Update documentation for - 28.14.17
Regenerate the documentation for the SELinux changes. Related: rhbz#1645189
This commit is contained in:
parent
97b138c3d1
commit
32b3df0892
@ -368,6 +368,8 @@
|
||||
<span class="bp">self</span><span class="o">.</span><span class="n">init_file_logging</span><span class="p">(</span><span class="n">logdir</span><span class="p">)</span>
|
||||
|
||||
<span class="n">logger</span><span class="o">.</span><span class="n">debug</span><span class="p">(</span><span class="s2">"version is </span><span class="si">%s</span><span class="s2">"</span><span class="p">,</span> <span class="n">vernum</span><span class="p">)</span>
|
||||
<span class="n">log_selinux_state</span><span class="p">()</span>
|
||||
|
||||
<span class="n">logger</span><span class="o">.</span><span class="n">debug</span><span class="p">(</span><span class="s2">"using work directory </span><span class="si">%s</span><span class="s2">"</span><span class="p">,</span> <span class="bp">self</span><span class="o">.</span><span class="n">workdir</span><span class="p">)</span>
|
||||
<span class="n">logger</span><span class="o">.</span><span class="n">debug</span><span class="p">(</span><span class="s2">"using log directory </span><span class="si">%s</span><span class="s2">"</span><span class="p">,</span> <span class="n">logdir</span><span class="p">)</span>
|
||||
|
||||
@ -383,22 +385,6 @@
|
||||
<span class="n">logger</span><span class="o">.</span><span class="n">critical</span><span class="p">(</span><span class="s2">"no root privileges"</span><span class="p">)</span>
|
||||
<span class="n">sys</span><span class="o">.</span><span class="n">exit</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span>
|
||||
|
||||
<span class="c1"># is selinux disabled?</span>
|
||||
<span class="c1"># With selinux in enforcing mode the rpcbind package required for</span>
|
||||
<span class="c1"># dracut nfs module, which is in turn required by anaconda module,</span>
|
||||
<span class="c1"># will not get installed, because it's preinstall scriptlet fails,</span>
|
||||
<span class="c1"># resulting in an incomplete initial ramdisk image.</span>
|
||||
<span class="c1"># The reason is that the scriptlet runs tools from the shadow-utils</span>
|
||||
<span class="c1"># package in chroot, particularly groupadd and useradd to add the</span>
|
||||
<span class="c1"># required rpc group and rpc user. This operation fails, because</span>
|
||||
<span class="c1"># the selinux context on files in the chroot, that the shadow-utils</span>
|
||||
<span class="c1"># tools need to access (/etc/group, /etc/passwd, /etc/shadow etc.),</span>
|
||||
<span class="c1"># is wrong and selinux therefore disallows access to these files.</span>
|
||||
<span class="n">logger</span><span class="o">.</span><span class="n">info</span><span class="p">(</span><span class="s2">"checking the selinux mode"</span><span class="p">)</span>
|
||||
<span class="k">if</span> <span class="n">selinux</span><span class="o">.</span><span class="n">is_selinux_enabled</span><span class="p">()</span> <span class="ow">and</span> <span class="n">selinux</span><span class="o">.</span><span class="n">security_getenforce</span><span class="p">():</span>
|
||||
<span class="n">logger</span><span class="o">.</span><span class="n">critical</span><span class="p">(</span><span class="s2">"selinux must be disabled or in Permissive mode"</span><span class="p">)</span>
|
||||
<span class="n">sys</span><span class="o">.</span><span class="n">exit</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span>
|
||||
|
||||
<span class="c1"># do we have a proper dnf base object?</span>
|
||||
<span class="n">logger</span><span class="o">.</span><span class="n">info</span><span class="p">(</span><span class="s2">"checking dnf base object"</span><span class="p">)</span>
|
||||
<span class="k">if</span> <span class="ow">not</span> <span class="nb">isinstance</span><span class="p">(</span><span class="n">dbo</span><span class="p">,</span> <span class="n">dnf</span><span class="o">.</span><span class="n">Base</span><span class="p">):</span>
|
||||
@ -610,6 +596,16 @@
|
||||
<span class="k">except</span> <span class="ne">IndexError</span><span class="p">:</span>
|
||||
<span class="k">pass</span>
|
||||
<span class="k">return</span> <span class="n">templatedir</span></div>
|
||||
|
||||
<div class="viewcode-block" id="log_selinux_state"><a class="viewcode-back" href="../pylorax.html#pylorax.log_selinux_state">[docs]</a><span class="k">def</span> <span class="nf">log_selinux_state</span><span class="p">():</span>
|
||||
<span class="sd">"""Log the current state of selinux"""</span>
|
||||
<span class="k">if</span> <span class="n">selinux</span><span class="o">.</span><span class="n">is_selinux_enabled</span><span class="p">():</span>
|
||||
<span class="k">if</span> <span class="n">selinux</span><span class="o">.</span><span class="n">security_getenforce</span><span class="p">():</span>
|
||||
<span class="n">logger</span><span class="o">.</span><span class="n">info</span><span class="p">(</span><span class="s2">"selinux is enabled and in Enforcing mode"</span><span class="p">)</span>
|
||||
<span class="k">else</span><span class="p">:</span>
|
||||
<span class="n">logger</span><span class="o">.</span><span class="n">info</span><span class="p">(</span><span class="s2">"selinux is enabled and in Permissive mode"</span><span class="p">)</span>
|
||||
<span class="k">else</span><span class="p">:</span>
|
||||
<span class="n">logger</span><span class="o">.</span><span class="n">info</span><span class="p">(</span><span class="s2">"selinux is Disabled"</span><span class="p">)</span></div>
|
||||
</pre></div>
|
||||
|
||||
</div>
|
||||
|
@ -267,20 +267,7 @@
|
||||
<span class="k">else</span><span class="p">:</span>
|
||||
<span class="n">fssize</span> <span class="o">=</span> <span class="kc">None</span> <span class="c1"># Let mkext4img figure out the needed size</span>
|
||||
|
||||
<span class="n">mkext4img</span><span class="p">(</span><span class="n">rootdir</span><span class="p">,</span> <span class="n">outfile</span><span class="p">,</span> <span class="n">label</span><span class="o">=</span><span class="n">label</span><span class="p">,</span> <span class="n">size</span><span class="o">=</span><span class="n">fssize</span><span class="p">)</span>
|
||||
<span class="c1"># Reset selinux context on new rootfs</span>
|
||||
<span class="k">with</span> <span class="n">LoopDev</span><span class="p">(</span><span class="n">outfile</span><span class="p">)</span> <span class="k">as</span> <span class="n">loopdev</span><span class="p">:</span>
|
||||
<span class="k">with</span> <span class="n">Mount</span><span class="p">(</span><span class="n">loopdev</span><span class="p">)</span> <span class="k">as</span> <span class="n">mnt</span><span class="p">:</span>
|
||||
<span class="n">cmd</span> <span class="o">=</span> <span class="p">[</span> <span class="s2">"setfiles"</span><span class="p">,</span> <span class="s2">"-e"</span><span class="p">,</span> <span class="s2">"/proc"</span><span class="p">,</span> <span class="s2">"-e"</span><span class="p">,</span> <span class="s2">"/sys"</span><span class="p">,</span> <span class="s2">"-e"</span><span class="p">,</span> <span class="s2">"/dev"</span><span class="p">,</span>
|
||||
<span class="s2">"-e"</span><span class="p">,</span> <span class="s2">"/install"</span><span class="p">,</span> <span class="s2">"-e"</span><span class="p">,</span> <span class="s2">"/ostree"</span><span class="p">,</span>
|
||||
<span class="s2">"/etc/selinux/targeted/contexts/files/file_contexts"</span><span class="p">,</span> <span class="s2">"/"</span><span class="p">]</span>
|
||||
<span class="n">root</span> <span class="o">=</span> <span class="n">join</span><span class="p">(</span><span class="n">mnt</span><span class="p">,</span> <span class="n">sysroot</span><span class="o">.</span><span class="n">lstrip</span><span class="p">(</span><span class="s2">"/"</span><span class="p">))</span>
|
||||
<span class="k">try</span><span class="p">:</span>
|
||||
<span class="n">runcmd</span><span class="p">(</span><span class="n">cmd</span><span class="p">,</span> <span class="n">root</span><span class="o">=</span><span class="n">root</span><span class="p">)</span>
|
||||
<span class="k">except</span> <span class="n">CalledProcessError</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span>
|
||||
<span class="n">logger</span><span class="o">.</span><span class="n">error</span><span class="p">(</span><span class="s2">"setfiles exited with a non-zero return code (</span><span class="si">%d</span><span class="s2">) which may "</span>
|
||||
<span class="s2">"be caused by running without SELinux in Permissive mode."</span><span class="p">,</span> <span class="n">e</span><span class="o">.</span><span class="n">returncode</span><span class="p">)</span>
|
||||
<span class="k">raise</span></div>
|
||||
<span class="n">mkext4img</span><span class="p">(</span><span class="n">rootdir</span><span class="p">,</span> <span class="n">outfile</span><span class="p">,</span> <span class="n">label</span><span class="o">=</span><span class="n">label</span><span class="p">,</span> <span class="n">size</span><span class="o">=</span><span class="n">fssize</span><span class="p">)</span></div>
|
||||
|
||||
|
||||
<span class="c1">######## Utility functions ###############################################</span>
|
||||
|
@ -192,10 +192,7 @@ install. There are a couple of things to keep in mind when doing this:
|
||||
running under you may encounter strange bugs if you try to build newer or
|
||||
older releases.
|
||||
|
||||
2. Make sure selinux is set to permissive or disabled. It won't install
|
||||
correctly with selinux set to enforcing yet.
|
||||
|
||||
3. It may totally trash your host. So far I haven't had this happen, but the
|
||||
2. It may totally trash your host. So far I haven't had this happen, but the
|
||||
possibility exists that a bug in Anaconda could result in it operating on
|
||||
real devices. I recommend running it in a virt or on a system that you can
|
||||
afford to lose all data from.
|
||||
@ -213,6 +210,10 @@ Example cmdline:
|
||||
or UEFI). You can create BIOS partitioned disk images on UEFI by using
|
||||
virt.
|
||||
|
||||
.. note::
|
||||
As of version 30.7 SELinux can be set to Enforcing. The current state is
|
||||
logged for debugging purposes and if there are SELinux denials they should
|
||||
be reported as a bug.
|
||||
|
||||
AMI Images
|
||||
----------
|
||||
|
@ -16,15 +16,16 @@ installation and configuration of the images.
|
||||
Important Things To Note
|
||||
------------------------
|
||||
|
||||
* SELinux must be in Permissive mode. Anaconda requires SELinux be in permissive mode
|
||||
for image creation to work correctly. You can either edit the setting in the
|
||||
``/etc/sysconfig/selinux`` file, or run ``setenforce 0`` before starting lorax-composer.
|
||||
* As of version 30.7 SELinux can be set to Enforcing. The current state is
|
||||
logged for debugging purposes and if there are SELinux denials they should
|
||||
be reported as a bug.
|
||||
|
||||
* All image types lock the root account, except for live-iso. You will need to either
|
||||
use one of the `Customizations`_ methods for setting a ssh key/password, install a
|
||||
package that creates a user, or use something like `cloud-init` to setup access at
|
||||
boot time.
|
||||
|
||||
|
||||
Installation
|
||||
------------
|
||||
|
||||
@ -69,7 +70,6 @@ Security
|
||||
Some security related issues that you should be aware of before running ``lorax-composer``:
|
||||
|
||||
* One of the API server threads needs to retain root privileges in order to run Anaconda.
|
||||
* SELinux must be set to Permissive or disabled to allow ``livemedia-creator`` to run Anaconda.
|
||||
* Only allow authorized users access to the ``weldr`` group and socket.
|
||||
|
||||
Since Anaconda kickstarts are used there is the possibility that a user could
|
||||
|
@ -527,6 +527,8 @@
|
||||
<li><a href="pylorax.html#pylorax.ltmpl.LoraxTemplateRunner.log">log() (pylorax.ltmpl.LoraxTemplateRunner method)</a>
|
||||
</li>
|
||||
<li><a href="pylorax.html#pylorax.monitor.LogServer.log_check">log_check() (pylorax.monitor.LogServer method)</a>
|
||||
</li>
|
||||
<li><a href="pylorax.html#pylorax.log_selinux_state">log_selinux_state() (in module pylorax)</a>
|
||||
</li>
|
||||
<li><a href="pylorax.html#pylorax.monitor.LogMonitor">LogMonitor (class in pylorax.monitor)</a>
|
||||
</li>
|
||||
|
@ -725,8 +725,6 @@ install. There are a couple of things to keep in mind when doing this:</p>
|
||||
host is running. Because Anaconda has expectations about the system it is
|
||||
running under you may encounter strange bugs if you try to build newer or
|
||||
older releases.</li>
|
||||
<li>Make sure selinux is set to permissive or disabled. It won’t install
|
||||
correctly with selinux set to enforcing yet.</li>
|
||||
<li>It may totally trash your host. So far I haven’t had this happen, but the
|
||||
possibility exists that a bug in Anaconda could result in it operating on
|
||||
real devices. I recommend running it in a virt or on a system that you can
|
||||
@ -743,6 +741,12 @@ the current directory or in the directory used for –logfile</p>
|
||||
or UEFI). You can create BIOS partitioned disk images on UEFI by using
|
||||
virt.</p>
|
||||
</div>
|
||||
<div class="admonition note">
|
||||
<p class="first admonition-title">Note</p>
|
||||
<p class="last">As of version 30.7 SELinux can be set to Enforcing. The current state is
|
||||
logged for debugging purposes and if there are SELinux denials they should
|
||||
be reported as a bug.</p>
|
||||
</div>
|
||||
</div>
|
||||
<div class="section" id="ami-images">
|
||||
<h2>AMI Images<a class="headerlink" href="#ami-images" title="Permalink to this headline">¶</a></h2>
|
||||
|
@ -208,9 +208,9 @@ installation and configuration of the images.</p>
|
||||
<div class="section" id="important-things-to-note">
|
||||
<h2>Important Things To Note<a class="headerlink" href="#important-things-to-note" title="Permalink to this headline">¶</a></h2>
|
||||
<ul class="simple">
|
||||
<li>SELinux must be in Permissive mode. Anaconda requires SELinux be in permissive mode
|
||||
for image creation to work correctly. You can either edit the setting in the
|
||||
<code class="docutils literal notranslate"><span class="pre">/etc/sysconfig/selinux</span></code> file, or run <code class="docutils literal notranslate"><span class="pre">setenforce</span> <span class="pre">0</span></code> before starting lorax-composer.</li>
|
||||
<li>As of version 30.7 SELinux can be set to Enforcing. The current state is
|
||||
logged for debugging purposes and if there are SELinux denials they should
|
||||
be reported as a bug.</li>
|
||||
<li>All image types lock the root account, except for live-iso. You will need to either
|
||||
use one of the <a class="reference internal" href="#customizations">Customizations</a> methods for setting a ssh key/password, install a
|
||||
package that creates a user, or use something like <cite>cloud-init</cite> to setup access at
|
||||
@ -257,7 +257,6 @@ messages as well as extra debugging info and API requests.</p>
|
||||
<p>Some security related issues that you should be aware of before running <code class="docutils literal notranslate"><span class="pre">lorax-composer</span></code>:</p>
|
||||
<ul class="simple">
|
||||
<li>One of the API server threads needs to retain root privileges in order to run Anaconda.</li>
|
||||
<li>SELinux must be set to Permissive or disabled to allow <code class="docutils literal notranslate"><span class="pre">livemedia-creator</span></code> to run Anaconda.</li>
|
||||
<li>Only allow authorized users access to the <code class="docutils literal notranslate"><span class="pre">weldr</span></code> group and socket.</li>
|
||||
</ul>
|
||||
<p>Since Anaconda kickstarts are used there is the possibility that a user could
|
||||
|
@ -2191,6 +2191,12 @@ lowest numbered directory entry is returned.</p>
|
||||
<code class="descclassname">pylorax.</code><code class="descname">get_buildarch</code><span class="sig-paren">(</span><em>dbo</em><span class="sig-paren">)</span><a class="reference internal" href="_modules/pylorax.html#get_buildarch"><span class="viewcode-link">[source]</span></a><a class="headerlink" href="#pylorax.get_buildarch" title="Permalink to this definition">¶</a></dt>
|
||||
<dd></dd></dl>
|
||||
|
||||
<dl class="function">
|
||||
<dt id="pylorax.log_selinux_state">
|
||||
<code class="descclassname">pylorax.</code><code class="descname">log_selinux_state</code><span class="sig-paren">(</span><span class="sig-paren">)</span><a class="reference internal" href="_modules/pylorax.html#log_selinux_state"><span class="viewcode-link">[source]</span></a><a class="headerlink" href="#pylorax.log_selinux_state" title="Permalink to this definition">¶</a></dt>
|
||||
<dd><p>Log the current state of selinux</p>
|
||||
</dd></dl>
|
||||
|
||||
<dl class="function">
|
||||
<dt id="pylorax.setup_logging">
|
||||
<code class="descclassname">pylorax.</code><code class="descname">setup_logging</code><span class="sig-paren">(</span><em>logfile</em>, <em>theLogger</em><span class="sig-paren">)</span><a class="reference internal" href="_modules/pylorax.html#setup_logging"><span class="viewcode-link">[source]</span></a><a class="headerlink" href="#pylorax.setup_logging" title="Permalink to this definition">¶</a></dt>
|
||||
|
@ -1,6 +1,6 @@
|
||||
.\" Man page generated from reStructuredText.
|
||||
.
|
||||
.TH "COMPOSER-CLI" "1" "Nov 27, 2018" "28.14.17" "Lorax"
|
||||
.TH "COMPOSER-CLI" "1" "Nov 29, 2018" "28.14.17" "Lorax"
|
||||
.SH NAME
|
||||
composer-cli \- Composer Cmdline Utility Documentation
|
||||
.
|
||||
|
@ -1,6 +1,6 @@
|
||||
.\" Man page generated from reStructuredText.
|
||||
.
|
||||
.TH "LIVEMEDIA-CREATOR" "1" "Nov 27, 2018" "28.14.17" "Lorax"
|
||||
.TH "LIVEMEDIA-CREATOR" "1" "Nov 29, 2018" "28.14.17" "Lorax"
|
||||
.SH NAME
|
||||
livemedia-creator \- Live Media Creator Documentation
|
||||
.
|
||||
@ -573,9 +573,6 @@ host is running. Because Anaconda has expectations about the system it is
|
||||
running under you may encounter strange bugs if you try to build newer or
|
||||
older releases.
|
||||
.IP 2. 3
|
||||
Make sure selinux is set to permissive or disabled. It won\(aqt install
|
||||
correctly with selinux set to enforcing yet.
|
||||
.IP 3. 3
|
||||
It may totally trash your host. So far I haven\(aqt had this happen, but the
|
||||
possibility exists that a bug in Anaconda could result in it operating on
|
||||
real devices. I recommend running it in a virt or on a system that you can
|
||||
@ -598,6 +595,15 @@ or UEFI). You can create BIOS partitioned disk images on UEFI by using
|
||||
virt.
|
||||
.UNINDENT
|
||||
.UNINDENT
|
||||
.sp
|
||||
\fBNOTE:\fP
|
||||
.INDENT 0.0
|
||||
.INDENT 3.5
|
||||
As of version 30.7 SELinux can be set to Enforcing. The current state is
|
||||
logged for debugging purposes and if there are SELinux denials they should
|
||||
be reported as a bug.
|
||||
.UNINDENT
|
||||
.UNINDENT
|
||||
.SH AMI IMAGES
|
||||
.sp
|
||||
Amazon EC2 images can be created by using the \-\-make\-ami switch and an appropriate
|
||||
|
@ -1,6 +1,6 @@
|
||||
.\" Man page generated from reStructuredText.
|
||||
.
|
||||
.TH "LORAX-COMPOSER" "1" "Nov 27, 2018" "28.14.17" "Lorax"
|
||||
.TH "LORAX-COMPOSER" "1" "Nov 29, 2018" "28.14.17" "Lorax"
|
||||
.SH NAME
|
||||
lorax-composer \- Lorax Composer Documentation
|
||||
.
|
||||
@ -47,9 +47,9 @@ installation and configuration of the images.
|
||||
.SH IMPORTANT THINGS TO NOTE
|
||||
.INDENT 0.0
|
||||
.IP \(bu 2
|
||||
SELinux must be in Permissive mode. Anaconda requires SELinux be in permissive mode
|
||||
for image creation to work correctly. You can either edit the setting in the
|
||||
\fB/etc/sysconfig/selinux\fP file, or run \fBsetenforce 0\fP before starting lorax\-composer.
|
||||
As of version 30.7 SELinux can be set to Enforcing. The current state is
|
||||
logged for debugging purposes and if there are SELinux denials they should
|
||||
be reported as a bug.
|
||||
.IP \(bu 2
|
||||
All image types lock the root account, except for live\-iso. You will need to either
|
||||
use one of the \fI\%Customizations\fP methods for setting a ssh key/password, install a
|
||||
@ -99,8 +99,6 @@ Some security related issues that you should be aware of before running \fBlorax
|
||||
.IP \(bu 2
|
||||
One of the API server threads needs to retain root privileges in order to run Anaconda.
|
||||
.IP \(bu 2
|
||||
SELinux must be set to Permissive or disabled to allow \fBlivemedia\-creator\fP to run Anaconda.
|
||||
.IP \(bu 2
|
||||
Only allow authorized users access to the \fBweldr\fP group and socket.
|
||||
.UNINDENT
|
||||
.sp
|
||||
|
@ -1,6 +1,6 @@
|
||||
.\" Man page generated from reStructuredText.
|
||||
.
|
||||
.TH "LORAX" "1" "Nov 27, 2018" "28.14.17" "Lorax"
|
||||
.TH "LORAX" "1" "Nov 29, 2018" "28.14.17" "Lorax"
|
||||
.SH NAME
|
||||
lorax \- Lorax Documentation
|
||||
.
|
||||
|