def __create_selinuxfs(self):
# if selinux exists on the host we need to lie to the chroot
if os.path.exists("/selinux/enforce"):
selinux_dir = self._instroot + "/selinux"
# enforce=0 tells the chroot selinux is not enforcing
# policyvers=999 tell the chroot to make the highest version of policy it can
files = [('/enforce', '0'),
('/policyvers', '999'),
('/commit_pending_bools', ''),
('/mls', str(selinux.is_selinux_mls_enabled()))]
for (file, value) in files + self.__getbooleans():
fd = os.open(selinux_dir + file, os.O_WRONLY | os.O_TRUNC | os.O_CREAT)
os.write(fd, value)
os.close(fd)
# we steal mls from the host system for now, might be best to always set it to 1????
# make /load -> /dev/null so chroot policy loads don't hurt anything
os.mknod(selinux_dir + "/load", 0666 | stat.S_IFCHR, os.makedev(1, 3))
# selinux is on in the kickstart, so clean up as best we can to start
if kickstart.selinux_enabled(self.ks):
# label the fs like it is a root before the bind mounting
arglist = ["/sbin/setfiles", "-F", "-r", self._instroot, selinux.selinux_file_context_path(), self._instroot]
subprocess.call(arglist, close_fds = True)
# these dumb things don't get magically fixed, so make the user generic
for f in ("/proc", "/sys", "/selinux"):
arglist = ["/usr/bin/chcon", "-u", "system_u", self._instroot + f]
subprocess.call(arglist, close_fds = True)
def __create_selinuxfs(self):
if not os.path.exists(self.__selinux_mountpoint):
return
arglist = [
"/bin/mount", "--bind", "/dev/null",
self._instroot + self.__selinux_mountpoint + "/load"
]
subprocess.call(arglist, close_fds=True)
if kickstart.selinux_enabled(self.ks):
# label the fs like it is a root before the bind mounting
arglist = [
"/sbin/setfiles", "-F", "-r", self._instroot,
selinux.selinux_file_context_path(), self._instroot
]
subprocess.call(arglist, close_fds=True)
# these dumb things don't get magically fixed, so make the user generic
# if selinux exists on the host we need to lie to the chroot
if selinux.is_selinux_enabled():
for f in ("/proc", "/sys"):
arglist = [
"/usr/bin/chcon", "-u", "system_u", self._instroot + f
]
subprocess.call(arglist, close_fds=True)
def __getbooleans(self):
booleans = []
if not kickstart.selinux_enabled(self.ks) or not os.path.exists("/selinux/enforce"):
return booleans
for i in selinux.security_get_boolean_names()[1]:
on = selinux.security_get_boolean_active(i)
booleans.append(("/booleans/%s" % i, "%d %d" % (on, on)))
return booleans
def __can_handle_selinux(self, ayum):
file = "/usr/sbin/lokkit"
if not kickstart.selinux_enabled(
self.ks) and selinux.is_selinux_enabled(
) and not ayum.installHasFile(file):
raise CreatorError(
"Unable to disable SELinux because the installed package set did not include the file %s"
% (file))
def __create_selinuxfs(self):
arglist = ["/bin/mount", "--bind", "/dev/null", self._instroot + self.__selinux_mountpoint + "/load"]
subprocess.call(arglist, close_fds = True)
if kickstart.selinux_enabled(self.ks):
# label the fs like it is a root before the bind mounting
arglist = ["/sbin/setfiles", "-F", "-r", self._instroot, selinux.selinux_file_context_path(), self._instroot]
subprocess.call(arglist, close_fds = True)
# these dumb things don't get magically fixed, so make the user generic
# if selinux exists on the host we need to lie to the chroot
if selinux.is_selinux_enabled():
for f in ("/proc", "/sys"):
arglist = ["/usr/bin/chcon", "-u", "system_u", self._instroot + f]
subprocess.call(arglist, close_fds = True)
def install(self, repo_urls={}):
"""Install packages into the install root.
This function installs the packages listed in the supplied kickstart
into the install root. By default, the packages are installed from the
repository URLs specified in the kickstart.
repo_urls -- a dict which maps a repository name to a repository URL;
if supplied, this causes any repository URLs specified in
the kickstart to be overridden.
"""
yum_conf = self._mktemp(prefix="yum.conf-")
ayum = LiveCDYum(releasever=self.releasever,
useplugins=self.useplugins)
ayum.setup(yum_conf, self._instroot, cacheonly=self.cacheonly)
for repo in kickstart.get_repos(self.ks, repo_urls):
(name, baseurl, mirrorlist, proxy, inc, exc, cost,
sslverify) = repo
yr = ayum.addRepository(name, baseurl, mirrorlist)
if inc:
yr.includepkgs = inc
if exc:
yr.exclude = exc
if proxy:
yr.proxy = proxy
if cost is not None:
yr.cost = cost
yr.sslverify = sslverify
ayum.setup(yum_conf, self._instroot)
if kickstart.exclude_docs(self.ks):
rpm.addMacro("_excludedocs", "1")
if not kickstart.selinux_enabled(self.ks):
rpm.addMacro("__file_context_path", "%{nil}")
if kickstart.inst_langs(self.ks) != None:
rpm.addMacro("_install_langs", kickstart.inst_langs(self.ks))
try:
self.__select_packages(ayum)
self.__select_groups(ayum)
self.__deselect_packages(ayum)
ayum.runInstall()
except yum.Errors.RepoError, e:
raise CreatorError("Unable to download from repo : %s" % (e, ))
def install(self, repo_urls = {}):
"""Install packages into the install root.
This function installs the packages listed in the supplied kickstart
into the install root. By default, the packages are installed from the
repository URLs specified in the kickstart.
repo_urls -- a dict which maps a repository name to a repository URL;
if supplied, this causes any repository URLs specified in
the kickstart to be overridden.
"""
yum_conf = self._mktemp(prefix = "yum.conf-")
ayum = LiveCDYum(releasever=self.releasever, useplugins=self.useplugins)
ayum.setup(yum_conf, self._instroot, cacheonly=self.cacheonly)
for repo in kickstart.get_repos(self.ks, repo_urls):
(name, baseurl, mirrorlist, proxy, inc, exc, cost, sslverify) = repo
yr = ayum.addRepository(name, baseurl, mirrorlist)
if inc:
yr.includepkgs = inc
if exc:
yr.exclude = exc
if proxy:
yr.proxy = proxy
if cost is not None:
yr.cost = cost
yr.sslverify = sslverify
ayum.setup(yum_conf, self._instroot)
if kickstart.exclude_docs(self.ks):
rpm.addMacro("_excludedocs", "1")
if not kickstart.selinux_enabled(self.ks):
rpm.addMacro("__file_context_path", "%{nil}")
if kickstart.inst_langs(self.ks) != None:
rpm.addMacro("_install_langs", kickstart.inst_langs(self.ks))
try:
self.__select_packages(ayum)
self.__select_groups(ayum)
self.__deselect_packages(ayum)
ayum.runInstall()
except yum.Errors.RepoError, e:
raise CreatorError("Unable to download from repo : %s" % (e,))
def install(self, repo_urls = {}):
"""Install packages into the install root.
This function installs the packages listed in the supplied kickstart
into the install root. By default, the packages are installed from the
repository URLs specified in the kickstart.
repo_urls -- a dict which maps a repository name to a repository URL;
if supplied, this causes any repository URLs specified in
the kickstart to be overridden.
"""
dnf_conf = self._mktemp(prefix = "dnf.conf-")
dbo = DnfLiveCD(releasever=self.releasever, useplugins=self.useplugins)
dbo.setup(dnf_conf, self._instroot, cacheonly=self.cacheonly,
excludeWeakdeps=self.excludeWeakdeps)
for repo in kickstart.get_repos(self.ks, repo_urls):
(name, baseurl, mirrorlist, proxy, inc, exc, cost, sslverify) = repo
yr = dbo.addRepository(name, baseurl, mirrorlist)
if inc:
yr.includepkgs = inc
if exc:
yr.exclude = exc
if proxy:
yr.proxy = proxy
if cost is not None:
yr.cost = cost
yr.sslverify = sslverify
if kickstart.exclude_docs(self.ks):
rpm.addMacro("_excludedocs", "1")
if not kickstart.selinux_enabled(self.ks):
rpm.addMacro("__file_context_path", "%{nil}")
if kickstart.inst_langs(self.ks) != None:
rpm.addMacro("_install_langs", kickstart.inst_langs(self.ks))
dbo.fill_sack(load_system_repo = os.path.exists(self._instroot + "/var/lib/rpm/Packages"))
dbo.read_comps()
try:
self.__apply_selections(dbo)
dbo.runInstall()
except (dnf.exceptions.DownloadError, dnf.exceptions.RepoError) as e:
raise CreatorError("Unable to download from repo : %s" % (e,))
except dnf.exceptions.Error as e:
raise CreatorError("Unable to install: %s" % (e,))
finally:
dbo.close()
os.unlink(dnf_conf)
# do some clean up to avoid lvm info leakage. this sucks.
for subdir in ("cache", "backup", "archive"):
lvmdir = self._instroot + "/etc/lvm/" + subdir
try:
for f in os.listdir(lvmdir):
os.unlink(lvmdir + "/" + f)
except:
pass
def __can_handle_selinux(self, ayum):
file = "/usr/sbin/lokkit"
if not kickstart.selinux_enabled(self.ks) and selinux.is_selinux_enabled() and not ayum.installHasFile(file):
raise CreatorError("Unable to disable SELinux because the installed package set did not include the file %s" % (file))