05-16-2008, 07:19 PM
Eric Paris

livecd-creator and selinux, status at the end of week 1

I've spent pretty much all week flailing around trying to get
livecd-creator working with selinux enforcing with F10 as both the host
and the image. Next week begins the journey of working on making old
composes work on F10. Where do I stand? Well, it seems to work! I
booted an image and logged in.

Changes I've made so far (doesn't look like a whole lot for basically a
week of work....)

policycoreutils got some updates to allow users to be created in the
chroot (already built and in koji) and to make relabeling a little
better.

libselinux has no changes with my current approach. I do not want rpm
running inside the chroot to transition to rpm_t, nor do I want
scriptlets to run as rpm_script_t as then those scriptlets can cause
transitions to things like depmod_t which isn't going to have
permissions necessary to run with the possibly screwy labels inside the
chroot.

I added one rule to policy to allow hal to respond back to the chroot:
allow hald_t unconfined_notrans_t:dbus send_msg;

Create a fake /selinux inside the chroot; it contains:
mls -> copy from host
policyvers -> copy from host
enforce -> 0
load -> /dev/null
This means that from the point of view of the inside of the chroot
selinux is "on" but not enforcing. The not enforcing part is important
because some programs (passwd for example) try to determine if selinux
is going to permit something before it actually tries it. If passwd
realizes that selinux is enforcing but then it doesn't have a
real /selinux to make those decisions it gets mad. So I'm lying to the
chroot.

Changes to livecd-creator:
diff -Naupr imgcreate/creator.py imgcreate.new/creator.py
--- imgcreate/creator.py 2008-05-06 12:16:08.000000000 -0400
+++ imgcreate.new/creator.py 2008-05-16 13:01:05.000000000 -0400
@@ -22,6 +22,7 @@ import stat
import sys
import tempfile
import shutil
+import selinux

import yum
import rpm
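Review bot: the unconditional `import selinux` at the top of creator.py makes the whole module fail to import on a host without the python selinux bindings, even when the kickstart has SELinux disabled and the only use of the module is inside the `if kickstart.selinux_enabled(self.ks):` block added further down. Consider importing it lazily inside that block, or wrapping the import in `try: import selinux / except ImportError: selinux = None` and checking for None at the point of use.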
@@ -427,7 +428,7 @@ class ImageCreator(object):

self._mount_instroot(base_on)

- for d in ("/dev/pts", "/etc", "/boot", "/var/log", "/var/cache/yum"):
+ for d in ("/dev/pts", "/etc", "/boot", "/var/log", "/var/cache/yum", "/sys", "/proc"):
makedirs(self._instroot + d)

cachesrc = cachedir or (self.__builddir + "/yum-cache")
@@ -439,10 +440,6 @@ class ImageCreator(object):
(cachesrc, "/var/cache/yum")]:
self.__bindmounts.append(BindChrootMount(f, self._instroot, dest))

- # /selinux should only be mounted if selinux is enabled (enforcing or permissive)
- if kickstart.selinux_enabled(self.ks):
- self.__bindmounts.append(BindChrootMount("/selinux", self._instroot, None))
-
# Create minimum /dev
origumask = os.umask(0000)
devices = [('null', 1, 3, 0666),
@@ -460,6 +457,20 @@ class ImageCreator(object):
os.symlink('/proc/self/fd/2', self._instroot + "/dev/stderr")
os.umask(origumask)

+ # selinux whoo hooo
+ if kickstart.selinux_enabled(self.ks):
+ makedirs(self._instroot + "/selinux")
+ # this should actually create our new fake /selinux, not bind from the host, though i haven't decided how
+ self.__bindmounts.append(BindChrootMount("/selinux1", self._instroot, "/selinux"))
+
+ # label the fs like it is a root before the bind mounting
+ cmd = "/sbin/setfiles -F -r %s %s %s" % (self._instroot, selinux.selinux_file_context_path(), self._instroot)
+ os.system(cmd)
+ # these dumb things don't get magically fixed, so make the user generic
+ for f in ["/proc", "/sys", "/selinux"]:
+ cmd = "chcon -u system_u %s" % (self._instroot + f)
+ os.system(cmd)
+
self._do_bindmounts()

os.symlink("../proc/mounts", self._instroot + "/etc/mtab")
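Review bot: the two `os.system(cmd)` calls build shell command lines by `%`-formatting `self._instroot` and the file_contexts path, so an instroot containing whitespace or shell metacharacters breaks the command, and both return codes are discarded, so a failed `setfiles` relabel goes unnoticed. Use an argv list and check the result, e.g. `subprocess.check_call(["/sbin/setfiles", "-F", "-r", self._instroot, selinux.selinux_file_context_path(), self._instroot])`, matching the `self.call([...])` style kickstart.py already uses. Two further points on the same block: `"/selinux1"` is a hard-coded host path that the inline comment itself marks as a stand-in for a generated fake /selinux, and `selinux.selinux_file_context_path()` returns the host's file_contexts, so the labels only match the image when host and image policy agree (the F10-on-F10 case the message describes).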
diff -Naupr imgcreate/kickstart.py imgcreate.new/kickstart.py
--- imgcreate/kickstart.py 2008-05-06 12:16:08.000000000 -0400
+++ imgcreate.new/kickstart.py 2008-05-15 10:10:40.000000000 -0400
@@ -372,11 +372,11 @@ class SelinuxConfig(KickstartConfig):

if ksselinux.selinux == ksconstants.SELINUX_DISABLED:
return
- if not os.path.exists(self.path("/sbin/restorecon")):
+ if os.path.exists(self.path("/sbin/restorecon")):
+ self.call(["/sbin/restorecon", "-l", "-v", "-r", "-F", "-e", "/proc", "-e", "/sys", "-e", "/dev", "-e", "/selinux", "/"])
+ else:
return

- self.call(["/sbin/restorecon", "-l", "-v", "-r", "/"])
-
def apply(self, ksselinux):
if os.path.exists(self.path("/usr/sbin/lokkit")):
args = ["/usr/sbin/lokkit", "-f", "--quiet", "--nostart"]
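Review bot: the rewritten condition turns the early-return guard into `if os.path.exists(...): self.call(...) else: return`, which is harder to read than the original; keep `if not os.path.exists(self.path("/sbin/restorecon")): return` and place the new restorecon invocation after it. The substantive change is the new argument list: `-F` forces the relabel, and the `-e /proc -e /sys -e /dev -e /selinux` exclusions keep restorecon from descending into the bind-mounted host filesystems, which is worth stating in the commit message.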


--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list
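As an added example (not Eric's code and not part of livecd-creator), here is one way to build the fake /selinux the post describes, so a program inside the chroot reads SELinux as enabled but not enforcing. The host selinuxfs is a constructed temp directory standing in for the real /selinux, and the helper names and the choice of a symlink for `load -> /dev/null` are assumptions of this example.

```python
import os
import tempfile

# Fake /selinux per the post: mls and policyvers copied from the host,
# enforce forced to 0, load pointed at /dev/null.
COPIED_FROM_HOST = ("mls", "policyvers")

def _read(path):
    with open(path) as fh:
        return fh.read().strip()

def _write(path, value):
    with open(path, "w") as fh:
        fh.write(value)

def make_fake_selinuxfs(host_selinuxfs, instroot):
    """Hypothetical helper (not livecd-creator's code): build <instroot>/selinux."""
    fake = os.path.join(instroot, "selinux")
    os.makedirs(fake, exist_ok=True)
    for name in COPIED_FROM_HOST:
        _write(os.path.join(fake, name), _read(os.path.join(host_selinuxfs, name)))
    # enforce -> 0: tools such as passwd pre-check access against this file
    # and would refuse if they believed the chroot was enforcing.
    _write(os.path.join(fake, "enforce"), "0")
    # load -> /dev/null: a policy load from inside the chroot is swallowed;
    # the symlink resolves to the chroot's own /dev/null, not the host's.
    os.symlink("/dev/null", os.path.join(fake, "load"))
    return fake

def chroot_view(instroot):
    """The state a program inside the chroot would read from /selinux."""
    fake = os.path.join(instroot, "selinux")
    return {
        "enabled": os.path.isdir(fake),
        "enforcing": _read(os.path.join(fake, "enforce")) == "1",
        "mls": _read(os.path.join(fake, "mls")),
        "policyvers": _read(os.path.join(fake, "policyvers")),
        "load_target": os.readlink(os.path.join(fake, "load")),
    }

def demo():
    """Constructed host selinuxfs (stands in for the real /selinux) in a temp dir."""
    work = tempfile.mkdtemp()
    host = os.path.join(work, "host-selinux")
    os.makedirs(host)
    for name, value in (("mls", "1"), ("policyvers", "23"), ("enforce", "1")):
        _write(os.path.join(host, name), value + "\n")
    instroot = os.path.join(work, "instroot")
    make_fake_selinuxfs(host, instroot)
    # Only the chroot is lied to: the host's enforce file is left at "1".
    return chroot_view(instroot), _read(os.path.join(host, "enforce"))
```

The real creator would pass its `_instroot` and the host's `/selinux` instead of the constructed directory, after the `/dev/null` node in the chroot exists.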