Re: lorax - selinux limitation

On Wed, Dec 16, 2015 at 04:32:51PM +0100, Dominique Martinet wrote:
> Hi,
> 
> in el7, in /usr/lib/python2.7/site-packages/pylorax/__init__.py we have
> this comment/code:
> # is selinux disabled?
> # With selinux in enforcing mode the rpcbind package required for
> # dracut nfs module, which is in turn required by anaconda module,
> # will not get installed, because it's preinstall scriptlet fails,
> # resulting in an incomplete initial ramdisk image.
> # The reason is that the scriptlet runs tools from the shadow-utils
> # package in chroot, particularly groupadd and useradd to add the
> # required rpc group and rpc user. This operation fails, because
> # the selinux context on files in the chroot, that the shadow-utils
> # tools need to access (/etc/group, /etc/passwd, /etc/shadow etc.),
> # is wrong and selinux therefore disallows access to these files.
> logger.info("checking the selinux mode")
> if selinux.is_selinux_enabled() and selinux.security_getenforce():
>     logger.critical("selinux must be disabled or in Permissive mode")
>     sys.exit(1)
> 
> 
> I've just generated new images on a centos7.1 box with selinux enabled
> and it didn't seem to run into any selinux-related trouble after
> disabling this check - in particular, /etc/passwd in the LiveOS image
> does contain rpcuser and there wasn't any obvious error message in the
> whole lorax process.
> 
> Would it be possible to remove this now?
> (do you want me to send a trivial patch that just removes this bunch of
> lines so my name is on it for future complaints?)

I think it's better to leave it and run it in permissive mode. The
results always get labeled properly; the problem you hit while leaving
it enabled is selinux blocking the package installation in the
installroot. Depending on the host version and selinux rules this may
work for you, but not for others.

-- 
Brian C. Lane | Anaconda Team | IRC: bcl #anaconda | Port Orchard, WA (PST8PDT)

_______________________________________________
Anaconda-devel-list mailing list
Anaconda-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/anaconda-devel-list


