Remove SELinux Permissive checks
Anaconda, Lorax, lorax-composer, and livemedia-creator can all now run
with SELinux in Enforcing mode. It does not need to be disabled and if
there are denials they should be reported as a bug.
Log the current state of SELinux when starting, update the
documentation.
Resolves: rhbz#1654795
(cherry picked from commit 482d6277e0
)
This commit is contained in:
parent
4f373dcc10
commit
69df5f2362
@ -194,6 +194,8 @@ class Lorax(BaseLoraxClass):
|
||||
self.init_file_logging(logdir)
|
||||
|
||||
logger.debug("version is %s", vernum)
|
||||
log_selinux_state()
|
||||
|
||||
logger.debug("using work directory %s", self.workdir)
|
||||
logger.debug("using log directory %s", logdir)
|
||||
|
||||
@ -209,22 +211,6 @@ class Lorax(BaseLoraxClass):
|
||||
logger.critical("no root privileges")
|
||||
sys.exit(1)
|
||||
|
||||
# is selinux disabled?
|
||||
# With selinux in enforcing mode the rpcbind package required for
|
||||
# dracut nfs module, which is in turn required by anaconda module,
|
||||
# will not get installed, because it's preinstall scriptlet fails,
|
||||
# resulting in an incomplete initial ramdisk image.
|
||||
# The reason is that the scriptlet runs tools from the shadow-utils
|
||||
# package in chroot, particularly groupadd and useradd to add the
|
||||
# required rpc group and rpc user. This operation fails, because
|
||||
# the selinux context on files in the chroot, that the shadow-utils
|
||||
# tools need to access (/etc/group, /etc/passwd, /etc/shadow etc.),
|
||||
# is wrong and selinux therefore disallows access to these files.
|
||||
logger.info("checking the selinux mode")
|
||||
if selinux.is_selinux_enabled() and selinux.security_getenforce():
|
||||
logger.critical("selinux must be disabled or in Permissive mode")
|
||||
sys.exit(1)
|
||||
|
||||
# do we have a proper yum base object?
|
||||
logger.info("checking yum base object")
|
||||
if not isinstance(ybo, yum.YumBase):
|
||||
@ -384,3 +370,13 @@ def get_buildarch(ybo):
|
||||
sys.exit(1)
|
||||
|
||||
return buildarch
|
||||
|
||||
def log_selinux_state():
|
||||
"""Log the current state of selinux"""
|
||||
if selinux.is_selinux_enabled():
|
||||
if selinux.security_getenforce():
|
||||
logger.info("selinux is enabled and in Enforcing mode")
|
||||
else:
|
||||
logger.info("selinux is enabled and in Permissive mode")
|
||||
else:
|
||||
logger.info("selinux is Disabled")
|
||||
|
@ -240,14 +240,6 @@ def novirt_install(opts, disk_img, disk_size, repo_url, cancel_func=None):
|
||||
"""
|
||||
Use Anaconda to install to a disk image
|
||||
"""
|
||||
import selinux
|
||||
|
||||
# Set selinux to Permissive if it is Enforcing
|
||||
selinux_enforcing = False
|
||||
if selinux.is_selinux_enabled() and selinux.security_getenforce():
|
||||
selinux_enforcing = True
|
||||
selinux.security_setenforce(0)
|
||||
|
||||
# Clean up /tmp/ from previous runs to prevent stale info from being used
|
||||
for path in ["/tmp/yum.repos.d/", "/tmp/yum.cache/", "/tmp/yum.root/", "/tmp/yum.pluginconf.d/"]:
|
||||
if os.path.isdir(path):
|
||||
@ -320,9 +312,6 @@ def novirt_install(opts, disk_img, disk_size, repo_url, cancel_func=None):
|
||||
log.debug("Removing loop device for %s", disk_img)
|
||||
loop_detach("/dev/"+get_loop_name(disk_img))
|
||||
|
||||
if selinux_enforcing:
|
||||
selinux.security_setenforce(1)
|
||||
|
||||
if rc:
|
||||
raise InstallError("novirt_install failed")
|
||||
|
||||
|
@ -27,7 +27,7 @@ import os
|
||||
import sys
|
||||
import tempfile
|
||||
|
||||
from pylorax import vernum
|
||||
from pylorax import vernum, log_selinux_state
|
||||
from pylorax.creator import DRACUT_DEFAULT, run_creator
|
||||
from pylorax.imgutils import default_image_name
|
||||
from pylorax.sysutils import joinpaths
|
||||
@ -225,6 +225,7 @@ def main():
|
||||
setup_logging(opts)
|
||||
|
||||
log.info("livemedia-creator %s", vernum)
|
||||
log_selinux_state()
|
||||
log.debug( opts )
|
||||
|
||||
if os.getuid() != 0:
|
||||
|
@ -45,7 +45,7 @@ import yum
|
||||
# handler setup. We already set one up so we don't need it to run.
|
||||
yum.logginglevels._added_handlers = True
|
||||
import pylorax
|
||||
from pylorax import DRACUT_DEFAULT
|
||||
from pylorax import DRACUT_DEFAULT, log_selinux_state
|
||||
|
||||
VERSION = "{0}-{1}".format(os.path.basename(sys.argv[0]), pylorax.vernum)
|
||||
|
||||
@ -239,6 +239,7 @@ def main(args):
|
||||
if not os.path.exists(opts.tmp):
|
||||
os.makedirs(opts.tmp)
|
||||
|
||||
log_selinux_state()
|
||||
tempfile.tempdir = opts.tmp
|
||||
|
||||
# Remove any orphaned lorax tempdirs
|
||||
|
Loading…
Reference in New Issue
Block a user