thr3ads.net - Ovirt devel - [Ovirt-devel] [PATCH REPOST node-image] Use minimal selinux configuration and add modules selectively [Nov 2008]

If this information is useful, please help other people find it:
Share via:

Perry Myers

2008-Nov-21 05:22 UTC

[Ovirt-devel] [PATCH REPOST node-image] Use minimal selinux configuration and add modules selectively

Repost of patch.  Original patch forgot to include ovirt-node-selinux.pp
in the list of selinux modules to install.

Signed-off-by: Perry Myers <pmyers at redhat.com>
---
 common-blacklist.ks |    3 ---
 common-pkgs.ks      |    2 +-
 common-post.ks      |   24 ++++++++++++++++++++++++
 3 files changed, 25 insertions(+), 4 deletions(-)

diff --git a/common-blacklist.ks b/common-blacklist.ks
index 48702da..3c89236 100644
--- a/common-blacklist.ks
+++ b/common-blacklist.ks
@@ -118,9 +118,6 @@ find /usr/share -type d -exec rmdir {} \; > /dev/null
2>&1
 
 echo "Cleanup excess selinux modules"
 $RM /usr/share/selinux
-# FIXME: We shouldn't remove all of the modules, just selected ones
-# need to do more fine grained black/white listing for this
-#$RM /etc/selinux/targeted/modules/active/modules/*
 
 echo "Running image-minimizer..."
 %end
diff --git a/common-pkgs.ks b/common-pkgs.ks
index a35519f..80993d6 100644
--- a/common-pkgs.ks
+++ b/common-pkgs.ks
@@ -12,7 +12,7 @@ kvm
 syslinux
 ovirt-node
 ovirt-node-selinux
-selinux-policy-targeted
+selinux-policy-minimum
 vim-minimal
 -audit-libs-python
 -hdparm
diff --git a/common-post.ks b/common-post.ks
index 7497b20..42c055f 100644
--- a/common-post.ks
+++ b/common-post.ks
@@ -3,6 +3,30 @@ echo "Starting Kickstart Post"
 PATH=/sbin:/usr/sbin:/bin:/usr/bin
 export PATH
 
+# Import SELinux Modules
+echo "Enabling selinux modules"
+SEMODULES="base automount avahi consolekit cyrus dhcp dnsmasq guest hal
ipsec \
+iscsi kerberos kerneloops ldap lockdev logadm mozilla ntp ovirt-node-selinux \
+polkit portmap qemu rpcbind sasl snmp stunnel sysstat tcpd unprivuser \
+unconfined usbmodules userhelper virt"
+
+lokkit -v --selinuxtype=minimum
+tmpdir=$(mktemp -d)
+
+for semodule in $SEMODULES; do
+    if [ -f /usr/share/selinux/minimum/$semodule.pp.bz2 ]; then
+        mv /usr/share/selinux/minimum/$semodule.pp.bz2 $tmpdir
+        bunzip2 $tmpdir/$semodule.pp.bz2
+    else
+        mv /usr/share/selinux/minimum/$semodule.pp $tmpdir
+    fi
+done
+
+ls $tmpdir/*.pp | grep -Ev "base.pp|enableaudit.pp" \
+    | xargs semodule -v -b $tmpdir/base.pp -i
+semodule -v -B
+rm -Rf $tmpdir
+
 echo "Running ovirt-install-host stateless"
 /usr/sbin/ovirt-install-node stateless
 
-- 
1.6.0.3

Perry Myers

2008-Nov-21 05:22 UTC

head link

[Ovirt-devel] [PATCH node] Add selinux policy .pp file to minimum selinux type

Signed-off-by: Perry Myers <pmyers at redhat.com>
---
 ovirt-node.spec.in |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/ovirt-node.spec.in b/ovirt-node.spec.in
index 2a01b7c..1d3679f 100644
--- a/ovirt-node.spec.in
+++ b/ovirt-node.spec.in
@@ -6,7 +6,7 @@ Source0:        %{name}-%{version}.tar.gz
 License:        GPLv2+
 Group:          Applications/System
 
-%define selinux_variants mls strict targeted
+%define selinux_variants mls strict targeted minimum
 %define selinux_policyver %(sed -n
's,.*selinux-policy-\([^/]*\)/.*,\1,p'
/usr/share/selinux/devel/policyhelp)
 %define modulename %{name}-selinux
 Source1:        %{modulename}.te
-- 
1.6.0.3

Alan Pevec

2008-Nov-24 10:00 UTC

head link

[Ovirt-devel] Re: [PATCH REPOST node-image] Use minimal selinux configuration and add modules selectively

Perry Myers wrote:

ack - I'll push with one changes:> +for semodule in $SEMODULES; do
> +    if [ -f /usr/share/selinux/minimum/$semodule.pp.bz2 ]; then
> +        mv /usr/share/selinux/minimum/$semodule.pp.bz2 $tmpdir
> +        bunzip2 $tmpdir/$semodule.pp.bz2
> +    else
       elif [ -f /usr/share/selinux/minimum/$semodule.pp ]; then
to skip modules not present in F9
> +        mv /usr/share/selinux/minimum/$semodule.pp $tmpdir
> +    fi
> +done

Alan Pevec

2008-Nov-24 11:03 UTC

head link

[Ovirt-devel] Re: [PATCH REPOST node-image] Use minimal selinux configuration and add modules selectively

one more change before pusing:
> +++ b/common-pkgs.ksselinux-policy-targeted is included by @core group, need to exclude it
explicitly:> -selinux-policy-targeted
  +-selinux-policy-targeted> +selinux-policy-minimum
Otherwise, I get No space left (in instroot), first in selinux-policy-targeted
%post:
Installing: selinux-policy-targeted      ##################### [219/224]
libsemanage.semanage_make_sandbox: Could not copy files to sandbox
/etc/selinux/targeted/modules/tmp. (No space left on device).
/usr/sbin/semanage: Could not start semanage transaction
then by rpm:
rpmdb: write: 0x7f33f2875190, 4096: No space left on device
rpmdb:
/home/apevec/ovirt-cache/ovirt-node-image-tmp/imgcreate-Fze1gI/install_root/var/lib/rpm/Packages:
write failed for page 1624
rpmdb:
/home/apevec/ovirt-cache/ovirt-node-image-tmp/imgcreate-Fze1gI/install_root/var/lib/rpm/Packages:
unable to flush page: 1624
error: db4 error(28) from db->sync: No space left on device

livecd-creator didn't error out on that condition, afaict this error is
swallowed already by yum/rpm - yum.runTransaction returned code was 0

Ovirt devel - Nov 2008 - [PATCH REPOST node-image] Use minimal selinux configuration and add modules selectively

[Ovirt-devel] [PATCH REPOST node-image] Use minimal selinux configuration and add modules selectively

[Ovirt-devel] [PATCH node] Add selinux policy .pp file to minimum selinux type

[Ovirt-devel] Re: [PATCH REPOST node-image] Use minimal selinux configuration and add modules selectively

[Ovirt-devel] Re: [PATCH REPOST node-image] Use minimal selinux configuration and add modules selectively