Merge "Make sure selinux permissions are correct on ~/.ssh."

Zuul 2017-11-16 07:31:13 +00:00 committed by Gerrit Code Review
commit 7f887736e2
2 changed files with 37 additions and 0 deletions


@ -25,6 +25,16 @@ fi
cat /root/.ssh/id_rsa.pub >> /root/.ssh/authorized_keys
if [ -e /usr/sbin/getenforce ]; then
if [ "$(getenforce)" == "Enforcing" ]; then
selinux_wrong_permission="$(find /home/.ssh/ -exec ls -lZ {} \; | grep -v 'ssh_home_t')"
if [ -n "${selinux_wrong_permission}" ]; then
semanage fcontext -a -t ssh_home_t '/root/.ssh(/.*)?'
restorecon -R /root/.ssh/
fi
fi
fi
UNDERCLOUD_IP=$(os-apply-config --key local-ip --type netaddress)
export UNDERCLOUD_IP
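Review bot: The label check runs `find /home/.ssh/ ...`, but the keys written just above and the `semanage`/`restorecon` calls all target `/root/.ssh`. If `/home/.ssh/` does not exist, `find` prints nothing to stdout, `selinux_wrong_permission` stays empty, and the relabel never runs, so a mislabeled `/root/.ssh/authorized_keys` would remain unusable by sshd under enforcing mode. The check should inspect the directory it repairs, for example `selinux_wrong_permission="$(find /root/.ssh/ -exec ls -dZ {} \; | grep -v 'ssh_home_t')"`; `-d` keeps `ls` from expanding the directory and emitting extra lines that never carry a context.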


@ -1390,6 +1390,32 @@ def _configure_ssh_keys(nova):
nova.keypairs.create('default', pubkey.read().rstrip())
def _ensure_ssh_selinux_permission():
ssh_path = os.path.expanduser('~/.ssh')
try:
enforcing = _run_command(['getenforce'])
if os.path.isdir(ssh_path):
if 'Enforcing' in enforcing:
file_perms = _run_command(
['find', ssh_path, '-exec', 'ls', '-lZ', '{}', ';'])
wrong_perm = False
for line in file_perms.splitlines():
if 'ssh_home_t' not in line:
wrong_perm = True
break
if wrong_perm:
cmd = ['semanage',
'fcontext', '-a', '-t', 'ssh_home_t',
"{}(/.*)?".format(ssh_path)]
_run_command(cmd)
_run_command(['restorecon', '-R', ssh_path])
except OSError as e:
if e.errno == os.errno.ENOENT:
LOG.debug("Not a SeLinux platform")
else:
raise
def _delete_default_flavors(nova):
"""Delete the default flavors from Nova
@ -1678,6 +1704,7 @@ def _post_config(instack_env, upgrade):
os_ironic_api_version='1.21')
_configure_ssh_keys(nova)
_ensure_ssh_selinux_permission()
_delete_default_flavors(nova)
_ensure_node_resource_classes(ironic)
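Review bot: In `_ensure_ssh_selinux_permission`, the handler `if e.errno == os.errno.ENOENT:` depends on `os.errno`, an undocumented re-export that was removed from the `os` module in Python 3.7. On such an interpreter a host without `getenforce` would raise AttributeError inside the except block instead of logging "Not a SeLinux platform". Importing the module directly (`import errno`) and writing `if e.errno == errno.ENOENT:` avoids that. The function also has no docstring; something like `"""Relabel ~/.ssh as ssh_home_t when SELinux is enforcing and any entry lacks that type."""` would state the intent. Whether `_run_command` raises on a non-zero exit is not visible here, so it is unclear what happens if `semanage` itself fails.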