Old 05-16-2008, 07:31 PM
Jesse Keating
 
Default livecd-creator and selinux, status at the end of week 1

On Fri, 2008-05-16 at 15:19 -0400, Eric Paris wrote:
> I've spent pretty much all week flailing around trying to get
> livecd-creator working with selinux enforcing with F10 as both the host
> and the image. Next week begins the journey of working on making old
> composes work on F10. Where do I stand? Well, it seems to work! I
> booted an image and logged in.

This is pretty awesome Eric, I'm glad the work is going on for this.

I'll have to admit though, our biggest target right now is to be able to
use RHEL5 to create F10 live images, as well as using RHEL5 to create
f10 traditional install trees. For the latter, we currently /have/ to
use mock so that the userland package set matches that which we're
trying to compose (IE F10's yum is used, F10's anaconda is used, etc...)

Let me know how we can help!

--
Jesse Keating
Fedora -- Freedom² is a feature!
--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list
 
Old 05-19-2008, 01:11 PM
David Huff
 
Default livecd-creator and selinux, status at the end of week 1

Eric Paris wrote:
| I've spent pretty much all week flailing around trying to get
| livecd-creator working with selinux enforcing with F10 as both the host
| and the image. Next week begins the journey of working on making old
| composes work on F10. Where do I stand? Well, it seems to work! I
| booted an image and logged in.
|


I have seen similar issues with the appliance-tools I'm working on
(thincrust.net). One thing I have noticed is that kickstart.py only
likes crypted passwds, so make sure you use the --iscrypted option in
the ks file.

I have also noticed another problem, if you set selinux disabled via the
kickstart and try to set no root passwd, by excluding a rootpw
line in the ks, you get an error similar to:

"only root can do that"

I think this is due to selinux context on the host you are
building the image on. I saw this running a F9 client on a F9 host,
from your post on Friday, I will try generating a rawhide image on a
rawhide host and see if I have similar results.

-D


--
David Huff
Red Hat, Raleigh, NC
Mobile: 919-796-3553
Office: 919-754-4129

GPG Key ID: 6A20BBF7
GPG Fingerprint: FE13 8AF6 0E58 D92E A4E1 2D0A 71C1 CADF 6A20 BBF7

 
Old 05-19-2008, 01:34 PM
Eric Paris
 
Default livecd-creator and selinux, status at the end of week 1

On Mon, 2008-05-19 at 09:11 -0400, David Huff wrote:
> Eric Paris wrote:
> | I've spent pretty much all week flailing around trying to get
> | livecd-creator working with selinux enforcing with F10 as both the host
> | and the image. Next week begins the journey of working on making old
> | composes work on F10. Where do I stand? Well, it seems to work! I
> | booted an image and logged in.
> |
>
>
> I have seen similar issues with the appliance-tools I'm working on
> (thincrust.net). One thing I have noticed is that kickstart.py only
> likes crypted passwds, so make sure you use the --iscrypted option in
> the ks file.
>
> I have also noticed another problem, if you set selinux disabled via the
> kickstart and try to set no root passwd, by excluding a rootpw
> line in the ks, you get an error similar to:
>
> "only root can do that"
>
> I think this is due to selinux context on the host you are
> building the image on. I saw this running a F9 client on a F9 host,
> from your post on Friday, I will try generating a rawhide image on a
> rawhide host and see if I have similar results.

If you wouldn't mind opening a BZ, for now let's open it against
libselinux, assign it to me and let me know all of the problems you have
run into involving passwd. I think I understand all of that cruft now.
-Eric

Old 05-19-2008, 07:14 PM
Eric Paris
 
Default livecd-creator and selinux, status at the end of week 1

On Fri, 2008-05-16 at 15:19 -0400, Eric Paris wrote:
> I've spent pretty much all week flailing around trying to get
> livecd-creator working with selinux enforcing with F10 as both the host
> and the image. Next week begins the journey of working on making old
> composes work on F10. Where do I stand? Well, it seems to work! I
> booted an image and logged in.

Today I tried flipping my repos to point at F7 and tried to build.
Didn't see any selinux messages but crap still hit the fan on boot
(eventual kernel panic complaining about no root and killing init)

Anyway, I also decided to see what would happen if I flipped my
kickstart file to selinux --disabled while leaving the system enforcing.
Sorta boom. Installing selinux-policy-targeted got really pissed off:

libsepol.policydb_write: Discarding booleans and conditional rules
libsepol.policydb_write: Discarding booleans and conditional rules
libsepol.context_read_and_validate: invalid security context
libsepol.policydb_to_image: new policy image is invalid
libsepol.policydb_to_image: could not create policy image
/usr/sbin/load_policy: Can't load policy: No such file or directory
libsemanage.semanage_reload_policy: load_policy returned error code 2.
libsemanage.semanage_install_active: Could not
copy /etc/selinux/targeted/modules/active/policy.kern
to /etc/selinux/targeted/policy/policy.21.

But something tells me it's still going to work just fine once the build
finishes. Anyway.

-Eric

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
Old 05-19-2008, 07:30 PM
Stephen Smalley
 
Default livecd-creator and selinux, status at the end of week 1

On Mon, 2008-05-19 at 15:14 -0400, Eric Paris wrote:
> On Fri, 2008-05-16 at 15:19 -0400, Eric Paris wrote:
> > I've spent pretty much all week flailing around trying to get
> > livecd-creator working with selinux enforcing with F10 as both the host
> > and the image. Next week begins the journey of working on making old
> > composes work on F10. Where do I stand? Well, it seems to work! I
> > booted an image and logged in.
>
> Today I tried flipping my repos to point at F7 and tried to build.
> Didn't see any selinux messages but crap still hit the fan on boot
> (eventual kernel panic complaining about no root and killing init)

So the interesting question there is whether the image was missing files
or just mislabeled?

> Anyway, I also decided to see what would happen if I flipped my
> kickstart file to selinux --disabled while leaving the system enforcing.
> Sorta boom. Installing selinux-policy-targeted got really pissed off:
>
> libsepol.policydb_write: Discarding booleans and conditional rules
> libsepol.policydb_write: Discarding booleans and conditional rules
> libsepol.context_read_and_validate: invalid security context
> libsepol.policydb_to_image: new policy image is invalid
> libsepol.policydb_to_image: could not create policy image
> /usr/sbin/load_policy: Can't load policy: No such file or directory
> libsemanage.semanage_reload_policy: load_policy returned error code 2.
> libsemanage.semanage_install_active: Could not
> copy /etc/selinux/targeted/modules/active/policy.kern
> to /etc/selinux/targeted/policy/policy.21.

If you are going to build a selinux disabled image, then I assume you'd
want to fake the chroot into seeing SELinux as disabled too so that it
doesn't try to do things like load policy (as above). Which would mean
bind mounting a file over /proc/filesystems in the chroot to obscure the
presence of selinuxfs.

> But something tells me it's still going to work just fine once the build
> finishes. Anyway.

--
Stephen Smalley
National Security Agency
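
The bind mount described in the message above, as an added example that is not part of the original thread or of livecd-creator. The function names and the mask-file argument are hypothetical; it assumes root privileges and that /proc is already mounted inside the chroot.

```shell
#!/bin/sh
# Added example: hide selinuxfs from a build chroot by masking
# /proc/filesystems. All function names here are hypothetical.

# Copy a /proc/filesystems listing from stdin to stdout without the
# selinuxfs entry. Lines look like "nodev<TAB>selinuxfs" or "<TAB>ext3".
strip_selinuxfs() {
    awk '$NF != "selinuxfs"'
}

# Exit 0 if the listing on stdin still advertises selinuxfs, 1 otherwise.
advertises_selinuxfs() {
    awk '$NF == "selinuxfs" { found = 1 } END { exit !found }'
}

# hide_selinuxfs CHROOT MASKFILE
# Write a filtered copy of the chroot's /proc/filesystems to MASKFILE
# (a path on the host, outside the image) and bind mount it over the
# original, then verify that the chroot no longer sees selinuxfs.
hide_selinuxfs() {
    chroot_dir=$1
    mask=$2
    if [ ! -r "$chroot_dir/proc/filesystems" ]; then
        echo "mount /proc inside $chroot_dir first" >&2
        return 1
    fi
    strip_selinuxfs < "$chroot_dir/proc/filesystems" > "$mask" || return 1
    mount --bind "$mask" "$chroot_dir/proc/filesystems" || return 1
    if advertises_selinuxfs < "$chroot_dir/proc/filesystems"; then
        echo "selinuxfs is still visible inside $chroot_dir" >&2
        return 1
    fi
}

# unhide_selinuxfs CHROOT MASKFILE
# Undo the bind mount before /proc itself is unmounted, then drop the mask.
unhide_selinuxfs() {
    umount "$1/proc/filesystems" && rm -f "$2"
}

# Constructed sample of /proc/filesystems content, for trying the filters
# without root: sample_filesystems | strip_selinuxfs
sample_filesystems() {
    printf 'nodev\tsysfs\nnodev\tproc\nnodev\tselinuxfs\n\text3\nnodev\ttmpfs\n'
}
```

Call `hide_selinuxfs` after /proc is mounted in the chroot and before packages are installed, and `unhide_selinuxfs` before the chroot's /proc is unmounted.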

Old 05-19-2008, 07:41 PM
Eric Paris
 
Default livecd-creator and selinux, status at the end of week 1

On Mon, 2008-05-19 at 15:30 -0400, Stephen Smalley wrote:
> On Mon, 2008-05-19 at 15:14 -0400, Eric Paris wrote:
> > On Fri, 2008-05-16 at 15:19 -0400, Eric Paris wrote:
> > > I've spent pretty much all week flailing around trying to get
> > > livecd-creator working with selinux enforcing with F10 as both the host
> > > and the image. Next week begins the journey of working on making old
> > > composes work on F10. Where do I stand? Well, it seems to work! I
> > > booted an image and logged in.
> >
> > Today I tried flipping my repos to point at F7 and tried to build.
> > Didn't see any selinux messages but crap still hit the fan on boot
> > (eventual kernel panic complaining about no root and killing init)
>
> So the interesting question there is whether the image was missing files
> or just mislabeled?

Well in the F8 example kickstart I see this bit of craziness:

# make the initrd we care about
rm -f /boot/initrd*.img
cp /etc/sysconfig/mkinitrd /etc/mayflower.conf
ver=`ls /boot/vmlinuz* |head -n 1 |sed -e 's;/boot/vmlinuz-;;'`
/usr/lib/livecd-creator/mayflower -f /boot/initrd-$ver.img $ver
rm -f /etc/mayflower.conf

which leads me to believe F7 probably needs something similar that I
don't have with my basically blank kickstart file.

-Eric
