Remove SELinux Permissive checks

Anaconda, Lorax, lorax-composer, and livemedia-creator can all now run with SELinux in Enforcing mode. It does not need to be disabled and if there are denials they should be reported as a bug. Log the current state of SELinux when starting, update the documentation. Resolves: rhbz#1654795 (cherry picked from commit 482d6277e0)
2018-11-14 11:58:12 -08:00 · 2018-11-14 11:58:12 -08:00 · 69df5f2362
parent 4f373dcc10
commit 69df5f2362
4 changed files with 16 additions and 29 deletions
--- a/src/pylorax/init.py
+++ b/src/pylorax/init.py
@ -194,6 +194,8 @@ class Lorax(BaseLoraxClass):
        self.init_file_logging(logdir)

        logger.debug("version is %s", vernum)
+        log_selinux_state()
+
        logger.debug("using work directory %s", self.workdir)
        logger.debug("using log directory %s", logdir)

@ -209,22 +211,6 @@ class Lorax(BaseLoraxClass):
            logger.critical("no root privileges")
            sys.exit(1)

-        # is selinux disabled?
-        # With selinux in enforcing mode the rpcbind package required for
-        # dracut nfs module, which is in turn required by anaconda module,
-        # will not get installed, because it's preinstall scriptlet fails,
-        # resulting in an incomplete initial ramdisk image.
-        # The reason is that the scriptlet runs tools from the shadow-utils
-        # package in chroot, particularly groupadd and useradd to add the
-        # required rpc group and rpc user. This operation fails, because
-        # the selinux context on files in the chroot, that the shadow-utils
-        # tools need to access (/etc/group, /etc/passwd, /etc/shadow etc.),
-        # is wrong and selinux therefore disallows access to these files.
-        logger.info("checking the selinux mode")
-        if selinux.is_selinux_enabled() and selinux.security_getenforce():
-            logger.critical("selinux must be disabled or in Permissive mode")
-            sys.exit(1)
-
        # do we have a proper yum base object?
        logger.info("checking yum base object")
        if not isinstance(ybo, yum.YumBase):
@ -384,3 +370,13 @@ def get_buildarch(ybo):
        sys.exit(1)

    return buildarch
+
+def log_selinux_state():
+    """Log the current state of selinux"""
+    if selinux.is_selinux_enabled():
+        if selinux.security_getenforce():
+            logger.info("selinux is enabled and in Enforcing mode")
+        else:
+            logger.info("selinux is enabled and in Permissive mode")
+    else:
+        logger.info("selinux is Disabled")
--- a/src/pylorax/installer.py
+++ b/src/pylorax/installer.py
@ -240,14 +240,6 @@ def novirt_install(opts, disk_img, disk_size, repo_url, cancel_func=None):
    """
    Use Anaconda to install to a disk image
    """
-    import selinux
-
-    # Set selinux to Permissive if it is Enforcing
-    selinux_enforcing = False
-    if selinux.is_selinux_enabled() and selinux.security_getenforce():
-        selinux_enforcing = True
-        selinux.security_setenforce(0)
-
    # Clean up /tmp/ from previous runs to prevent stale info from being used
    for path in ["/tmp/yum.repos.d/", "/tmp/yum.cache/", "/tmp/yum.root/", "/tmp/yum.pluginconf.d/"]:
        if os.path.isdir(path):
@ -320,9 +312,6 @@ def novirt_install(opts, disk_img, disk_size, repo_url, cancel_func=None):
            log.debug("Removing loop device for %s", disk_img)
            loop_detach("/dev/"+get_loop_name(disk_img))

-    if selinux_enforcing:
-        selinux.security_setenforce(1)
-
    if rc:
        raise InstallError("novirt_install failed")

--- a/src/sbin/livemedia-creator
+++ b/src/sbin/livemedia-creator
@ -27,7 +27,7 @@ import os
 import sys
 import tempfile

-from pylorax import vernum
+from pylorax import vernum, log_selinux_state
 from pylorax.creator import DRACUT_DEFAULT, run_creator
 from pylorax.imgutils import default_image_name
 from pylorax.sysutils import joinpaths
@ -225,6 +225,7 @@ def main():
    setup_logging(opts)

    log.info("livemedia-creator %s", vernum)
+    log_selinux_state()
    log.debug( opts )

    if os.getuid() != 0:
--- a/src/sbin/lorax
+++ b/src/sbin/lorax
@ -45,7 +45,7 @@ import yum
 # handler setup.  We already set one up so we don't need it to run.
 yum.logginglevels._added_handlers = True
 import pylorax
-from pylorax import DRACUT_DEFAULT
+from pylorax import DRACUT_DEFAULT, log_selinux_state

 VERSION = "{0}-{1}".format(os.path.basename(sys.argv[0]), pylorax.vernum)

@ -239,6 +239,7 @@ def main(args):
    if not os.path.exists(opts.tmp):
        os.makedirs(opts.tmp)

+    log_selinux_state()
    tempfile.tempdir = opts.tmp

    # Remove any orphaned lorax tempdirs