Ejemplo n.º 1
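    def __create_selinuxfs(self):
        """Build a fake selinuxfs under the install root and relabel the tree.

        When the host exposes /selinux/enforce, a set of plain files is
        written below <instroot>/selinux so that tools inside the chroot see a
        non-enforcing SELinux, and a character device with the /dev/null
        device numbers is created as <instroot>/selinux/load.

        When the kickstart enables SELinux, the install root is relabelled
        with setfiles and the SELinux user of /proc, /sys and /selinux below
        the install root is set to system_u with chcon.
        """
        # if selinux exists on the host we need to lie to the chroot
        if os.path.exists("/selinux/enforce"):
            selinux_dir = self._instroot + "/selinux"

            # enforce=0 tells the chroot selinux is not enforcing
            # policyvers=999 tell the chroot to make the highest version of policy it can

            files = [('/enforce', '0'),
                     ('/policyvers', '999'),
                     ('/commit_pending_bools', ''),
                     ('/mls', str(selinux.is_selinux_mls_enabled()))]

            for (name, value) in files + self.__getbooleans():
                # NOTE: no mode argument is given, so a newly created file
                # gets os.open's default mode (0777 before the umask).
                fd = os.open(selinux_dir + name, os.O_WRONLY | os.O_TRUNC | os.O_CREAT)
                try:
                    os.write(fd, value)
                finally:
                    # release the descriptor even when the write fails, so a
                    # failed write does not leak it
                    os.close(fd)

            # we steal mls from the host system for now, might be best to always set it to 1????
            # make /load -> /dev/null so chroot policy loads don't hurt anything
            os.mknod(selinux_dir + "/load", 0666 | stat.S_IFCHR, os.makedev(1, 3))

        # selinux is on in the kickstart, so clean up as best we can to start
        if kickstart.selinux_enabled(self.ks):
            # label the fs like it is a root before the bind mounting
            # NOTE: the exit status of setfiles and chcon is discarded, so a
            # failed relabel is not reported to the caller (best effort).
            arglist = ["/sbin/setfiles", "-F", "-r", self._instroot, selinux.selinux_file_context_path(), self._instroot]
            subprocess.call(arglist, close_fds = True)
            # these dumb things don't get magically fixed, so make the user generic
            for f in ("/proc", "/sys", "/selinux"):
                arglist = ["/usr/bin/chcon", "-u", "system_u", self._instroot + f]
                subprocess.call(arglist, close_fds = True)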
Ejemplo n.º 2
    def __create_selinuxfs(self):
        """Mask the SELinux load node in the install root and relabel the tree.

        Returns immediately when the selinuxfs mount point path does not
        exist. Otherwise /dev/null is bind-mounted over the ``load`` node
        below the install root's copy of that mount point. If the kickstart
        enables SELinux the install root is relabelled with setfiles, and if
        SELinux is enabled on the host the SELinux user of /proc and /sys
        below the install root is set to system_u.

        The exit status of the external commands is not checked.
        """
        mountpoint = self.__selinux_mountpoint
        if not os.path.exists(mountpoint):
            return

        root = self._instroot

        # presumably so that policy loads issued inside the chroot are
        # discarded instead of reaching the host -- TODO confirm
        subprocess.call(
            ["/bin/mount", "--bind", "/dev/null", root + mountpoint + "/load"],
            close_fds=True)

        if kickstart.selinux_enabled(self.ks):
            # label the fs like it is a root before the bind mounting
            subprocess.call(
                ["/sbin/setfiles", "-F", "-r", root,
                 selinux.selinux_file_context_path(), root],
                close_fds=True)

        # the relabel does not fix these two, so give them a generic user
        # whenever the host itself runs SELinux
        if selinux.is_selinux_enabled():
            for subdir in ("/proc", "/sys"):
                subprocess.call(
                    ["/usr/bin/chcon", "-u", "system_u", root + subdir],
                    close_fds=True)
Ejemplo n.º 3
 def __getbooleans(self):
     """Return (path, value) pairs describing the host's SELinux booleans.

     The result is empty unless the kickstart enables SELinux and the host
     has /selinux/enforce. Each pair is ("/booleans/<name>", "<n> <n>") where
     <n> is the value security_get_boolean_active() reports for that boolean.
     """
     if not (kickstart.selinux_enabled(self.ks) and os.path.exists("/selinux/enforce")):
         return []
     # element [1] of security_get_boolean_names() is the list of names;
     # element [0] is not inspected here
     return [("/booleans/%s" % name, "%d %d" % (state, state))
             for name in selinux.security_get_boolean_names()[1]
             for state in (selinux.security_get_boolean_active(name),)]
Ejemplo n.º 4
 def __can_handle_selinux(self, ayum):
     """Raise CreatorError when SELinux cannot be disabled in the image.

     The error is raised only if all three hold: the kickstart does not
     enable SELinux, SELinux is enabled on the host, and the package set
     known to *ayum* does not provide /usr/sbin/lokkit.
     """
     lokkit_path = "/usr/sbin/lokkit"
     # guard clauses keep the original evaluation order of the three checks
     if kickstart.selinux_enabled(self.ks):
         return
     if not selinux.is_selinux_enabled():
         return
     if ayum.installHasFile(lokkit_path):
         return
     raise CreatorError(
         "Unable to disable SELinux because the installed package set did not include the file %s"
         % lokkit_path)
Ejemplo n.º 5
    def __create_selinuxfs(self):
        """Mask the SELinux load node in the install root and relabel the tree.

        /dev/null is bind-mounted over the ``load`` node below the install
        root's copy of the selinuxfs mount point. If the kickstart enables
        SELinux the install root is relabelled with setfiles, and if SELinux
        is enabled on the host the SELinux user of /proc and /sys below the
        install root is set to system_u.
        """
        def run(argv):
            # every external tool is started the same way; the exit status is
            # returned by subprocess.call but no caller below looks at it
            return subprocess.call(argv, close_fds = True)

        instroot = self._instroot

        run(["/bin/mount", "--bind", "/dev/null", instroot + self.__selinux_mountpoint + "/load"])

        if kickstart.selinux_enabled(self.ks):
            # label the fs like it is a root before the bind mounting
            run(["/sbin/setfiles", "-F", "-r", instroot, selinux.selinux_file_context_path(), instroot])

        # the relabel does not fix these two, so give them a generic user
        # whenever the host itself runs SELinux
        if selinux.is_selinux_enabled():
            for pseudo_fs in ("/proc", "/sys"):
                run(["/usr/bin/chcon", "-u", "system_u", instroot + pseudo_fs])
Ejemplo n.º 6
    def install(self, repo_urls={}):
        """Install the kickstart's package selection into the install root.

        Packages come from the repositories named in the kickstart unless
        *repo_urls* overrides them.

        repo_urls -- a dict which maps a repository name to a repository URL;
                     if supplied, this causes any repository URLs specified in
                     the kickstart to be overridden.

        Raises CreatorError when yum reports a repository error.

        """
        conf_path = self._mktemp(prefix="yum.conf-")

        ayum = LiveCDYum(releasever=self.releasever,
                         useplugins=self.useplugins)
        ayum.setup(conf_path, self._instroot, cacheonly=self.cacheonly)

        for (name, baseurl, mirrorlist, proxy, inc, exc, cost,
             sslverify) in kickstart.get_repos(self.ks, repo_urls):
            repo_obj = ayum.addRepository(name, baseurl, mirrorlist)
            # optional settings are only written when the kickstart gave one
            if inc:
                repo_obj.includepkgs = inc
            if exc:
                repo_obj.exclude = exc
            if proxy:
                repo_obj.proxy = proxy
            if cost is not None:
                repo_obj.cost = cost
            # sslverify is always copied from the repo tuple as-is
            repo_obj.sslverify = sslverify
        # setup is run a second time once the repositories are registered,
        # this time without the cacheonly argument
        ayum.setup(conf_path, self._instroot)

        # rpm macros derived from kickstart options
        if kickstart.exclude_docs(self.ks):
            rpm.addMacro("_excludedocs", "1")
        if not kickstart.selinux_enabled(self.ks):
            rpm.addMacro("__file_context_path", "%{nil}")
        if kickstart.inst_langs(self.ks) != None:
            rpm.addMacro("_install_langs", kickstart.inst_langs(self.ks))

        try:
            self.__select_packages(ayum)
            self.__select_groups(ayum)
            self.__deselect_packages(ayum)

            ayum.runInstall()
        except yum.Errors.RepoError, e:
            raise CreatorError("Unable to download from repo : %s" % (e, ))
Ejemplo n.º 7
    def install(self, repo_urls = {}):
        """Install the kickstart's package selection into the install root.

        Packages come from the repositories named in the kickstart unless
        *repo_urls* overrides them.

        repo_urls -- a dict which maps a repository name to a repository URL;
                     if supplied, this causes any repository URLs specified in
                     the kickstart to be overridden.

        Raises CreatorError when yum reports a repository error.

        """
        yum_conf = self._mktemp(prefix = "yum.conf-")
        instroot = self._instroot

        ayum = LiveCDYum(releasever=self.releasever, useplugins=self.useplugins)
        ayum.setup(yum_conf, instroot, cacheonly=self.cacheonly)

        for repo in kickstart.get_repos(self.ks, repo_urls):
            (name, baseurl, mirrorlist, proxy, inc, exc, cost, sslverify) = repo

            yr = ayum.addRepository(name, baseurl, mirrorlist)
            # these three are applied only when the kickstart supplied a
            # truthy value, in the same order as before
            for attr, setting in (("includepkgs", inc),
                                  ("exclude", exc),
                                  ("proxy", proxy)):
                if setting:
                    setattr(yr, attr, setting)
            if cost is not None:
                yr.cost = cost
            # sslverify is always copied from the repo tuple as-is
            yr.sslverify = sslverify
        # second setup call, this time without the cacheonly argument
        ayum.setup(yum_conf, instroot)

        # rpm macros derived from kickstart options
        if kickstart.exclude_docs(self.ks):
            rpm.addMacro("_excludedocs", "1")
        if not kickstart.selinux_enabled(self.ks):
            rpm.addMacro("__file_context_path", "%{nil}")
        if kickstart.inst_langs(self.ks) != None:
            rpm.addMacro("_install_langs", kickstart.inst_langs(self.ks))

        try:
            self.__select_packages(ayum)
            self.__select_groups(ayum)
            self.__deselect_packages(ayum)

            ayum.runInstall()
        except yum.Errors.RepoError, e:
            raise CreatorError("Unable to download from repo : %s" % (e,))
Ejemplo n.º 8
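    def install(self, repo_urls = {}):
        """Install packages into the install root.

        This function installs the packages listed in the supplied kickstart
        into the install root. By default, the packages are installed from the
        repository URLs specified in the kickstart.

        repo_urls -- a dict which maps a repository name to a repository URL;
                     if supplied, this causes any repository URLs specified in
                     the kickstart to be overridden.

        Raises CreatorError if packages cannot be downloaded or installed.
        After a successful install, files under etc/lvm/{cache,backup,archive}
        in the install root are removed; failures there are logged, not raised.

        """
        # local imports: the module's import block is not visible from here
        import errno
        import logging

        dnf_conf = self._mktemp(prefix = "dnf.conf-")

        dbo = DnfLiveCD(releasever=self.releasever, useplugins=self.useplugins)
        dbo.setup(dnf_conf, self._instroot, cacheonly=self.cacheonly,
                   excludeWeakdeps=self.excludeWeakdeps)

        for repo in kickstart.get_repos(self.ks, repo_urls):
            (name, baseurl, mirrorlist, proxy, inc, exc, cost, sslverify) = repo

            yr = dbo.addRepository(name, baseurl, mirrorlist)
            if inc:
                yr.includepkgs = inc
            if exc:
                yr.exclude = exc
            if proxy:
                yr.proxy = proxy
            if cost is not None:
                yr.cost = cost
            # NOTE(review): sslverify is copied from the kickstart repo entry
            # as-is; a falsy value presumably turns off certificate checking
            # for that repo -- confirm the kickstart comes from a trusted source
            yr.sslverify = sslverify

        if kickstart.exclude_docs(self.ks):
            rpm.addMacro("_excludedocs", "1")
        if not kickstart.selinux_enabled(self.ks):
            rpm.addMacro("__file_context_path", "%{nil}")
        inst_langs = kickstart.inst_langs(self.ks)
        if inst_langs is not None:
            rpm.addMacro("_install_langs", inst_langs)

        dbo.fill_sack(load_system_repo = os.path.exists(self._instroot + "/var/lib/rpm/Packages"))
        dbo.read_comps()

        try:
            self.__apply_selections(dbo)

            dbo.runInstall()
        except (dnf.exceptions.DownloadError, dnf.exceptions.RepoError) as e:
            raise CreatorError("Unable to download from repo : %s" % (e,))
        except dnf.exceptions.Error as e:
            raise CreatorError("Unable to install: %s" % (e,))
        finally:
            # remove the temporary config even when closing the base fails
            try:
                dbo.close()
            finally:
                os.unlink(dnf_conf)

        # do some clean up to avoid lvm info leakage.  this sucks.
        for subdir in ("cache", "backup", "archive"):
            lvmdir = self._instroot + "/etc/lvm/" + subdir
            try:
                entries = os.listdir(lvmdir)
            except OSError as e:
                # a missing directory means there is nothing to clean; any
                # other failure is reported so leftover metadata is noticed
                if e.errno != errno.ENOENT:
                    logging.warning("Unable to list %s for LVM cleanup: %s", lvmdir, e)
                continue
            for f in entries:
                # handle each file on its own so one failure does not leave
                # the remaining files of the directory in the image
                try:
                    os.unlink(lvmdir + "/" + f)
                except OSError as e:
                    logging.warning("Unable to remove %s: %s", lvmdir + "/" + f, e)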
Ejemplo n.º 9
 def __can_handle_selinux(self, ayum):
     """Raise CreatorError when SELinux cannot be disabled in the image.

     The error is raised only if the kickstart does not enable SELinux, the
     host has SELinux enabled, and the package set known to *ayum* does not
     provide /usr/sbin/lokkit.
     """
     lokkit = "/usr/sbin/lokkit"
     # nested checks run in the same order as the original combined condition
     if not kickstart.selinux_enabled(self.ks):
         if selinux.is_selinux_enabled():
             if not ayum.installHasFile(lokkit):
                 raise CreatorError("Unable to disable SELinux because the installed package set did not include the file %s" % lokkit)