imgcreate/creator.py | 8 +++++++-
imgcreate/kickstart.py | 10 ++++++----
2 files changed, 13 insertions(+), 5 deletions(-)
New commits:
commit e98a30558acc58275ee2c4469e3c4f8bea9b566f
Author: Warren Togami <wtogami(a)redhat.com>
Date: Wed Feb 20 14:39:47 2008 -0500
selinux --disabled fixes
The attached patch seems to fix "selinux --disabled" and other parts
related to selinux. It ensures that if SELinux is disabled, no labels are
set on files, restorecon is not run, and /selinux is not bind-mounted.
diff --git a/imgcreate/creator.py b/imgcreate/creator.py
index c7b1046..11fce2d 100644
--- a/imgcreate/creator.py
+++ b/imgcreate/creator.py
@@ -435,10 +435,14 @@ class ImageCreator(object):
# bind mount system directories into _instroot
for (f, dest) in [("/sys", None), ("/proc", None),
("/dev", None),
- ("/dev/pts", None), ("/selinux", None),
+ ("/dev/pts", None),
(cachesrc, "/var/cache/yum")]:
self.__bindmounts.append(BindChrootMount(f, self._instroot, dest))
+ # /selinux should only be mounted if selinux is enabled (enforcing or
permissive)
+ if kickstart.selinux_enabled(self.ks):
+ self.__bindmounts.append(BindChrootMount("/selinux",
self._instroot, None))
+
self._do_bindmounts()
os.symlink("../proc/mounts", self._instroot + "/etc/mtab")
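Review bot: The comment on the added `/selinux` mount says "enforcing or permissive", but `selinux_enabled()` as rewritten in the last kickstart.py hunk is true only for `SELINUX_ENFORCING`, so a permissive image no longer gets `/selinux` bind-mounted. The same helper gates the `__file_context_path` macro in the second creator.py hunk, so packages in a permissive image would be installed without file contexts, and labelling would depend entirely on the later restorecon step, which is not visible here. If permissive is meant to count as enabled, the helper should read `return ks.handler.selinux.selinux != ksconstants.SELINUX_DISABLED`. How an unset value should be treated cannot be determined from these hunks and should be decided explicitly.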
@@ -551,6 +555,8 @@ class ImageCreator(object):
if kickstart.exclude_docs(self.ks):
rpm.addMacro("_excludedocs", "1")
+ if not kickstart.selinux_enabled(self.ks):
+ rpm.addMacro("__file_context_path", "%{nil}")
try:
self.__select_packages(ayum)
diff --git a/imgcreate/kickstart.py b/imgcreate/kickstart.py
index a7e0723..30156d8 100644
--- a/imgcreate/kickstart.py
+++ b/imgcreate/kickstart.py
@@ -370,7 +370,7 @@ class SelinuxConfig(KickstartConfig):
f = file(path, "w+")
os.chmod(path, 0644)
- if not ksselinux.selinux:
+ if ksselinux.selinux == ksconstants.SELINUX_DISABLED:
return
if not os.path.exists(self.path("/sbin/restorecon")):
return
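Review bot: `ksconstants` is first used in this comparison and again in the later kickstart.py hunks, but no hunk in the patch adds an import for it. Unless the file already has something like `import pykickstart.constants as ksconstants` above the visible lines, this line raises NameError. The old test `not ksselinux.selinux` also returned early for any falsy value, while the new one returns only on an exact match with `SELINUX_DISABLED`, so an unset value (if the handler can leave it as None) now falls through to the restorecon path. The function starts and ends outside the hunk, so the handling of `f` after the early return cannot be checked here.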
@@ -381,9 +381,11 @@ class SelinuxConfig(KickstartConfig):
if os.path.exists(self.path("/usr/sbin/lokkit")):
args = ["/usr/sbin/lokkit", "-f", "--quiet",
"--nostart"]
- if ksselinux.selinux:
+ if ksselinux.selinux == ksconstants.SELINUX_ENFORCING:
args.append("--selinux=enforcing")
- else:
+ if ksselinux.selinux == ksconstants.SELINUX_PERMISSIVE:
+ args.append("--selinux=permissive")
+ if ksselinux.selinux == ksconstants.SELINUX_DISABLED:
args.append("--selinux=disabled")
self.call(args)
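Review bot: The three independent `if` tests leave `args` without any `--selinux=` option when the value matches none of the constants, whereas the removed `else` always passed an explicit mode. lokkit would then run with whatever it defaults to, so the image's SELinux mode would be decided outside this code. Making the second and third tests `elif ksselinux.selinux == ksconstants.SELINUX_PERMISSIVE:` and `elif ksselinux.selinux == ksconstants.SELINUX_DISABLED:` and adding a final `else:` that raises on an unexpected value would make the mapping exhaustive. The enclosing method starts outside the hunk.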
@@ -483,4 +485,4 @@ def get_post_scripts(ks):
return scripts
def selinux_enabled(ks):
- return ks.handler.selinux.selinux
+ return ks.handler.selinux.selinux == ksconstants.SELINUX_ENFORCING