anaconda indirectly creates this directory tree when it creates a Yum object
chrooted under /mnt/sysimage, so we need to ensure it gets the proper selinux
label.
---
pyanaconda/packages.py | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/pyanaconda/packages.py b/pyanaconda/packages.py
index 7d88d06..1384d1c 100644
--- a/pyanaconda/packages.py
+++ b/pyanaconda/packages.py
@@ -205,7 +205,7 @@ def setFileCons(anaconda):
vgs = ["/dev/%s" % vg.name for vg in anaconda.storage.vgs]
# ugh, this is ugly
- for dir in ["/etc/sysconfig/network-scripts", "/var/lib/rpm", "/etc/lvm", "/dev/mapper", "/etc/iscsi", "/var/lib/iscsi", "/root", "/var/log", "/etc/modprobe.d", "/etc/sysconfig" ] + vgs:
+ for dir in ["/etc/sysconfig/network-scripts", "/var/lib/rpm", "/etc/lvm", "/dev/mapper", "/etc/iscsi", "/var/lib/iscsi", "/root", "/var/log", "/etc/modprobe.d", "/etc/sysconfig", "/var/cache/yum" ] + vgs:
def addpath(x): return dir + "/" + x
if not os.path.isdir(anaconda.rootPath + dir):
--
1.7.1.1
_______________________________________________
Anaconda-devel-list mailing list
Anaconda-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/anaconda-devel-list
08-18-2010, 07:01 PM
Reset labels on /var/cache/yum as well (#623434).
> diff --git a/pyanaconda/packages.py b/pyanaconda/packages.py
> index 7d88d06..1384d1c 100644
> --- a/pyanaconda/packages.py
> +++ b/pyanaconda/packages.py
> @@ -205,7 +205,7 @@ def setFileCons(anaconda):
> vgs = ["/dev/%s" % vg.name for vg in anaconda.storage.vgs]
>
> # ugh, this is ugly
> - for dir in ["/etc/sysconfig/network-scripts", "/var/lib/rpm", "/etc/lvm", "/dev/mapper", "/etc/iscsi", "/var/lib/iscsi", "/root", "/var/log", "/etc/modprobe.d", "/etc/sysconfig" ] + vgs:
> + for dir in ["/etc/sysconfig/network-scripts", "/var/lib/rpm", "/etc/lvm", "/dev/mapper", "/etc/iscsi", "/var/lib/iscsi", "/root", "/var/log", "/etc/modprobe.d", "/etc/sysconfig", "/var/cache/yum" ] + vgs:
> def addpath(x): return dir + "/" + x
>
> if not os.path.isdir(anaconda.rootPath + dir):
This version won't recurse down through whatever's in /var/cache/yum.
Hold on, reworking.
- Chris
_______________________________________________
Anaconda-devel-list mailing list
Anaconda-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/anaconda-devel-list
08-19-2010, 06:34 PM
Chris Lumens
Reset labels on /var/cache/yum as well (#623434).
anaconda indirectly creates this directory tree when it creates a Yum object
chrooted under /mnt/sysimage, so we need to ensure it gets the proper selinux
label.
While I'm at it, fix a couple stupid things in how file context setting didn't
work:
(1) Make directory handling recursive, since who knows how much stuff is in
/var/cache/yum.
(2) Make globs check against /mnt/sysimage instead of /. Before, we were just
getting lucky with contexts since the networking files were all the same.
But we shouldn't rely on that luck continuing.
+import itertools
import glob
import iutil
import isys
@@ -186,41 +187,41 @@ def setupTimezone(anaconda):
# FIXME: this is a huge gross hack. hard coded list of files
# created by anaconda so that we can not be killed by selinux
def setFileCons(anaconda):
+ def contextCB(arg, directory, files):
+ for file in files:
+ path = os.path.join(directory, file)
+
+ if not os.access(path, os.R_OK):
+ log.warning("%s doesn't exist" % path)
+ continue
+
+ # If the path begins with rootPath, matchPathCon will never match
+ # anything because policy doesn't contain that path.
+ if path.startswith(anaconda.rootPath):
+ path = path.replace(anaconda.rootPath, "")
+
+ ret = isys.resetFileContext(path, anaconda.rootPath)
+ log.info("set fc of %s to %s" % (path, ret))
+
if flags.selinux:
log.info("setting SELinux contexts for anaconda created files")
- files = ["/etc/rpm/macros", "/etc/dasd.conf", "/etc/zfcp.conf",
- "/etc/lilo.conf.anaconda", "/lib64", "/usr/lib64",
- "/etc/blkid.tab", "/etc/blkid.tab.old",
- "/etc/mtab", "/etc/fstab", "/etc/resolv.conf",
- "/etc/modprobe.conf", "/etc/modprobe.conf~",
- "/var/log/wtmp", "/var/run/utmp", "/etc/crypttab",
- "/dev/log", "/var/lib/rpm", "/", "/etc/raidtab",
- "/etc/mdadm.conf", "/etc/sysconfig/network",
- "/etc/udev/rules.d/70-persistent-net.rules",
- "/root/install.log", "/root/install.log.syslog",
- "/etc/shadow", "/etc/shadow-", "/etc/gshadow"] +
- glob.glob('/etc/dhcp/dhclient-*.conf')
-
- vgs = ["/dev/%s" % vg.name for vg in anaconda.storage.vgs]
-
- # ugh, this is ugly
- for dir in ["/etc/sysconfig/network-scripts", "/var/lib/rpm", "/etc/lvm", "/dev/mapper", "/etc/iscsi", "/var/lib/iscsi", "/root", "/var/log", "/etc/modprobe.d", "/etc/sysconfig" ] + vgs:
- def addpath(x): return dir + "/" + x
-
- if not os.path.isdir(anaconda.rootPath + dir):
- continue
- dirfiles = os.listdir(anaconda.rootPath + dir)
- files.extend(map(addpath, dirfiles))
- files.append(dir)
+ # Add "/mnt/sysimage" to the front of every path so the glob works.
+ # Then run glob on each element of the list and flatten it into a
+ # single list we can run contextCB across.
+ files = itertools.chain(*map(lambda f: glob.glob("%s/%s" % (anaconda.rootPath, f)),
+ relabelFiles))
+ contextCB(None, "", files)
- for f in files:
- if not os.access("%s/%s" %(anaconda.rootPath, f), os.R_OK):
- log.warning("%s doesn't exist" %(f,))
- continue
- ret = isys.resetFileContext(os.path.normpath(f),
- anaconda.rootPath)
- log.info("set fc of %s to %s" %(f, ret))
+ for dir in relabelDirs + ["/dev/%s" % vg.name for vg in anaconda.storage.vgs]:
+ # Add "/mnt/sysimage" for similar reasons to above.
+ dir = "%s/%s" % (anaconda.rootPath, dir)
+
+ os.path.walk(dir, contextCB, None)
+
+ # os.path.walk won't include the directory we start walking at,
+ # so that needs its context set separtely.
+ contextCB(None, "", [dir])
return
--
1.7.1.1
_______________________________________________
Anaconda-devel-list mailing list
Anaconda-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/anaconda-devel-list
08-19-2010, 06:51 PM
"Brian C. Lane"
Reset labels on /var/cache/yum as well (#623434).
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 08/19/2010 11:34 AM, Chris Lumens wrote:
> anaconda indirectly creates this directory tree when it creates a Yum object
> chrooted under /mnt/sysimage, so we need to ensure it gets the proper selinux
> label.
>
> While I'm at it, fix a couple stupid things in how file context setting didn't
> work:
>
> (1) Make directory handling recursive, since who knows how much stuff is in
> /var/cache/yum.
>
> (2) Make globs check against /mnt/sysimage instead of /. Before, we were just
> getting lucky with contexts since the networking files were all the same.
> But we shouldn't rely on that luck continuing.
>
> (3) Move the file lists into constants.py.
Ack
- --
Brian C. Lane <bcl@redhat.com>
Red Hat / Port Orchard, WA
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)
Comment: Remember Lexington Green!
Reset labels on /var/cache/yum as well (#623434).
