authorJenkins <jenkins@review.openstack.org>2017-07-24 02:04:21 +0000
committerGerrit Code Review <review@openstack.org>2017-07-24 02:04:21 +0000
commita6da39acb8c2c661fb15f0c2a9fae16ec1b0eea7 (patch)
tree29a58091e33eb466dc31af87cf8f528dd07c91c2
parent55971717b690928fa935e9d8fbe10273d3bedfea (diff)
parent5089e4e54117473e6d5ae37ac1ae629552e385ed (diff)
Merge "Move setfiles to outside chroot with runcon"2.7.0
-rwxr-xr-xdiskimage_builder/elements/ironic-agent/finalise.d/99-remove-extra-packages2
-rwxr-xr-xdiskimage_builder/elements/rpm-distro/cleanup.d/99-selinux-fixfiles-restore74
-rwxr-xr-xdiskimage_builder/elements/rpm-distro/finalise.d/90-selinux-fixfiles-restore38
3 files changed, 75 insertions, 39 deletions
diff --git a/diskimage_builder/elements/ironic-agent/finalise.d/99-remove-extra-packages b/diskimage_builder/elements/ironic-agent/finalise.d/99-remove-extra-packages
index 4a09298..c4d7600 100755
--- a/diskimage_builder/elements/ironic-agent/finalise.d/99-remove-extra-packages
+++ b/diskimage_builder/elements/ironic-agent/finalise.d/99-remove-extra-packages
@@ -19,7 +19,7 @@ if [ $DISTRO_NAME = 'fedora' ] ; then
19 install-packages -e kernel-debug-devel gcc fedora-logos \ 19 install-packages -e kernel-debug-devel gcc fedora-logos \
20 rsync pykickstart \ 20 rsync pykickstart \
21 make genisoimage tcpdump \ 21 make genisoimage tcpdump \
22 man-db policycoreutils kbd-misc \ 22 man-db kbd-misc \
23 plymouth cronie ${_remove_yum} 23 plymouth cronie ${_remove_yum}
24 24
25 ${YUM:-yum} clean all 25 ${YUM:-yum} clean all
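Review bot: The removal of `policycoreutils` from the uninstall list on file line 22 carries no comment explaining why the package must now stay, and the reason is non-local: the new cleanup.d/99-selinux-fixfiles-restore in this same change chroots into TARGET_ROOT and exits 1 when /usr/sbin/setfiles is missing, so putting the package back into this list would presumably break the rpm-distro build at the relabel step. Suggest `# keep policycoreutils: cleanup.d/99-selinux-fixfiles-restore runs setfiles inside the chroot` directly above the install-packages call so the dependency survives the next "trim the image" pass. The enclosing `if [ $DISTRO_NAME = 'fedora' ]` block starts and ends outside the hunk.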
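diff --git a/diskimage_builder/elements/rpm-distro/cleanup.d/99-selinux-fixfiles-restore b/diskimage_builder/elements/rpm-distro/cleanup.d/99-selinux-fixfiles-restore
new file mode 100755
index 0000000..c4b1e1e
--- /dev/null
+++ b/diskimage_builder/elements/rpm-distro/cleanup.d/99-selinux-fixfiles-restore
@@ -0,0 +1,74 @@
+#!/bin/bash
+
+if [ ${DIB_DEBUG_TRACE:-1} -gt 0 ]; then
+ set -x
+fi
+set -eu
+set -o pipefail
+
+# parser isn't smart enough to figure out \
+# dib-lint: disable=safe_sudo
+
+# Here be dragons ... a previous dragon slayer helpfully pointed out in
+# http://www.spinics.net/lists/selinux/msg17379.html
+#
+# Not all of the contexts defined by the offline system's
+# file_contexts may be valid under the policy of the host on which
+# you are running (e.g. if they run different distributions or even
+# different releases of the same distribution), which will normally
+# prevent setting those contexts (the kernel won't recognize them).
+# If you have this issue, you'll need to run setfiles as root in a
+# special domain, setfiles_mac_t, that is allowed to set contexts
+# unknown to the host policy, and likely chrooted so that it doesn't
+# ask the kernel whether the contexts are valid via
+# /sys/fs/selinux/context. That is how livecd-creator supported
+# creating images for other releases.
+
+# One issue you might see without fixing selinux file labels is sshd
+# will run in the kernel_t domain instead of the sshd_t domain, making
+# ssh connections fail with "Unable to get valid context for <user>"
+# error message. Other failures will occur too.
+
+# XXX: is it really valid to build rpm-distros without this?
+if [[ ! -f ${TARGET_ROOT}/etc/selinux/targeted/contexts/files/file_contexts ]]; then
+ echo "No selinux policy found in chroot, skipping..."
+ exit 0
+fi
+
+if [[ ! -x ${TARGET_ROOT}/usr/sbin/setfiles ]]; then
+ echo "Can not find setfiles in chroot!"
+ exit 1
+fi
+
+# If we're on a selinux system, enable permissive mode for
+# setfiles_mac_t so we can relabel within the chroot without concern
+# for whatever policy is in the host kernel. We will run under
+# "runcon" to specifically allow this
+_runcon=""
+if [[ -x /usr/sbin/semanage ]]; then
+ sudo semanage permissive -a setfiles_mac_t
+ _runcon="runcon -t setfiles_mac_t -- "
+fi
+
+# setfiles in > Fedora 26 added this flag:
+# do not read /proc/mounts to obtain a list of
+# non-seclabel mounts to be excluded from relabeling
+# checks. Setting this option is useful where there is
+# a non-seclabel fs mounted with a seclabel fs
+# this describes our situation of being on a loopback device on
+# an ubuntu system, say. See also
+# https://bugzilla.redhat.com/show_bug.cgi?id=1472709
+_dash_m=""
+if [[ $DISTRO_NAME == "fedora" && $DIB_RELEASE -ge 26 ]]; then
+ _dash_m+="-m"
+fi
+
+IFS='|' read -ra SPLIT_MOUNTS <<< "$DIB_MOUNTPOINTS"
+for MOUNTPOINT in "${SPLIT_MOUNTS[@]}"; do
+ if [ "${MOUNTPOINT}" != "/tmp/in_target.d" ] && [ "${MOUNTPOINT}" != "/dev" ]; then
+ sudo ${_runcon} chroot ${TARGET_ROOT} \
+ /usr/sbin/setfiles -F ${_dash_m} \
+ /etc/selinux/targeted/contexts/files/file_contexts ${MOUNTPOINT}
+ fi
+done
+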
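Review bot: `sudo semanage permissive -a setfiles_mac_t` on file line 49 is a persistent change to the build host's own SELinux policy and nothing in the script reverts it, so every build that takes this branch leaves setfiles_mac_t permissive on the host after the image is finished. Registering `trap 'sudo semanage permissive -d setfiles_mac_t' EXIT` right after the add would undo it on every exit path; if several builds can share one host the revert needs coordinating, in which case a comment stating that the permissive domain is intentionally left in place is the minimum a reader needs. The guard on file line 48 also tests only that /usr/sbin/semanage exists, not that SELinux is enabled, so on a host with the tools installed but SELinux off the semanage call may fail and, under `set -eu`, abort the build; a `selinuxenabled` check in that condition is worth confirming. Finally, on file lines 69–71 `${TARGET_ROOT}` and `${MOUNTPOINT}` are left unquoted alongside `${_runcon}` and `${_dash_m}`, which must stay unquoted for word-splitting; quoting the two paths (`chroot "${TARGET_ROOT}"` and `... file_contexts "${MOUNTPOINT}"`) makes the intent of each unquoted expansion visible.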
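diff --git a/diskimage_builder/elements/rpm-distro/finalise.d/90-selinux-fixfiles-restore b/diskimage_builder/elements/rpm-distro/finalise.d/90-selinux-fixfiles-restore
deleted file mode 100755
index ebe6ddf..0000000
--- a/diskimage_builder/elements/rpm-distro/finalise.d/90-selinux-fixfiles-restore
+++ /dev/null
@@ -1,38 +0,0 @@
-#!/bin/bash
-
-if [ ${DIB_DEBUG_TRACE:-1} -gt 0 ]; then
- set -x
-fi
-set -eu
-set -o pipefail
-
-SETFILES=$(type -p setfiles || true)
-if [ -e /etc/selinux/targeted/contexts/files/file_contexts -a -x "${SETFILES}" ]; then
- # get all mounpoints in the system
- IFS='|' read -ra SPLIT_MOUNTS <<< "$DIB_MOUNTPOINTS"
- for MOUNTPOINT in "${SPLIT_MOUNTS[@]}"; do
- # Without fixing selinux file labels, sshd will run in the kernel_t domain
- # instead of the sshd_t domain, making ssh connections fail with
- # "Unable to get valid context for <user>" error message
- if [ "${MOUNTPOINT}" != "/tmp/in_target.d" ] && [ "${MOUNTPOINT}" != "/dev" ]; then
- # setfiles in > Fedora 26 added this flag:
- # do not read /proc/mounts to obtain a list of
- # non-seclabel mounts to be excluded from relabeling
- # checks. Setting this option is useful where there is
- # a non-seclabel fs mounted with a seclabel fs
- # this describes our situation of being on a loopback device on
- # an ubuntu system, say. See also
- # https://bugzilla.redhat.com/show_bug.cgi?id=1472709
- _dash_m=""
- if [[ $DISTRO_NAME == "fedora" && $DIB_RELEASE -ge 26 ]]; then
- _dash_m+="-m"
- fi
- $SETFILES ${_dash_m} /etc/selinux/targeted/contexts/files/file_contexts ${MOUNTPOINT}
- fi
- done
-else
- echo "Skipping SELinux relabel, since setfiles is not available."
- echo "Touching /.autorelabel to schedule a relabel when the image boots."
- touch /.autorelabel
-fi
-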