Jim Meyering
2008-Sep-17 14:25 UTC
[Ovirt-devel] [PATCH node-image] enable SELinux in the node
Here are 5 change sets. The first enables SELinux in the node. However, the resulting .iso image size went up to 72M. The following 4 patches pare that back down to 51M, which is 1M below the original size of 52M.>From db6be7aeae14812a0642b85c1f7ee10dedac2810 Mon Sep 17 00:00:00 2001From: Jim Meyering <meyering at redhat.com> Date: Tue, 16 Sep 2008 15:52:20 +0200 Subject: [PATCH node-image] Enable SELinux in the node. * common-install.ks: Use selinux --enforcing * common-pkgs.ks: Don't exclude the following, required for SELinux: policycoreutils libsemanage selinux-policy-targeted selinux-policy * ovirt-node-image.ks (%post): touch /.autorelabel so the node automatically relabels all files. Otherwise at least the following would be unlabeled_t: /etc/hosts /etc/shadow /etc/gshadow /etc/sysconfig/iptables --- common-install.ks | 2 +- common-pkgs.ks | 4 ---- ovirt-node-image.ks | 2 ++ 3 files changed, 3 insertions(+), 5 deletions(-) diff --git a/common-install.ks b/common-install.ks index b7671e9..f535323 100644 --- a/common-install.ks +++ b/common-install.ks @@ -2,7 +2,7 @@ lang C keyboard us timezone --utc UTC auth --useshadow --enablemd5 -selinux --disabled +selinux --enforcing firewall --disabled part / --size 550 --fstype ext2 services --enabled=ntpd,ntpdate,collectd,iptables,network diff --git a/common-pkgs.ks b/common-pkgs.ks index 70707fc..29d3cf7 100644 --- a/common-pkgs.ks +++ b/common-pkgs.ks @@ -29,10 +29,8 @@ syslinux cronie hal ovirt-node --policycoreutils -audit-libs-python -hdparm --libsemanage -ustr -authconfig -rhpl @@ -41,8 +39,6 @@ ovirt-node -prelink -newt-python -newt --selinux-policy-targeted --selinux-policy -kudzu -libselinux-python -rhpl diff --git a/ovirt-node-image.ks b/ovirt-node-image.ks index 9ec0b50..f5695d8 100644 --- a/ovirt-node-image.ks +++ b/ovirt-node-image.ks 
@@ -10,6 +10,8 @@ %post %include common-post.ks +touch /.autorelabel + %end %post --nochroot -- 1.6.0.1.308.gede4c>From e3d27bd525ecc5f833db60ae4c7088ec3be9ee81 Mon Sep 17 00:00:00 2001From: Jim Meyering <meyering at redhat.com> Date: Tue, 16 Sep 2008 21:32:03 +0200 Subject: [PATCH node-image] common-post.ks: prune blacklisted packages with rpm -e --nodeps Otherwise, they were not being removed. --- common-post.ks | 6 ++++-- 1 files changed, 4 insertions(+), 2 deletions(-) diff --git a/common-post.ks b/common-post.ks index e234249..d14c790 100644 --- a/common-post.ks +++ b/common-post.ks @@ -49,12 +49,14 @@ echo "Removing excess RPMs" # and livecd-tools needs lokkit to disable SELinux. # However, this is just an install-time dependency; we can remove # it afterwards, which we do here -rpm -e system-config-firewall-tui system-config-network-tui rhpl \ +$RPM -e system-config-firewall-tui system-config-network-tui rhpl \ rpm-python dbus-python kudzu newt-python newt -rpm -e qemu kpartx mkinitrd isomd5sum dmraid python python-libs RPM="rpm -v -e --nodeps" +$RPM -e qemu kpartx mkinitrd isomd5sum dmraid python python-libs +$RPM -e checkpolicy + # Remove additional RPMs forcefully $RPM gamin pm-utils kbd libuser passwd usermode \ vbetool ConsoleKit hdparm \ -- 1.6.0.1.308.gede4c>From 047ae89c284087ae3d3a373bf8cbab9540217b1a Mon Sep 17 00:00:00 2001From: Jim Meyering <meyering at redhat.com> Date: Wed, 17 Sep 2008 13:56:15 +0200 Subject: [PATCH node-image] allow for {,lib64} constructs in blacklist variables --- common-post.ks | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diff --git a/common-post.ks b/common-post.ks index d14c790..a2a8630 100644 --- a/common-post.ks +++ b/common-post.ks 
@@ -142,8 +142,8 @@ docs_blacklist="/usr/share/omf /usr/share/gnome /usr/share/doc \ /usr/share/locale /usr/share/libthai /usr/share/man /usr/share/terminfo \ /usr/share/X11 /usr/share/i18n" -$RM $blacklist $blacklist_lib $blacklist_pango $blacklist_hal $blacklist_ssh \ - $docs_blacklist +eval $RM $blacklist $blacklist_lib $blacklist_pango $blacklist_hal \ + $blacklist_ssh $docs_blacklist echo "Cleanup empty directory structures in /usr/share" find /usr/share -type d -exec rmdir {} \; > /dev/null 2>&1 -- 1.6.0.1.308.gede4c>From 817655c2b4f0c200a929caddad69b1f8f52295c6 Mon Sep 17 00:00:00 2001From: Jim Meyering <meyering at redhat.com> Date: Wed, 17 Sep 2008 14:12:25 +0200 Subject: [PATCH node-image] remove big /usr/sbin binaries remove system-config-* etc with --nodeps, too --- common-post.ks | 4 +++- 1 files changed, 3 insertions(+), 1 deletions(-) diff --git a/common-post.ks b/common-post.ks index a2a8630..ea5b1b7 100644 --- a/common-post.ks +++ b/common-post.ks @@ -45,6 +45,8 @@ EOF echo "Removing excess RPMs" +RPM="rpm -v -e --nodeps" + # kernel pulls in mkinitrd which pulls in isomd5sum which pulls in python, # and livecd-tools needs lokkit to disable SELinux. # However, this is just an install-time dependency; we can remove 
@@ -122,7 +124,7 @@ blacklist="/boot /etc/alsa /etc/pki /usr/share/hwdata/MonitorsDB \ /usr/share/tabset /usr/share/libvirt /usr/share/augeas/lenses/tests \ /usr/share/tc /usr/share/emacs /usr/share/info /usr/kerberos \ /usr/src /usr/etc /usr/games /usr/include /usr/local \ - /usr/sbin/dell*" + /usr/sbin/{dell*,sasldblistusers2,build-locale-archive,glibc_post_upgrade.*}" blacklist_lib="/usr/lib{,64}/python2.5 /usr/lib{,64}/gconv \ /usr/{,lib64}/tc /usr/lib{,64}/tls /usr/lib{,64}/sse2 \ /usr/lib{,64}/pkgconfig /usr/lib{,64}/nss /usr/lib{,64}/X11 \ -- 1.6.0.1.308.gede4c>From a570566201f06108c9eabd6a588c329a8a59e55e Mon Sep 17 00:00:00 2001From: Daniel P. Berrange <berrange at redhat.com> Date: Wed, 17 Sep 2008 15:15:10 +0200 Subject: [PATCH node-image] exclude qemu cleanly, by explicitly including qemu-img Work around YUM dep solver problem: explicitly include qemu-img http://thread.gmane.org/gmane.comp.emulators.libvirt.ovirt/1984/focus=1985 [I had already removed qemu with the "rpm -e --nodeps" sledgehammer, but Dan P. Berrange found this cleaner way to do it. -jmm] --- common-pkgs.ks | 5 ++++- common-post.ks | 2 +- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/common-pkgs.ks b/common-pkgs.ks index 29d3cf7..0149956 100644 --- a/common-pkgs.ks +++ b/common-pkgs.ks @@ -28,6 +28,10 @@ bind-utils syslinux cronie hal +# Stupid yum dep solver pulls in older 'qemu' to resolve +# /usr/bin/qemu-img dep. This forces it to pick the new +# qemu-img RPM. +qemu-img ovirt-node -audit-libs-python -hdparm @@ -58,6 +62,5 @@ ovirt-node -cpio -hwdata -file --qemu -libvirt-python /usr/sbin/lokkit diff --git a/common-post.ks b/common-post.ks index ea5b1b7..dfc6418 100644 --- a/common-post.ks +++ b/common-post.ks 
@@ -56,7 +56,7 @@ $RPM -e system-config-firewall-tui system-config-network-tui rhpl \ RPM="rpm -v -e --nodeps" -$RPM -e qemu kpartx mkinitrd isomd5sum dmraid python python-libs +$RPM -e kpartx mkinitrd isomd5sum dmraid python python-libs $RPM -e checkpolicy # Remove additional RPMs forcefully -- 1.6.0.1.308.gede4c
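Review bot: the common-install.ks hunk goes from `selinux --disabled` straight to `selinux --enforcing`, while the commit message itself says files such as /etc/shadow and /etc/sysconfig/iptables leave the build as unlabeled_t and depend on a boot-time relabel. If that relabel does not happen, an enforcing node with unlabeled system files will deny its own services; consider landing this as `--permissive` for one cycle and flipping to enforcing once the AVC log is clean (the qemu block-device denials reported later in this thread are exactly what would surface), or label the image in %post so it does not depend on the relabel at all.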
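Review bot: the two common-pkgs.ks hunks drop the four exclusions the commit message lists, but `-libselinux-python` and `-audit-libs-python` stay excluded. The Python tools shipped in policycoreutils (semanage, audit2allow) need those bindings, so they will be installed on the node but unusable; if only setfiles/restorecon are needed for the relabel that is fine, but say so in the message, otherwise drop those two exclusions as well.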
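Review bot: `touch /.autorelabel` in the ovirt-node-image.ks %post defers labelling to boot time, but this is a live .iso: the flag file lives in the read-only image and nothing removes it persistently, so the full relabel of / runs on every boot, and, depending on what rc.sysinit does after a relabel, may reboot the node each time. Prefer labelling at build time: run `restorecon -R` (or `setfiles` with the installed policy's file_contexts) over the paths the commit message names, in %post after `%include common-post.ks` has finished deleting files, so the image ships correctly labelled and boot time is unaffected.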
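Review bot: in the common-post.ks hunk of the "prune blacklisted packages" patch, `$RPM -e system-config-firewall-tui ...` is used three lines before `RPM="rpm -v -e --nodeps"` is assigned, so with this patch applied on its own the variable is empty and the shell tries to execute `-e` as a command; the assignment has to come first (the fourth patch in the series adds it earlier, which then leaves a duplicate to remove). RPM already contains `-e`, so every `$RPM -e ...` passes the erase mode twice; drop the extra `-e` to match the existing `$RPM gamin pm-utils ...` line. Also note what `--nodeps` costs: from here on the rpm database records dependencies that are no longer satisfied, so nothing on the node should rely on `rpm -V` or dependency queries afterwards.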
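Review bot: the `eval $RM $blacklist ...` hunk makes the `{,lib64}` constructs expand, but `eval` re-parses the whole joined string, so every character in those lists is now shell syntax rather than a path; that is only safe while the lists remain hard-coded literals, which deserves a comment beside their definitions. Brace expansion is also a bash feature, not POSIX sh, so %post must keep running under bash; and a glob such as `/usr/sbin/dell*` that matches nothing stays literal, so $RM (defined outside this hunk) needs to tolerate a missing path or the script will start reporting errors.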
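Review bot: the first common-post.ks hunk of the "remove big /usr/sbin binaries" patch adds `RPM="rpm -v -e --nodeps"` near the top while the earlier assignment a few lines below (context in the previous patch) stays, so the variable is now defined twice; remove the later one when folding. In the second hunk the new `/usr/sbin/{dell*,sasldblistusers2,build-locale-archive,glibc_post_upgrade.*}` entry is fine given the eval from the previous patch, but the context line just below it, `/usr/{,lib64}/tc`, looks like a typo for `/usr/lib{,64}/tc`: as written it expands to `/usr//tc` and `/usr/lib64/tc`, so the 32-bit directory is never removed. Separately, `/etc/pki` in the same blacklist means the CA bundle and rpm GPG keys leave the image; if the node ever authenticates a TLS peer, that trust store has to be provisioned at runtime, which is worth noting in the kickstart.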
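Review bot: the subject says "exclude qemu cleanly", but the second common-pkgs.ks hunk deletes the `-qemu` exclusion, so nothing excludes qemu any more; the outcome now rests entirely on the solver preferring qemu-img for the /usr/bin/qemu-img dependency. Add a guard so a future repository change cannot silently pull the full qemu back in, for instance `rpm -q qemu >/dev/null && exit 1` in common-post.ks beside the removal list (the common-post.ks hunk already drops qemu from `$RPM -e`). The comment "Stupid yum dep solver pulls in older 'qemu'" would read better as a plain statement of the behaviour, e.g. "yum resolves /usr/bin/qemu-img to the older qemu package unless qemu-img is listed explicitly".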
Jim Meyering
2008-Sep-17 14:53 UTC
[Ovirt-devel] [PATCH node-image] enable SELinux in the node
Jim Meyering <jim at meyering.net> wrote:
> Here are 5 change sets. > > The first enables SELinux in the node. > However, the resulting .iso image size went up to 72M. > The following 4 patches pare that back down to 51M, which is 1M below > the original size of 52M. >...>>From e3d27bd525ecc5f833db60ae4c7088ec3be9ee81 Mon Sep 17 00:00:00 2001 > From: Jim Meyering <meyering at redhat.com> > Date: Tue, 16 Sep 2008 21:32:03 +0200 > Subject: [PATCH node-image] common-post.ks: prune blacklisted packages with rpm -e --nodeps > > Otherwise, they were not being removed. > --- > common-post.ks | 6 ++++-- > 1 files changed, 4 insertions(+), 2 deletions(-) > > diff --git a/common-post.ks b/common-post.ks > index e234249..d14c790 100644 > --- a/common-post.ks > +++ b/common-post.ks > @@ -49,12 +49,14 @@ echo "Removing excess RPMs" > # and livecd-tools needs lokkit to disable SELinux. > # However, this is just an install-time dependency; we can remove > # it afterwards, which we do here > -rpm -e system-config-firewall-tui system-config-network-tui rhpl \ > +$RPM -e system-config-firewall-tui system-config-network-tui rhpl \ > rpm-python dbus-python kudzu newt-python newt > -rpm -e qemu kpartx mkinitrd isomd5sum dmraid python python-libs > > RPM="rpm -v -e --nodeps" > > +$RPM -e qemu kpartx mkinitrd isomd5sum dmraid python python-libs

Alan Pevec noticed the above weirdness. In fact, it's not a use-before-definition of $RPM, but rather an unnecessary (duplicate) definition. This incremental change (about to be folded in) removes it. Thanks, Alan!
Perry N. Myers
2008-Sep-21 06:28 UTC
[Ovirt-devel] [PATCH node-image] enable SELinux in the node
Jim Meyering wrote:
> Here are 5 change sets. > > The first enables SELinux in the node. > However, the resulting .iso image size went up to 72M. > The following 4 patches pare that back down to 51M, which is 1M below > the original size of 52M.

Found a problem with iSCSI storage pools via libvirt with selinux turned on. The pool can be created, but when you try to access it the following shows up in /var/log/messages:

> type=1400 audit(1221978037.915:24): avc: denied { getattr } for pid=2597 comm="qemu-kvm" path="/dev/sdd" dev=tmpfs ino=9171 scontext=system_u:system_r:qemu_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
> type=1400 audit(1221978037.915:25): avc: denied { read } for pid=2597 comm="qemu-kvm" name="sdd" dev=tmpfs ino=9171 scontext=system_u:system_r:qemu_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file

Looks like selinux is prohibiting access for qemu to the block devices. Not sure how to fix this. Dan or Jim, do you guys have any suggestions? NFS disk image access is not affected by this since that is just access to an img file provided over an nfs mount.

Perry
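The two AVC records quoted above reduce to a single access: qemu_t reading a fixed_disk_device_t block device. The following is an added example, not code from the thread or from the ovirt-node project: it parses audit AVC lines of that shape and groups the denied permissions by source type, target type and object class, which is the form any policy allow rule or boolean would have to grant. The two records from the message are embedded as constructed sample input.

```python
import re
from collections import defaultdict

# Sample input: the two AVC records quoted in the message above.
SAMPLE_AVC = """\
type=1400 audit(1221978037.915:24): avc: denied { getattr } for pid=2597 comm="qemu-kvm" path="/dev/sdd" dev=tmpfs ino=9171 scontext=system_u:system_r:qemu_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
type=1400 audit(1221978037.915:25): avc: denied { read } for pid=2597 comm="qemu-kvm" name="sdd" dev=tmpfs ino=9171 scontext=system_u:system_r:qemu_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
"""

# "avc: denied { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(
    r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}'
    r'\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"verdict": m.group("verdict"),
           "perms": set(m.group("perms").split())}
    for key, raw, quoted in FIELD_RE.findall(m.group("fields")):
        rec[key] = quoted if raw.startswith('"') else raw
    # Contexts are user:role:type[:level]; the type is what policy rules key on.
    for ctx in ("scontext", "tcontext"):
        rec[ctx + "_type"] = rec[ctx].split(":")[2]
    return rec


def summarize_denials(lines):
    """Group denials by (source type, target type, class) and union the
    permissions, so repeated records collapse into one finding per rule."""
    needed = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec and rec["verdict"] == "denied":
            key = (rec["scontext_type"], rec["tcontext_type"], rec["tclass"])
            needed[key] |= rec["perms"]
    return dict(needed)


def format_findings(needed):
    """Render each finding in allow-rule order: source -> target (class): perms."""
    return ["%s -> %s (%s): { %s }" % (s, t, c, " ".join(sorted(p)))
            for (s, t, c), p in sorted(needed.items())]


if __name__ == "__main__":
    for finding in format_findings(summarize_denials(SAMPLE_AVC.splitlines())):
        print(finding)
```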