From 69df5f2362f354a4dfbe238f95f52f5026cca6f0 Mon Sep 17 00:00:00 2001
From: "Brian C. Lane"
Date: Wed, 14 Nov 2018 11:58:12 -0800
Subject: [PATCH] Remove SELinux Permissive checks
Anaconda, Lorax, lorax-composer, and livemedia-creator can all now run with SELinux in Enforcing mode. It does not need to be disabled and if there are denials they should be reported as a bug. Log the current state of SELinux when starting, update the documentation.
Resolves: rhbz#1654795
(cherry picked from commit 482d6277e0afa85f1a7ff7deb6976a078292224a)
---
 src/pylorax/__init__.py | 28 ++++++++++++----------------
 src/pylorax/installer.py | 11 -----------
 src/sbin/livemedia-creator | 3 ++-
 src/sbin/lorax | 3 ++-
 4 files changed, 16 insertions(+), 29 deletions(-)
diff --git a/src/pylorax/__init__.py b/src/pylorax/__init__.py
index 04d13610..114ea505 100644
--- a/src/pylorax/__init__.py
+++ b/src/pylorax/__init__.py
@@ -194,6 +194,8 @@ class Lorax(BaseLoraxClass):
 self.init_file_logging(logdir)
 logger.debug("version is %s", vernum)
+ log_selinux_state()
+
 logger.debug("using work directory %s", self.workdir)
 logger.debug("using log directory %s", logdir)
@@ -209,22 +211,6 @@ class Lorax(BaseLoraxClass):
 logger.critical("no root privileges")
 sys.exit(1)
- # is selinux disabled?
- # With selinux in enforcing mode the rpcbind package required for
- # dracut nfs module, which is in turn required by anaconda module,
- # will not get installed, because it's preinstall scriptlet fails,
- # resulting in an incomplete initial ramdisk image.
- # The reason is that the scriptlet runs tools from the shadow-utils
- # package in chroot, particularly groupadd and useradd to add the
- # required rpc group and rpc user. This operation fails, because
- # the selinux context on files in the chroot, that the shadow-utils
- # tools need to access (/etc/group, /etc/passwd, /etc/shadow etc.),
- # is wrong and selinux therefore disallows access to these files.
- logger.info("checking the selinux mode")
- if selinux.is_selinux_enabled() and selinux.security_getenforce():
- logger.critical("selinux must be disabled or in Permissive mode")
- sys.exit(1)
-
 # do we have a proper yum base object?
 logger.info("checking yum base object")
 if not isinstance(ybo, yum.YumBase):
@@ -384,3 +370,13 @@ def get_buildarch(ybo):
 sys.exit(1)
 return buildarch
+
+def log_selinux_state():
+ """Log the current state of selinux"""
+ if selinux.is_selinux_enabled():
+ if selinux.security_getenforce():
+ logger.info("selinux is enabled and in Enforcing mode")
+ else:
+ logger.info("selinux is enabled and in Permissive mode")
+ else:
+ logger.info("selinux is Disabled")
diff --git a/src/pylorax/installer.py b/src/pylorax/installer.py
index 91423692..486201a1 100644
--- a/src/pylorax/installer.py
+++ b/src/pylorax/installer.py
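Review bot: log_selinux_state() in the third hunk of src/pylorax/__init__.py treats any truthy return from selinux.security_getenforce() as Enforcing and has no path for a failed query; the C call returns -1 on failure and the Python binding appears to convert negative returns into OSError (confirm against the installed libselinux bindings), so a purely informational line could either report "Enforcing" for a state it could not read or abort the caller with a traceback. Since the point of the commit is that the tools no longer depend on the mode, the query should be wrapped so a failure is logged as a warning and the caller continues, as sketched below. The docstring should also state that the function only reports and never changes the mode, e.g. `"""Log the current state of selinux (informational only; never changes the mode)"""`, so nobody later mistakes it for the removed enforce check.
```python
def log_selinux_state():
    """Log the current state of selinux (informational only; never changes the mode)"""
    try:
        enabled = selinux.is_selinux_enabled()
        enforcing = selinux.security_getenforce() if enabled else 0
    except OSError as e:
        # A failed query must not stop the build: the state is only reported.
        logger.warning("unable to determine selinux state: %s", e)
        return
    if not enabled:
        logger.info("selinux is Disabled")
    elif enforcing > 0:
        logger.info("selinux is enabled and in Enforcing mode")
    else:
        logger.info("selinux is enabled and in Permissive mode")
```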
@@ -240,14 +240,6 @@ def novirt_install(opts, disk_img, disk_size, repo_url, cancel_func=None):
 """
 Use Anaconda to install to a disk image
 """
- import selinux
-
- # Set selinux to Permissive if it is Enforcing
- selinux_enforcing = False
- if selinux.is_selinux_enabled() and selinux.security_getenforce():
- selinux_enforcing = True
- selinux.security_setenforce(0)
-
 # Clean up /tmp/ from previous runs to prevent stale info from being used
 for path in ["/tmp/yum.repos.d/", "/tmp/yum.cache/", "/tmp/yum.root/", "/tmp/yum.pluginconf.d/"]:
 if os.path.isdir(path):
@@ -320,9 +312,6 @@ def novirt_install(opts, disk_img, disk_size, repo_url, cancel_func=None):
 log.debug("Removing loop device for %s", disk_img)
 loop_detach("/dev/"+get_loop_name(disk_img))
- if selinux_enforcing:
- selinux.security_setenforce(1)
-
 if rc:
 raise InstallError("novirt_install failed")
diff --git a/src/sbin/livemedia-creator b/src/sbin/livemedia-creator
index 555c007e..dd8027db 100755
--- a/src/sbin/livemedia-creator
+++ b/src/sbin/livemedia-creator
@@ -27,7 +27,7 @@ import os
 import sys
 import tempfile
-from pylorax import vernum
+from pylorax import vernum, log_selinux_state
 from pylorax.creator import DRACUT_DEFAULT, run_creator
 from pylorax.imgutils import default_image_name
 from pylorax.sysutils import joinpaths
@@ -225,6 +225,7 @@ def main():
 setup_logging(opts)
 log.info("livemedia-creator %s", vernum)
+ log_selinux_state()
 log.debug( opts )
 if os.getuid() != 0:
diff --git a/src/sbin/lorax b/src/sbin/lorax
index eacdecc5..86f15d8b 100755
--- a/src/sbin/lorax
+++ b/src/sbin/lorax
@@ -45,7 +45,7 @@ import yum
 # handler setup. We already set one up so we don't need it to run.
 yum.logginglevels._added_handlers = True
 import pylorax
-from pylorax import DRACUT_DEFAULT
+from pylorax import DRACUT_DEFAULT, log_selinux_state
 VERSION = "{0}-{1}".format(os.path.basename(sys.argv[0]), pylorax.vernum)
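Review bot: The docstring of novirt_install (first hunk of src/pylorax/installer.py) still says only `Use Anaconda to install to a disk image`, but the function's contract has changed in a way callers care about: it no longer switches the host to Permissive for the duration of the install (the security_setenforce(0)/security_setenforce(1) pair removed here and in the second hunk), so a caller running under Enforcing now runs the whole install under the host's policy. That is the safer behaviour and worth stating in the docstring, e.g. `Runs under the host's current SELinux mode, which is never changed; denials are bugs to report, not to work around.` The removed `import selinux` was function-local, so nothing else in installer.py should need it, but the rest of novirt_install lies outside both hunks, so a quick check for other selinux references is warranted. novirt_install starts at this hunk's header and continues past the second hunk.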
@@ -239,6 +239,7 @@ def main(args):
 if not os.path.exists(opts.tmp):
 os.makedirs(opts.tmp)
+ log_selinux_state()
 tempfile.tempdir = opts.tmp
 # Remove any orphaned lorax tempdirs
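Review bot: In src/sbin/lorax the new `log_selinux_state()` call sits between `os.makedirs(opts.tmp)` and `tempfile.tempdir = opts.tmp`, two lines it has nothing to do with, whereas livemedia-creator (its second hunk above) places the call directly after its version line; putting it next to lorax's own startup/version log line would keep the two front-ends consistent and make the state easy to find at the top of the log. The Lorax method patched in the first hunk of src/pylorax/__init__.py also calls log_selinux_state(), so a lorax run presumably records the state twice, once here and again when the Lorax object is configured; if that is the case one of the two calls can go. Whether logging handlers are already installed at this point of main(args) cannot be seen from the hunk — confirm the line is not emitted before setup has run.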