Alan Pevec
2008-Sep-23 17:23 UTC
[Ovirt-devel] [PATCH ovirt-node-image] do not require SELinux build host if disabled in kickstart
Signed-off-by: Alan Pevec <apevec at redhat.com> --- ovirt-node-image.spec.in | 18 +++++++++++++----- 1 files changed, 13 insertions(+), 5 deletions(-) diff --git a/ovirt-node-image.spec.in b/ovirt-node-image.spec.in index 6483fe4..838ff43 100644 --- a/ovirt-node-image.spec.in +++ b/ovirt-node-image.spec.in @@ -59,15 +59,23 @@ mkdir -p %{ovirt_cache_dir}/node-image-tmp mkdir -p %{ovirt_cache_dir}/yum sudo su - -c "cd $(pwd) && - case $(cat /selinux/enforce 2>/dev/null) in - 1) enforcing=1 ; setenforce 0 ;; - 0) enforcing=0 ;; - *) echo SELinux must be enabled; exit 1 ;; + enforcing=$(cat /selinux/enforce 2>/dev/null) + case x\$enforcing in + x1) setenforce 0 ;; + x0) ;; + *) if ksflatten %{name}.ks 2>/dev/null \ + | grep -q 'selinux --disabled'; then + echo WARNING: SELinux disabled in kickstart + else + echo ERROR: SELinux enabled in kickstart, \ + but disabled on the build machine + exit 1 + fi ;; esac livecd-creator --skip-minimize -c %{name}.ks -f %{name} \ --tmpdir='%{ovirt_cache_dir}/node-image-tmp' \ --cache='%{ovirt_cache_dir}/yum' - setenforce \$enforcing" + setenforce \$enforcing 2>/dev/null" sudo su - -c "cd $(pwd) && ./ovirt-pxe %{name}.iso" sudo su - -c "cd $(pwd) && chown -R $USER ." -- 1.5.5.1
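Review bot: The final `setenforce \$enforcing 2>/dev/null` also runs on the `*)` path that only prints the WARNING, where `$enforcing` is empty, so `setenforce` is called with no argument and the redirect hides the resulting error. The same redirect also hides a real failure to restore enforcing mode after `setenforce 0` on the `x1)` path, which would leave the build host permissive with no diagnostic. Restore only when the mode was actually changed and keep stderr, for example `test x\$enforcing = x1 && setenforce 1`. Separately, `grep -q 'selinux --disabled'` is unanchored, so a commented-out line or the same string inside another command would take the WARNING path; anchoring it at the start of the line with `^[[:space:]]*selinux` avoids that.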
Jim Meyering
2008-Sep-23 18:38 UTC
[Ovirt-devel] [PATCH ovirt-node-image] do not require SELinux build host if disabled in kickstart
Alan Pevec <apevec at redhat.com> wrote:

> Signed-off-by: Alan Pevec <apevec at redhat.com> > --- > ovirt-node-image.spec.in | 18 +++++++++++++----- > 1 files changed, 13 insertions(+), 5 deletions(-) > > diff --git a/ovirt-node-image.spec.in b/ovirt-node-image.spec.in > index 6483fe4..838ff43 100644 > --- a/ovirt-node-image.spec.in > +++ b/ovirt-node-image.spec.in > @@ -59,15 +59,23 @@ mkdir -p %{ovirt_cache_dir}/node-image-tmp > mkdir -p %{ovirt_cache_dir}/yum > > sudo su - -c "cd $(pwd) && > - case $(cat /selinux/enforce 2>/dev/null) in > - 1) enforcing=1 ; setenforce 0 ;; > - 0) enforcing=0 ;; > - *) echo SELinux must be enabled; exit 1 ;; > + enforcing=$(cat /selinux/enforce 2>/dev/null) > + case x\$enforcing in > + x1) setenforce 0 ;; > + x0) ;; > + *) if ksflatten %{name}.ks 2>/dev/null \ > + | grep -q 'selinux --disabled'; then

Probably won't ever matter, but... you could add '^[[:space:]]', in case there's ever leading spaces, it's #-commented (if ksflatten doesn't eliminate those), or that string happens to occur within some other construct, like a grep argument ;-)

    | grep -q '^[[:space:]]*selinux[[:space:]]*--disabled'; then

> + echo WARNING: SELinux disabled in kickstart > + else > + echo ERROR: SELinux enabled in kickstart, \ > + but disabled on the build machine > + exit 1 > + fi ;; > esac > livecd-creator --skip-minimize -c %{name}.ks -f %{name} \ > --tmpdir='%{ovirt_cache_dir}/node-image-tmp' \ > --cache='%{ovirt_cache_dir}/yum' > - setenforce \$enforcing" > + setenforce \$enforcing 2>/dev/null"

I'd prefer not to discard setenforce diagnostics, and to run it only if necessary, so how about invoking it only when $enforcing is 1?

    test x\$enforcing = x1 && setenforce 1"
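The difference between the patch's pattern and the anchored one suggested in the reply above, shown as an added example that is not part of the thread or of the oVirt code. The kickstart fragments are constructed stand-ins for `ksflatten` output, and `build_gate`, `loose` and `strict` are hypothetical helpers that mirror the `case` statement in the patch.

```shell
#!/bin/sh
# Constructed kickstart fragments for illustration (not from the oVirt tree).
ks_disabled='lang en_US.UTF-8
   selinux --disabled'
ks_commented='# selinux --disabled
selinux --enforcing'
ks_embedded='selinux --enforcing
%post
grep -q "selinux --disabled" /root/ks.cfg
%end'

# Pattern used in the patch: matches the string anywhere on a line.
loose()  { printf '%s\n' "$1" | grep -q 'selinux --disabled'; }
# Anchored pattern from the reply: only a real selinux directive matches.
strict() { printf '%s\n' "$1" | grep -q '^[[:space:]]*selinux[[:space:]]*--disabled'; }

# build_gate ENFORCE KICKSTART MATCHER  (hypothetical helper)
# ENFORCE is the content of /selinux/enforce, or empty when SELinux is off
# on the build host. Prints the branch the patch's case statement would take.
build_gate() {
    case "x$1" in
        x1) echo "permissive-for-build" ;;   # setenforce 0, restore afterwards
        x0) echo "build" ;;
        *)  if "$3" "$2"; then
                echo "warn-and-build"        # kickstart really disables SELinux
            else
                echo "refuse"                # image wants SELinux, host has none
            fi ;;
    esac
}

# Compare both matchers on a build host with SELinux disabled (empty ENFORCE).
for ks in ks_disabled ks_commented ks_embedded; do
    eval "text=\$$ks"
    printf '%-13s loose=%-15s strict=%s\n' "$ks" \
        "$(build_gate '' "$text" loose)" "$(build_gate '' "$text" strict)"
done
```

With the unanchored pattern, the commented-out and embedded fragments both take the warning path even though the image asks for enforcing mode; the anchored pattern refuses them.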
Perry N. Myers
2008-Sep-23 19:12 UTC
[Ovirt-devel] [PATCH ovirt-node-image] do not require SELinux build host if disabled in kickstart
Alan Pevec wrote:

> Signed-off-by: Alan Pevec <apevec at redhat.com> > --- > ovirt-node-image.spec.in | 18 +++++++++++++----- > 1 files changed, 13 insertions(+), 5 deletions(-) > > diff --git a/ovirt-node-image.spec.in b/ovirt-node-image.spec.in > index 6483fe4..838ff43 100644 > --- a/ovirt-node-image.spec.in > +++ b/ovirt-node-image.spec.in > @@ -59,15 +59,23 @@ mkdir -p %{ovirt_cache_dir}/node-image-tmp > mkdir -p %{ovirt_cache_dir}/yum > > sudo su - -c "cd $(pwd) && > - case $(cat /selinux/enforce 2>/dev/null) in > - 1) enforcing=1 ; setenforce 0 ;; > - 0) enforcing=0 ;; > - *) echo SELinux must be enabled; exit 1 ;; > + enforcing=$(cat /selinux/enforce 2>/dev/null) > + case x\$enforcing in > + x1) setenforce 0 ;; > + x0) ;; > + *) if ksflatten %{name}.ks 2>/dev/null \ > + | grep -q 'selinux --disabled'; then > + echo WARNING: SELinux disabled in kickstart > + else > + echo ERROR: SELinux enabled in kickstart, \ > + but disabled on the build machine > + exit 1 > + fi ;; > esac > livecd-creator --skip-minimize -c %{name}.ks -f %{name} \ > --tmpdir='%{ovirt_cache_dir}/node-image-tmp' \ > --cache='%{ovirt_cache_dir}/yum' > - setenforce \$enforcing" > + setenforce \$enforcing 2>/dev/null" > sudo su - -c "cd $(pwd) && ./ovirt-pxe %{name}.iso" > sudo su - -c "cd $(pwd) && chown -R $USER ."

This seems to work as is, so ACK. But if you want to refactor a bit due to Jim's comments go ahead.

Perry

--
|=- Red Hat, Engineering, Emerging Technologies, Boston -=|
|=- Email: pmyers at redhat.com -=|
|=- Office: +1 412 474 3552 Mobile: +1 703 362 9622 -=|
|=- GnuPG: E65E4F3D 88F9 F1C9 C2F3 1303 01FE 817C C5D2 8B91 E65E 4F3D -=|