Perry Myers
2008-Nov-21 01:39 UTC
[Ovirt-devel] [PATCH node-image] Use minimal selinux configuration and add modules selectively
Signed-off-by: Perry Myers <pmyers at redhat.com>
---
common-blacklist.ks | 3 ---
common-pkgs.ks | 2 +-
common-post.ks | 20 ++++++++++++++++++++
3 files changed, 21 insertions(+), 4 deletions(-)
diff --git a/common-blacklist.ks b/common-blacklist.ks
index 48702da..3c89236 100644
--- a/common-blacklist.ks
+++ b/common-blacklist.ks
@@ -118,9 +118,6 @@ find /usr/share -type d -exec rmdir {} \; > /dev/null
2>&1
echo "Cleanup excess selinux modules"
$RM /usr/share/selinux
-# FIXME: We shouldn't remove all of the modules, just selected ones
-# need to do more fine grained black/white listing for this
-#$RM /etc/selinux/targeted/modules/active/modules/*
echo "Running image-minimizer..."
%end
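Review bot: the blacklist still deletes the whole policy source tree at `$RM /usr/share/selinux`, while the new block in common-post.ks reads the `.pp.bz2` modules out of /usr/share/selinux/minimum; please confirm that common-post.ks runs before this cleanup, otherwise every `mv` in the module loop fails and no modules get installed. Dropping the three FIXME lines is right now that per-module selection lives in common-post.ks, but the `echo "Cleanup excess selinux modules"` message describes removing the entire tree rather than excess modules and could be reworded to match.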
diff --git a/common-pkgs.ks b/common-pkgs.ks
index a35519f..80993d6 100644
--- a/common-pkgs.ks
+++ b/common-pkgs.ks
@@ -12,7 +12,7 @@ kvm
syslinux
ovirt-node
ovirt-node-selinux
-selinux-policy-targeted
+selinux-policy-minimum
vim-minimal
-audit-libs-python
-hdparm
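Review bot: swapping selinux-policy-targeted for selinux-policy-minimum changes the policy store that /etc/selinux/config and the ovirt-node-selinux module will be loaded against, and the commit message does not say why the minimum store is preferred or that ovirt-node-selinux has been verified to load under it; please add that rationale. Note also that the diffstat records this file as `2 +-` (one insertion, one deletion), so the trailing `-audit-libs-python` and `-hdparm` lines are pre-existing kickstart package exclusions shown as context, not removals made by this patch.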
diff --git a/common-post.ks b/common-post.ks
index 7497b20..2d4ce15 100644
--- a/common-post.ks
+++ b/common-post.ks
@@ -3,6 +3,26 @@ echo "Starting Kickstart Post"
PATH=/sbin:/usr/sbin:/bin:/usr/bin
export PATH
+# Import SELinux Modules
+echo "Enabling selinux modules"
+SEMODULES="base automount avahi consolekit cyrus dhcp dnsmasq guest hal
ipsec \
+iscsi kerberos kerneloops ldap lockdev logadm mozilla ntp polkit portmap qemu \
+rpcbind sasl snmp stunnel sysstat tcpd unprivuser unconfined usbmodules \
+userhelper virt"
+
+lokkit -v --selinuxtype=minimum
+tmpdir=$(mktemp -d)
+
+for semodule in $SEMODULES; do
+ mv /usr/share/selinux/minimum/$semodule.pp.bz2 $tmpdir
+ bunzip2 $tmpdir/$semodule.pp.bz2
+done
+
+ls $tmpdir/*.pp | grep -Ev "base.pp|enableaudit.pp" \
+ | xargs semodule -v -b $tmpdir/base.pp -i
+semodule -v -B
+rm -Rf $tmpdir
+
echo "Running ovirt-install-host stateless"
/usr/sbin/ovirt-install-node stateless
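Review bot: the module loop at `mv /usr/share/selinux/minimum/$semodule.pp.bz2 $tmpdir` has no error handling: if any name in SEMODULES is missing from the policy package, `mv` and `bunzip2` print an error but the build continues, and `xargs semodule -v -b $tmpdir/base.pp -i` then installs a smaller set, leaving the node without that policy; suggest `|| exit 1` on the `mv` (or a test for the file first) so the image build fails loudly. Two smaller points: SEMODULES includes `unconfined`, which under the minimum policy leaves most processes unconfined, so a comment stating that this is intended would help future readers of a patch titled "add modules selectively"; and the filter `grep -Ev "base.pp|enableaudit.pp"` uses unescaped dots, so `grep -F -v -e base.pp -e enableaudit.pp` is the safer spelling (base.pp is already consumed by `-b`, and enableaudit is not in SEMODULES at all).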
--
1.6.0.3
Alan Pevec
2008-Nov-21 12:31 UTC
[Ovirt-devel] Re: [PATCH node-image] Use minimal selinux configuration and add modules selectively
> -selinux-policy-targeted
> +selinux-policy-minimum

-minimum subpkg doesn't exist for F9. What are the chances to get this in f9-updates, or should we just switch to F10 completely for the Node image? I'll check how building with F10 repos on an F9 build host works.