Remove SELinux Permissive checks

Anaconda, Lorax, lorax-composer, and livemedia-creator can all now run
with SELinux in Enforcing mode. It does not need to be disabled and if
there are denials they should be reported as a bug.

Log the current state of SELinux when starting, update the
documentation.

docs/livemedia-creator.rst

@@ -208,10 +208,7 @@ install.  There are a couple of things to keep in mind when doing this:
    running under you may encounter strange bugs if you try to build newer or
    older releases.
 
-2. Make sure selinux is set to permissive or disabled. It won't install
+2. It may totally trash your host. So far I haven't had this happen, but the
-   correctly with selinux set to enforcing yet.
-
-3. It may totally trash your host. So far I haven't had this happen, but the
    possibility exists that a bug in Anaconda could result in it operating on
    real devices. I recommend running it in a virt or on a system that you can
    afford to lose all data from.
@@ -229,6 +226,10 @@ Example cmdline:
     or UEFI). You can create BIOS partitioned disk images on UEFI by using
     virt.
 
+.. note::
+    As of version 30.7 SELinux can be set to Enforcing. The current state is
+    logged for debugging purposes and if there are SELinux denials they should
+    be reported as a bug.
 
 AMI Images
 ----------

docs/lorax-composer.rst

@@ -16,15 +16,16 @@ installation and configuration of the images.
 Important Things To Note
 ------------------------
 
-* SELinux must be in Permissive mode. Anaconda requires SELinux be in permissive mode
+* As of version 30.7 SELinux can be set to Enforcing. The current state is
-  for image creation to work correctly. You can either edit the setting in the
+  logged for debugging purposes and if there are SELinux denials they should
-  ``/etc/sysconfig/selinux`` file, or run ``setenforce 0`` before starting lorax-composer.
+  be reported as a bug.
 
 * All image types lock the root account, except for live-iso. You will need to either
   use one of the `Customizations`_ methods for setting a ssh key/password, install a
   package that creates a user, or use something like `cloud-init` to setup access at
   boot time.
 
+
 Installation
 ------------
 
@@ -75,7 +76,6 @@ Security
 Some security related issues that you should be aware of before running ``lorax-composer``:
 
 * One of the API server threads needs to retain root privileges in order to run Anaconda.
-* SELinux must be set to Permissive or disabled to allow ``livemedia-creator`` to run Anaconda.
 * Only allow authorized users access to the ``weldr`` group and socket.
 
 Since Anaconda kickstarts are used there is the possibility that a user could

src/pylorax/__init__.py

@@ -215,6 +215,8 @@ class Lorax(BaseLoraxClass):
         self.init_file_logging(logdir)
 
         logger.debug("version is %s", vernum)
+        log_selinux_state()
+
         logger.debug("using work directory %s", self.workdir)
         logger.debug("using log directory %s", logdir)
 
@@ -230,22 +232,6 @@ class Lorax(BaseLoraxClass):
             logger.critical("no root privileges")
             sys.exit(1)
 
-        # is selinux disabled?
-        # With selinux in enforcing mode the rpcbind package required for
-        # dracut nfs module, which is in turn required by anaconda module,
-        # will not get installed, because it's preinstall scriptlet fails,
-        # resulting in an incomplete initial ramdisk image.
-        # The reason is that the scriptlet runs tools from the shadow-utils
-        # package in chroot, particularly groupadd and useradd to add the
-        # required rpc group and rpc user. This operation fails, because
-        # the selinux context on files in the chroot, that the shadow-utils
-        # tools need to access (/etc/group, /etc/passwd, /etc/shadow etc.),
-        # is wrong and selinux therefore disallows access to these files.
-        logger.info("checking the selinux mode")
-        if selinux.is_selinux_enabled() and selinux.security_getenforce():
-            logger.critical("selinux must be disabled or in Permissive mode")
-            sys.exit(1)
-
         # do we have a proper dnf base object?
         logger.info("checking dnf base object")
         if not isinstance(dbo, dnf.Base):
@@ -464,3 +450,13 @@ def find_templates(templatedir="/usr/share/lorax"):
         except IndexError:
             pass
     return templatedir
+
+def log_selinux_state():
+    """Log the current state of selinux"""
+    if selinux.is_selinux_enabled():
+        if selinux.security_getenforce():
+            logger.info("selinux is enabled and in Enforcing mode")
+        else:
+            logger.info("selinux is enabled and in Permissive mode")
+    else:
+        logger.info("selinux is Disabled")

src/sbin/livemedia-creator

@@ -22,12 +22,11 @@ log = logging.getLogger("livemedia-creator")
 
 import glob
 import os
-import selinux
 import sys
 import tempfile
 
 # Use the Lorax treebuilder branch for iso creation
-from pylorax import setup_logging, find_templates, vernum
+from pylorax import setup_logging, find_templates, vernum, log_selinux_state
 from pylorax.cmdline import lmc_parser
 from pylorax.creator import run_creator, DRACUT_DEFAULT
 from pylorax.imgutils import default_image_name
@@ -43,6 +42,7 @@ def main():
     log.debug( opts )
 
     log.info("livemedia-creator v%s", vernum)
+    log_selinux_state()
 
     # Find the lorax templates
     opts.lorax_templates = find_templates(opts.lorax_templates or "/usr/share/lorax")
@@ -91,10 +91,6 @@ def main():
        and not os.path.exists("/usr/sbin/anaconda"):
         errors.append("no-virt requires anaconda to be installed.")
 
-    if is_install and opts.no_virt:
-        if selinux.is_selinux_enabled() and selinux.security_getenforce():
-            errors.append("selinux must be disabled or in Permissive mode.")
-
     if opts.make_appliance and not opts.app_template:
         opts.app_template = joinpaths(opts.lorax_templates,
                                             "appliance/libvirt.tmpl")

src/sbin/lorax

@@ -33,10 +33,9 @@ import dnf
 import dnf.logging
 import librepo
 import pylorax
-from pylorax import DRACUT_DEFAULT
+from pylorax import DRACUT_DEFAULT, log_selinux_state
 from pylorax.cmdline import lorax_parser
 from pylorax.dnfbase import get_dnf_base_object
-import selinux
 
 def setup_logging(opts):
     pylorax.setup_logging(opts.logfile, log)
@@ -74,10 +73,7 @@ def main():
 
     setup_logging(opts)
 
-    log.info("checking the selinux mode")
+    log_selinux_state()
-    if selinux.is_selinux_enabled() and selinux.security_getenforce():
-        log.critical("selinux must be disabled or in Permissive mode")
-        sys.exit(1)
 
     if not opts.workdir:
         tempfile.tempdir = opts.tmp

src/sbin/lorax-composer

@@ -27,7 +27,6 @@ dnf_log = logging.getLogger("dnf")
 import grp
 import os
 import pwd
-import selinux
 import sys
 import subprocess
 import tempfile
@@ -35,7 +34,7 @@ from threading import Lock
 from gevent import socket
 from gevent.pywsgi import WSGIServer
 
-from pylorax import vernum
+from pylorax import vernum, log_selinux_state
 from pylorax.api.cmdline import lorax_composer_parser
 from pylorax.api.config import configure, make_dnf_dirs, make_queue_dirs, make_owned_dir
 from pylorax.api.compose import test_templates
@@ -134,6 +133,7 @@ if __name__ == '__main__':
         os.makedirs(logpath)
     setup_logging(opts.logfile)
     log.debug("opts=%s", opts)
+    log_selinux_state()
 
     if not make_pidfile():
         log.error("PID file exists, lorax-composer already running. Quitting.")
@@ -152,9 +152,6 @@ if __name__ == '__main__':
     except KeyError:
         errors.append("Missing group '%s'" % opts.group)
 
-    if selinux.is_selinux_enabled() and selinux.security_getenforce():
-        errors.append("selinux must be disabled or in Permissive mode.")
-
     # No point in continuing if there are uid or gid errors
     if errors:
         for e in errors: