anaconda indirectly creates this directory tree when it creates a Yum object chrooted under /mnt/sysimage, so we need to ensure it gets the proper selinux label. While I'm at it, fix a couple stupid things in how file context setting didn't work: (1) Make directory handling recursive, since who knows how much stuff is in /var/cache/yum. (2) Make globs check against /mnt/sysimage instead of /. Before, we were just getting lucky with contexts since the networking files were all the same. But we shouldn't rely on that luck continuing. (3) Move the file lists into constants.py.
---
 pyanaconda/constants.py | 16 ++++++++++++
 pyanaconda/packages.py | 63 ++++++++++++++++++++++++-----------------------
 2 files changed, 48 insertions(+), 31 deletions(-)
diff --git a/pyanaconda/constants.py b/pyanaconda/constants.py
index e033966..43e3209 100644
--- a/pyanaconda/constants.py
+++ b/pyanaconda/constants.py
@@ -91,3 +91,19 @@
 DD_FIRMWARE = "/tmp/DD/lib/firmware"
 DD_RPMS = "/tmp/DD-*"
 TRANSLATIONS_UPDATE_DIR="/tmp/updates/po"
+
+relabelFiles = ["/etc/rpm/macros", "/etc/dasd.conf", "/etc/zfcp.conf",
+ "/etc/lilo.conf.anaconda", "/lib64", "/usr/lib64",
+ "/etc/blkid.tab", "/etc/blkid.tab.old",
+ "/etc/mtab", "/etc/fstab", "/etc/resolv.conf",
+ "/etc/modprobe.conf", "/etc/modprobe.conf~",
+ "/var/log/wtmp", "/var/run/utmp", "/etc/crypttab",
+ "/dev/log", "/var/lib/rpm", "/", "/etc/raidtab",
+ "/etc/mdadm.conf", "/etc/sysconfig/network",
+ "/etc/udev/rules.d/70-persistent-net.rules",
+ "/root/install.log", "/root/install.log.syslog",
+ "/etc/shadow", "/etc/shadow-", "/etc/gshadow",
+ "/etc/dhcp/dhclient-*.conf"]
+relabelDirs = ["/etc/sysconfig/network-scripts", "/var/lib/rpm", "/etc/lvm",
+ "/dev/mapper", "/etc/iscsi", "/var/lib/iscsi", "/root",
+ "/var/log", "/etc/modprobe.d", "/etc/sysconfig", "/var/cache/yum" ]
diff --git a/pyanaconda/packages.py b/pyanaconda/packages.py
index 7d88d06..232e329 100644
--- a/pyanaconda/packages.py
+++ b/pyanaconda/packages.py
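Review bot: `relabelFiles` and `relabelDirs` break the naming convention of the surrounding constants in this hunk (`DD_FIRMWARE`, `DD_RPMS`, `TRANSLATIONS_UPDATE_DIR` are UPPER_SNAKE_CASE); as module-level constants they would read better as `RELABEL_FILES` and `RELABEL_DIRS`, though the rename then touches the packages.py references too. The lists also need a comment at the definition site saying how they are consumed, because `"/etc/dhcp/dhclient-*.conf"` is a glob pattern while every other entry is a literal path, and nothing here says the entries are resolved under the install root rather than `/`, e.g. `# Paths under the install root (glob patterns allowed) whose SELinux context setFileCons resets; relabelDirs are walked recursively.` `/var/lib/rpm` appears in both lists, so it is relabelled twice; harmless, but it could be dropped from one of them.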
@@ -23,6 +23,7 @@
 # Jeremy Katz <katzj@xxxxxxxxxx>
 #
+import itertools
 import glob
 import iutil
 import isys
@@ -186,41 +187,41 @@ def setupTimezone(anaconda):
 # FIXME: this is a huge gross hack. hard coded list of files
 # created by anaconda so that we can not be killed by selinux
 def setFileCons(anaconda):
+ def contextCB(arg, directory, files):
+ for file in files:
+ path = os.path.join(directory, file)
+
+ if not os.access(path, os.R_OK):
+ log.warning("%s doesn't exist" % path)
+ continue
+
+ # If the path begins with rootPath, matchPathCon will never match
+ # anything because policy doesn't contain that path.
+ if path.startswith(anaconda.rootPath):
+ path = path.replace(anaconda.rootPath, "")
+
+ ret = isys.resetFileContext(path, anaconda.rootPath)
+ log.info("set fc of %s to %s" % (path, ret))
+
 if flags.selinux:
 log.info("setting SELinux contexts for anaconda created files")
- files = ["/etc/rpm/macros", "/etc/dasd.conf", "/etc/zfcp.conf",
- "/etc/lilo.conf.anaconda", "/lib64", "/usr/lib64",
- "/etc/blkid.tab", "/etc/blkid.tab.old",
- "/etc/mtab", "/etc/fstab", "/etc/resolv.conf",
- "/etc/modprobe.conf", "/etc/modprobe.conf~",
- "/var/log/wtmp", "/var/run/utmp", "/etc/crypttab",
- "/dev/log", "/var/lib/rpm", "/", "/etc/raidtab",
- "/etc/mdadm.conf", "/etc/sysconfig/network",
- "/etc/udev/rules.d/70-persistent-net.rules",
- "/root/install.log", "/root/install.log.syslog",
- "/etc/shadow", "/etc/shadow-", "/etc/gshadow"] + \
- glob.glob('/etc/dhcp/dhclient-*.conf')
-
- vgs = ["/dev/%s" % vg.name for vg in anaconda.storage.vgs]
-
- # ugh, this is ugly
- for dir in ["/etc/sysconfig/network-scripts", "/var/lib/rpm", "/etc/lvm", "/dev/mapper", "/etc/iscsi", "/var/lib/iscsi", "/root", "/var/log", "/etc/modprobe.d", "/etc/sysconfig" ] + vgs:
- def addpath(x): return dir + "/" + x
-
- if not os.path.isdir(anaconda.rootPath + dir):
- continue
- dirfiles = os.listdir(anaconda.rootPath + dir)
- files.extend(map(addpath, dirfiles))
- files.append(dir)
+ # Add "/mnt/sysimage" to the front of every path so the glob works.
+ # Then run glob on each element of the list and flatten it into a
+ # single list we can run contextCB across.
+ files = itertools.chain(*map(lambda f: glob.glob("%s/%s" % (anaconda.rootPath, f)),
+ relabelFiles))
+ contextCB(None, "", files)
- for f in files:
- if not os.access("%s/%s" %(anaconda.rootPath, f), os.R_OK):
- log.warning("%s doesn't exist" %(f,))
- continue
- ret = isys.resetFileContext(os.path.normpath(f),
- anaconda.rootPath)
- log.info("set fc of %s to %s" %(f, ret))
+ for dir in relabelDirs + ["/dev/%s" % vg.name for vg in anaconda.storage.vgs]:
+ # Add "/mnt/sysimage" for similar reasons to above.
+ dir = "%s/%s" % (anaconda.rootPath, dir)
+
+ os.path.walk(dir, contextCB, None)
+
+ # os.path.walk won't include the directory we start walking at,
+ # so that needs its context set separtely.
+ contextCB(None, "", [dir])
 return
--
1.7.1.1 _______________________________________________ Anaconda-devel-list mailing list Anaconda-devel-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/anaconda-devel-list
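Review bot: Every path that now reaches isys.resetFileContext carries a doubled slash, because `"%s/%s" % (anaconda.rootPath, f)` and `dir = "%s/%s" % (anaconda.rootPath, dir)` turn `/etc/fstab` into `/mnt/sysimage//etc/fstab`, and `path.replace(anaconda.rootPath, "")` in contextCB then leaves `//etc/fstab`; the removed loop ran `os.path.normpath(f)` before the call and the new code drops that step. Whether the policy lookup tolerates the extra slash depends on resetFileContext, which is not visible here, so it is safer to normalise once at the top of contextCB's loop: `path = os.path.normpath(os.path.join(directory, file))`. The prefix strip should also cut by length rather than `replace`, which removes every occurrence of rootPath in the string, and must keep the `"/"` entry of relabelFiles working since after normpath that entry is exactly rootPath: `path = path[len(anaconda.rootPath):] or "/"`. As a matter of style, `file` and `dir` shadow builtins; `name` and `directory` would avoid that.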