Remove SELinux Permissive checks

Anaconda, Lorax, lorax-composer, and livemedia-creator can all now run
with SELinux in Enforcing mode. It does not need to be disabled, and any
denials should be reported as a bug.

Log the current state of SELinux when starting, update the
documentation.
Brian C. Lane 2018-11-13 09:50:05 -08:00
parent cd6f4fdb67
commit 35b8957f12
6 changed files with 27 additions and 41 deletions


@ -208,10 +208,7 @@ install. There are a couple of things to keep in mind when doing this:
running under you may encounter strange bugs if you try to build newer or
older releases.
2. Make sure selinux is set to permissive or disabled. It won't install
correctly with selinux set to enforcing yet.
3. It may totally trash your host. So far I haven't had this happen, but the
2. It may totally trash your host. So far I haven't had this happen, but the
possibility exists that a bug in Anaconda could result in it operating on
real devices. I recommend running it in a virt or on a system that you can
afford to lose all data from.
@ -229,6 +226,10 @@ Example cmdline:
or UEFI). You can create BIOS partitioned disk images on UEFI by using
virt.
.. note::
As of version 30.7 SELinux can be set to Enforcing. The current state is
logged for debugging purposes and if there are SELinux denials they should
be reported as a bug.
AMI Images
----------


@ -16,15 +16,16 @@ installation and configuration of the images.
Important Things To Note
------------------------
* SELinux must be in Permissive mode. Anaconda requires SELinux be in permissive mode
for image creation to work correctly. You can either edit the setting in the
``/etc/sysconfig/selinux`` file, or run ``setenforce 0`` before starting lorax-composer.
* As of version 30.7 SELinux can be set to Enforcing. The current state is
logged for debugging purposes and if there are SELinux denials they should
be reported as a bug.
* All image types lock the root account, except for live-iso. You will need to either
use one of the `Customizations`_ methods for setting a ssh key/password, install a
package that creates a user, or use something like `cloud-init` to setup access at
boot time.
Installation
------------
@ -75,7 +76,6 @@ Security
Some security related issues that you should be aware of before running ``lorax-composer``:
* One of the API server threads needs to retain root privileges in order to run Anaconda.
* SELinux must be set to Permissive or disabled to allow ``livemedia-creator`` to run Anaconda.
* Only allow authorized users access to the ``weldr`` group and socket.
Since Anaconda kickstarts are used there is the possibility that a user could


@ -215,6 +215,8 @@ class Lorax(BaseLoraxClass):
self.init_file_logging(logdir)
logger.debug("version is %s", vernum)
log_selinux_state()
logger.debug("using work directory %s", self.workdir)
logger.debug("using log directory %s", logdir)
@ -230,22 +232,6 @@ class Lorax(BaseLoraxClass):
logger.critical("no root privileges")
sys.exit(1)
# is selinux disabled?
# With selinux in enforcing mode the rpcbind package required for
# dracut nfs module, which is in turn required by anaconda module,
# will not get installed, because it's preinstall scriptlet fails,
# resulting in an incomplete initial ramdisk image.
# The reason is that the scriptlet runs tools from the shadow-utils
# package in chroot, particularly groupadd and useradd to add the
# required rpc group and rpc user. This operation fails, because
# the selinux context on files in the chroot, that the shadow-utils
# tools need to access (/etc/group, /etc/passwd, /etc/shadow etc.),
# is wrong and selinux therefore disallows access to these files.
logger.info("checking the selinux mode")
if selinux.is_selinux_enabled() and selinux.security_getenforce():
logger.critical("selinux must be disabled or in Permissive mode")
sys.exit(1)
# do we have a proper dnf base object?
logger.info("checking dnf base object")
if not isinstance(dbo, dnf.Base):
@ -464,3 +450,13 @@ def find_templates(templatedir="/usr/share/lorax"):
except IndexError:
pass
return templatedir
def log_selinux_state():
"""Log the current state of selinux"""
if selinux.is_selinux_enabled():
if selinux.security_getenforce():
logger.info("selinux is enabled and in Enforcing mode")
else:
logger.info("selinux is enabled and in Permissive mode")
else:
logger.info("selinux is Disabled")
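Review bot: The docstring on `log_selinux_state` says only "Log the current state of selinux"; since the value is read once at startup and the Enforcing gate this commit removes is gone, it is worth stating what the line is for: `"""Log whether SELinux is Disabled, Permissive or Enforcing at INFO level; a startup snapshot so later denials can be correlated with the mode in effect."""`. The libselinux python bindings raise OSError when a call returns a negative status, if I read them correctly, so `selinux.security_getenforce()` could in principle abort startup from a purely diagnostic helper; wrapping that query in `except OSError as e: logger.warning("unable to read selinux state: %s", e)` would keep it best-effort. This helper is the one called from Lorax.__init__ and the three scripts in this commit, so a change here covers all callers.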


@ -22,12 +22,11 @@ log = logging.getLogger("livemedia-creator")
import glob
import os
import selinux
import sys
import tempfile
# Use the Lorax treebuilder branch for iso creation
from pylorax import setup_logging, find_templates, vernum
from pylorax import setup_logging, find_templates, vernum, log_selinux_state
from pylorax.cmdline import lmc_parser
from pylorax.creator import run_creator, DRACUT_DEFAULT
from pylorax.imgutils import default_image_name
@ -43,6 +42,7 @@ def main():
log.debug( opts )
log.info("livemedia-creator v%s", vernum)
log_selinux_state()
# Find the lorax templates
opts.lorax_templates = find_templates(opts.lorax_templates or "/usr/share/lorax")
@ -91,10 +91,6 @@ def main():
and not os.path.exists("/usr/sbin/anaconda"):
errors.append("no-virt requires anaconda to be installed.")
if is_install and opts.no_virt:
if selinux.is_selinux_enabled() and selinux.security_getenforce():
errors.append("selinux must be disabled or in Permissive mode.")
if opts.make_appliance and not opts.app_template:
opts.app_template = joinpaths(opts.lorax_templates,
"appliance/libvirt.tmpl")


@ -33,10 +33,9 @@ import dnf
import dnf.logging
import librepo
import pylorax
from pylorax import DRACUT_DEFAULT
from pylorax import DRACUT_DEFAULT, log_selinux_state
from pylorax.cmdline import lorax_parser
from pylorax.dnfbase import get_dnf_base_object
import selinux
def setup_logging(opts):
pylorax.setup_logging(opts.logfile, log)
@ -74,10 +73,7 @@ def main():
setup_logging(opts)
log.info("checking the selinux mode")
if selinux.is_selinux_enabled() and selinux.security_getenforce():
log.critical("selinux must be disabled or in Permissive mode")
sys.exit(1)
log_selinux_state()
if not opts.workdir:
tempfile.tempdir = opts.tmp
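Review bot: With `sys.exit(1)` removed from main() in this hunk, `sys` may have no remaining use in this script; the import hunk above does not show `import sys`, so I cannot tell from the page whether a stdlib import further up is now dead, but it is worth a quick check alongside the `import selinux` removal the commit already makes here. main() continues outside the hunk.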


@ -27,7 +27,6 @@ dnf_log = logging.getLogger("dnf")
import grp
import os
import pwd
import selinux
import sys
import subprocess
import tempfile
@ -35,7 +34,7 @@ from threading import Lock
from gevent import socket
from gevent.pywsgi import WSGIServer
from pylorax import vernum
from pylorax import vernum, log_selinux_state
from pylorax.api.cmdline import lorax_composer_parser
from pylorax.api.config import configure, make_dnf_dirs, make_queue_dirs, make_owned_dir
from pylorax.api.compose import test_templates
@ -134,6 +133,7 @@ if __name__ == '__main__':
os.makedirs(logpath)
setup_logging(opts.logfile)
log.debug("opts=%s", opts)
log_selinux_state()
if not make_pidfile():
log.error("PID file exists, lorax-composer already running. Quitting.")
@ -152,9 +152,6 @@ if __name__ == '__main__':
except KeyError:
errors.append("Missing group '%s'" % opts.group)
if selinux.is_selinux_enabled() and selinux.security_getenforce():
errors.append("selinux must be disabled or in Permissive mode.")
# No point in continuing if there are uid or gid errors
if errors:
for e in errors: