Remove SELinux Permissive checks
Anaconda, Lorax, lorax-composer, and livemedia-creator can all now run with SELinux in Enforcing mode. SELinux no longer needs to be disabled or set to Permissive, and any denials that occur should be reported as bugs. Log the current state of SELinux when starting, update the documentation. Resolves: rhbz#1654795
parent
a40fc22047
commit
482d6277e0
@ -194,6 +194,8 @@ class Lorax(BaseLoraxClass):
|
|||||||
self.init_file_logging(logdir)
|
self.init_file_logging(logdir)
|
||||||
|
|
||||||
logger.debug("version is %s", vernum)
|
logger.debug("version is %s", vernum)
|
||||||
|
log_selinux_state()
|
||||||
|
|
||||||
logger.debug("using work directory %s", self.workdir)
|
logger.debug("using work directory %s", self.workdir)
|
||||||
logger.debug("using log directory %s", logdir)
|
logger.debug("using log directory %s", logdir)
|
||||||
|
|
||||||
@ -209,22 +211,6 @@ class Lorax(BaseLoraxClass):
|
|||||||
logger.critical("no root privileges")
|
logger.critical("no root privileges")
|
||||||
sys.exit(1)
|
sys.exit(1)
|
||||||
|
|
||||||
# is selinux disabled?
|
|
||||||
# With selinux in enforcing mode the rpcbind package required for
|
|
||||||
# dracut nfs module, which is in turn required by anaconda module,
|
|
||||||
# will not get installed, because it's preinstall scriptlet fails,
|
|
||||||
# resulting in an incomplete initial ramdisk image.
|
|
||||||
# The reason is that the scriptlet runs tools from the shadow-utils
|
|
||||||
# package in chroot, particularly groupadd and useradd to add the
|
|
||||||
# required rpc group and rpc user. This operation fails, because
|
|
||||||
# the selinux context on files in the chroot, that the shadow-utils
|
|
||||||
# tools need to access (/etc/group, /etc/passwd, /etc/shadow etc.),
|
|
||||||
# is wrong and selinux therefore disallows access to these files.
|
|
||||||
logger.info("checking the selinux mode")
|
|
||||||
if selinux.is_selinux_enabled() and selinux.security_getenforce():
|
|
||||||
logger.critical("selinux must be disabled or in Permissive mode")
|
|
||||||
sys.exit(1)
|
|
||||||
|
|
||||||
# do we have a proper yum base object?
|
# do we have a proper yum base object?
|
||||||
logger.info("checking yum base object")
|
logger.info("checking yum base object")
|
||||||
if not isinstance(ybo, yum.YumBase):
|
if not isinstance(ybo, yum.YumBase):
|
||||||
@ -384,3 +370,13 @@ def get_buildarch(ybo):
|
|||||||
sys.exit(1)
|
sys.exit(1)
|
||||||
|
|
||||||
return buildarch
|
return buildarch
|
||||||
|
|
||||||
|
def log_selinux_state():
|
||||||
|
"""Log the current state of selinux"""
|
||||||
|
if selinux.is_selinux_enabled():
|
||||||
|
if selinux.security_getenforce():
|
||||||
|
logger.info("selinux is enabled and in Enforcing mode")
|
||||||
|
else:
|
||||||
|
logger.info("selinux is enabled and in Permissive mode")
|
||||||
|
else:
|
||||||
|
logger.info("selinux is Disabled")
|
||||||
|
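Review bot: In the new log_selinux_state() the branch `if selinux.security_getenforce():` treats any non-zero return as Enforcing, but libselinux's security_getenforce() returns -1 when the query fails, so a failed lookup would be logged as "selinux is enabled and in Enforcing mode"; since this helper is now the only SELinux visibility the tools give someone chasing a denial, consider `mode = selinux.security_getenforce()` followed by `if mode == 1:` / `elif mode == 0:` with a warning branch for anything else. The message `"selinux is Disabled"` also differs in capitalisation from the "Enforcing mode"/"Permissive mode" lines, which matters for anyone grepping logs. The commit description says denials should be reported as bugs, so appending a short pointer to the Enforcing message, e.g. `"selinux is enabled and in Enforcing mode (report any AVC denials as bugs)"`, would surface that advice where a user will actually look.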
@ -238,13 +238,13 @@ def novirt_install(opts, disk_img, disk_size, repo_url, callback_func=None):
|
|||||||
"""
|
"""
|
||||||
Use Anaconda to install to a disk image
|
Use Anaconda to install to a disk image
|
||||||
"""
|
"""
|
||||||
import selinux
|
# import selinux
|
||||||
|
|
||||||
# Set selinux to Permissive if it is Enforcing
|
# Set selinux to Permissive if it is Enforcing
|
||||||
selinux_enforcing = False
|
# selinux_enforcing = False
|
||||||
if selinux.is_selinux_enabled() and selinux.security_getenforce():
|
# if selinux.is_selinux_enabled() and selinux.security_getenforce():
|
||||||
selinux_enforcing = True
|
# selinux_enforcing = True
|
||||||
selinux.security_setenforce(0)
|
# selinux.security_setenforce(0)
|
||||||
|
|
||||||
# Clean up /tmp/ from previous runs to prevent stale info from being used
|
# Clean up /tmp/ from previous runs to prevent stale info from being used
|
||||||
for path in ["/tmp/yum.repos.d/", "/tmp/yum.cache/", "/tmp/yum.root/", "/tmp/yum.pluginconf.d/"]:
|
for path in ["/tmp/yum.repos.d/", "/tmp/yum.cache/", "/tmp/yum.root/", "/tmp/yum.pluginconf.d/"]:
|
||||||
@ -311,8 +311,8 @@ def novirt_install(opts, disk_img, disk_size, repo_url, callback_func=None):
|
|||||||
dm_detach(dm_path)
|
dm_detach(dm_path)
|
||||||
loop_detach(get_loop_name(disk_img))
|
loop_detach(get_loop_name(disk_img))
|
||||||
|
|
||||||
if selinux_enforcing:
|
# if selinux_enforcing:
|
||||||
selinux.security_setenforce(1)
|
# selinux.security_setenforce(1)
|
||||||
|
|
||||||
if rc:
|
if rc:
|
||||||
raise InstallError("novirt_install failed")
|
raise InstallError("novirt_install failed")
|
||||||
|
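Review bot: The hunk keeps the old Permissive-switching logic as commented-out lines (`# import selinux` through `# selinux.security_setenforce(1)`) instead of deleting it; dead code like this tends to be un-commented later, and this block is security-relevant because `security_setenforce(0)` lowers enforcement for the whole host for the duration of the install, not just for the chroot. Delete the commented lines outright so the history lives in git rather than in the source. If the workaround ever has to return, the restore should sit in a `finally:` block, since the commented version appears to restore Enforcing only on the normal path and an exception in between would leave the host Permissive. novirt_install's body starts before the first hunk and continues between and after the two hunks shown.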
@ -27,7 +27,7 @@ import os
|
|||||||
import sys
|
import sys
|
||||||
import tempfile
|
import tempfile
|
||||||
|
|
||||||
from pylorax import vernum
|
from pylorax import vernum, log_selinux_state
|
||||||
from pylorax.creator import DRACUT_DEFAULT, run_creator
|
from pylorax.creator import DRACUT_DEFAULT, run_creator
|
||||||
from pylorax.imgutils import default_image_name
|
from pylorax.imgutils import default_image_name
|
||||||
from pylorax.sysutils import joinpaths
|
from pylorax.sysutils import joinpaths
|
||||||
@ -225,6 +225,7 @@ def main():
|
|||||||
setup_logging(opts)
|
setup_logging(opts)
|
||||||
|
|
||||||
log.info("livemedia-creator %s", vernum)
|
log.info("livemedia-creator %s", vernum)
|
||||||
|
log_selinux_state()
|
||||||
log.debug( opts )
|
log.debug( opts )
|
||||||
|
|
||||||
if os.getuid() != 0:
|
if os.getuid() != 0:
|
||||||
|
@ -42,7 +42,7 @@ import yum
|
|||||||
# handler setup. We already set one up so we don't need it to run.
|
# handler setup. We already set one up so we don't need it to run.
|
||||||
yum.logginglevels._added_handlers = True
|
yum.logginglevels._added_handlers = True
|
||||||
import pylorax
|
import pylorax
|
||||||
from pylorax import DRACUT_DEFAULT
|
from pylorax import DRACUT_DEFAULT, log_selinux_state
|
||||||
|
|
||||||
VERSION = "{0}-{1}".format(os.path.basename(sys.argv[0]), pylorax.vernum)
|
VERSION = "{0}-{1}".format(os.path.basename(sys.argv[0]), pylorax.vernum)
|
||||||
|
|
||||||
@ -195,6 +195,7 @@ def main(args):
|
|||||||
setup_logging(opts)
|
setup_logging(opts)
|
||||||
|
|
||||||
log.info("Lorax %s", pylorax.vernum)
|
log.info("Lorax %s", pylorax.vernum)
|
||||||
|
log_selinux_state()
|
||||||
tempfile.tempdir = opts.tmp
|
tempfile.tempdir = opts.tmp
|
||||||
|
|
||||||
# create the temporary directory for lorax
|
# create the temporary directory for lorax
|
||||||
|
@ -35,7 +35,7 @@ from threading import Lock
|
|||||||
from gevent import socket
|
from gevent import socket
|
||||||
from gevent.pywsgi import WSGIServer
|
from gevent.pywsgi import WSGIServer
|
||||||
|
|
||||||
from pylorax import vernum
|
from pylorax import vernum, log_selinux_state
|
||||||
from pylorax.api.config import configure, make_yum_dirs, make_queue_dirs
|
from pylorax.api.config import configure, make_yum_dirs, make_queue_dirs
|
||||||
from pylorax.api.compose import test_templates
|
from pylorax.api.compose import test_templates
|
||||||
from pylorax.api.queue import start_queue_monitor
|
from pylorax.api.queue import start_queue_monitor
|
||||||
@ -170,6 +170,7 @@ if __name__ == '__main__':
|
|||||||
os.makedirs(logpath)
|
os.makedirs(logpath)
|
||||||
setup_logging(opts.logfile)
|
setup_logging(opts.logfile)
|
||||||
log.debug("opts=%s", opts)
|
log.debug("opts=%s", opts)
|
||||||
|
log_selinux_state()
|
||||||
|
|
||||||
if not make_pidfile():
|
if not make_pidfile():
|
||||||
log.error("PID file exists, lorax-composer already running. Quitting.")
|
log.error("PID file exists, lorax-composer already running. Quitting.")
|
||||||
|
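Review bot: log_selinux_state() is called once at daemon startup here, but lorax-composer is a long-running server (WSGIServer and start_queue_monitor are imported above) and the host's enforcement mode can be changed underneath it with setenforce, so the startup line may not describe the state in effect when a compose fails later. Consider calling it again from the compose worker when a compose starts, or at least when one fails, so the log entry next to a failure is trustworthy; the helper is cheap and has no side effects beyond logging.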