code> file, or run <code class="docutils literal notranslate"><span class="pre">setenforce</span> <span class="pre">0</span></code> before starting lorax-composer.</li>
<li>As of version 30.7 SELinux can be set to Enforcing. The current state is
logged for debugging purposes and if there are SELinux denials they should
be reported as a bug.</li>
<li>All image types lock the root account, except for live-iso. You will need to either
use one of the <a class="reference internal" href="#customizations">Customizations</a> methods for setting a ssh key/password, install a
package that creates a user, or use something like <cite>cloud-init</cite> to setup access at
@ -257,7 +257,6 @@ messages as well as extra debugging info and API requests.</p>
<p>Some security related issues that you should be aware of before running <code class="docutils literal notranslate"><span class="pre">lorax-composer</span></code>:</p>
<ul class="simple">
<li>One of the API server threads needs to retain root privileges in order to run Anaconda.</li>
<li>SELinux must be set to Permissive or disabled to allow <code class="docutils literal notranslate"><span class="pre">livemedia-creator</span></code> to run Anaconda.</li>
<li>Only allow authorized users access to the <code class="docutils literal notranslate"><span class="pre">weldr</span></code> group and socket.</li>
</ul>
<p>Since Anaconda kickstarts are used there is the possibility that a user could

Binary file not shown.

View File

@ -2191,6 +2191,12 @@ lowest numbered directory entry is returned.</p>
<code class="descclassname">pylorax.</code><code class="descname">get_buildarch</code><span class="sig-paren">(</span><em>dbo</em><span class="sig-paren">)</span><a class="reference internal" href="_modules/pylorax.html#get_buildarch"><span class="viewcode-link">[source]</span></a><a class="headerlink" href="#pylorax.get_buildarch" title="Permalink to this definition"></a></dt>
<dd></dd></dl>
<dl class="function">
<dt id="pylorax.log_selinux_state">
<code class="descclassname">pylorax.</code><code class="descname">log_selinux_state</code><span class="sig-paren">(</span><span class="sig-paren">)</span><a class="reference internal" href="_modules/pylorax.html#log_selinux_state"><span class="viewcode-link">[source]</span></a><a class="headerlink" href="#pylorax.log_selinux_state" title="Permalink to this definition"></a></dt>
<dd><p>Log the current state of selinux</p>
</dd></dl>
<dl class="function">
<dt id="pylorax.setup_logging">
<code class="descclassname">pylorax.</code><code class="descname">setup_logging</code><span class="sig-paren">(</span><em>logfile</em>, <em>theLogger</em><span class="sig-paren">)</span><a class="reference internal" href="_modules/pylorax.html#setup_logging"><span class="viewcode-link">[source]</span></a><a class="headerlink" href="#pylorax.setup_logging" title="Permalink to this definition"></a></dt>

File diff suppressed because one or more lines are too long

Binary file not shown.

View File

@ -1,6 +1,6 @@
.\" Man page generated from reStructuredText.
.
.TH "COMPOSER-CLI" "1" "Nov 27, 2018" "28.14.17" "Lorax"
.TH "COMPOSER-CLI" "1" "Nov 29, 2018" "28.14.17" "Lorax"
.SH NAME
composer-cli \- Composer Cmdline Utility Documentation
.

View File

@ -1,6 +1,6 @@
.\" Man page generated from reStructuredText.
.
.TH "LIVEMEDIA-CREATOR" "1" "Nov 27, 2018" "28.14.17" "Lorax"
.TH "LIVEMEDIA-CREATOR" "1" "Nov 29, 2018" "28.14.17" "Lorax"
.SH NAME
livemedia-creator \- Live Media Creator Documentation
.
@ -573,9 +573,6 @@ host is running. Because Anaconda has expectations about the system it is
running under you may encounter strange bugs if you try to build newer or
older releases.
.IP 2. 3
Make sure selinux is set to permissive or disabled. It won\(aqt install
correctly with selinux set to enforcing yet.
.IP 3. 3
It may totally trash your host. So far I haven\(aqt had this happen, but the
possibility exists that a bug in Anaconda could result in it operating on
real devices. I recommend running it in a virt or on a system that you can
@ -598,6 +595,15 @@ or UEFI). You can create BIOS partitioned disk images on UEFI by using
virt.
.UNINDENT
.UNINDENT
.sp
\fBNOTE:\fP
.INDENT 0.0
.INDENT 3.5
As of version 30.7 SELinux can be set to Enforcing. The current state is
logged for debugging purposes and if there are SELinux denials they should
be reported as a bug.
.UNINDENT
.UNINDENT
.SH AMI IMAGES
.sp
Amazon EC2 images can be created by using the \-\-make\-ami switch and an appropriate

View File

@ -1,6 +1,6 @@
.\" Man page generated from reStructuredText.
.
.TH "LORAX-COMPOSER" "1" "Nov 27, 2018" "28.14.17" "Lorax"
.TH "LORAX-COMPOSER" "1" "Nov 29, 2018" "28.14.17" "Lorax"
.SH NAME
lorax-composer \- Lorax Composer Documentation
.
@ -47,9 +47,9 @@ installation and configuration of the images.
.SH IMPORTANT THINGS TO NOTE
.INDENT 0.0
.IP \(bu 2
SELinux must be in Permissive mode. Anaconda requires SELinux be in permissive mode
for image creation to work correctly. You can either edit the setting in the
\fB/etc/sysconfig/selinux\fP file, or run \fBsetenforce 0\fP before starting lorax\-composer.
As of version 30.7 SELinux can be set to Enforcing. The current state is
logged for debugging purposes and if there are SELinux denials they should
be reported as a bug.
.IP \(bu 2
All image types lock the root account, except for live\-iso. You will need to either
use one of the \fI\%Customizations\fP methods for setting a ssh key/password, install a
@ -99,8 +99,6 @@ Some security related issues that you should be aware of before running \fBlorax
.IP \(bu 2
One of the API server threads needs to retain root privileges in order to run Anaconda.
.IP \(bu 2
SELinux must be set to Permissive or disabled to allow \fBlivemedia\-creator\fP to run Anaconda.
.IP \(bu 2
Only allow authorized users access to the \fBweldr\fP group and socket.
.UNINDENT
.sp

View File

@ -1,6 +1,6 @@
.\" Man page generated from reStructuredText.
.
.TH "LORAX" "1" "Nov 27, 2018" "28.14.17" "Lorax"
.TH "LORAX" "1" "Nov 29, 2018" "28.14.17" "Lorax"
.SH NAME
lorax \- Lorax Documentation
.