def testMountingXFS(self):
an_fs = fs.XFS(device=self.loopDevices[0], label="test")
self.assertIsNone(an_fs.create())
blivet.flags.installer_mode = False
mountpoint = tempfile.mkdtemp("test.selinux")
an_fs.mount(mountpoint=mountpoint)
root_selinux_context = selinux.getfilecon(mountpoint)
lost_and_found = os.path.join(mountpoint, "lost+found")
self.assertFalse(os.path.exists(lost_and_found))
an_fs.unmount()
os.rmdir(mountpoint)
self.assertEqual(root_selinux_context[1], 'system_u:object_r:unlabeled_t:s0')
blivet.flags.installer_mode = True
mountpoint = tempfile.mkdtemp("test.selinux")
an_fs.mount(mountpoint=mountpoint)
root_selinux_context = selinux.getfilecon(mountpoint)
lost_and_found = os.path.join(mountpoint, "lost+found")
self.assertFalse(os.path.exists(lost_and_found))
an_fs.unmount()
os.rmdir(mountpoint)
self.assertEqual(root_selinux_context[1], 'system_u:object_r:file_t:s0')
def get_init_transtype(path):
entrypoint = selinux.getfilecon(path)[1].split(":")[2]
try:
entrypoints = list(filter(lambda x: x['target'] == entrypoint, search([TRANSITION], {'source': "init_t", 'class': 'process'})))
return entrypoints[0]["transtype"]
except (TypeError, AttributeError, IndexError):
pass
return None
def get_file_level(file_name):
try:
context = selinux.getfilecon(file_name)
context_array = context[1].split(":")
range = context_array[3]
range_array = range.split("-")
level = range_array[0]
except Exception, ex:
return "Cancel - getting file level for %s exception: %s" % (file_name, ex)
def overwrite_safely(path, content, preserve_mode=True, preserve_context=True):
"""Safely overwrite a file by creating a temporary file in the same
directory, writing it, moving it over the original file, eventually
preserving file mode and SELinux context."""
path = os.path.realpath(path)
dir_ = os.path.dirname(path)
base = os.path.basename(path)
fd = None
f = None
tmpname = None
exists = os.path.exists(path)
if preserve_context and selinux.is_selinux_enabled() <= 0:
preserve_context = False
try:
fd, tmpname = tempfile.mkstemp(prefix=base + os.path.extsep,
dir=dir_)
if exists and preserve_mode:
shutil.copymode(path, tmpname)
if exists and preserve_context:
ret, ctx = selinux.getfilecon(path)
if ret < 0:
raise RuntimeError("getfilecon(%r) failed" % path)
f = os.fdopen(fd, "w")
fd = None
f.write(content)
f.close()
f = None
os.rename(tmpname, path)
if preserve_context:
if exists:
selinux.setfilecon(path, ctx)
else:
selinux.restorecon(path)
finally:
if f:
f.close()
elif fd:
os.close(fd)
if tmpname and os.path.isfile(tmpname):
try:
os.unlink(tmpname)
except:
pass
def get_selinux_context(path):
"""
When selinux is enabled, return the context of ``path``
:param path: Full or relative path to a file or directory
:return: SELinux context as a string
:raises IOError: As per usual. Documented here as it's
a behavior difference from ``set_selinux_context()``.
"""
# First list item is null-terminated string length
return selinux.getfilecon(path)[1]
def get_init_transtype(path):
entrypoint = selinux.getfilecon(path)[1].split(":")[2]
try:
entrypoints = [x for x in search([TRANSITION],{'source':"init_t", 'class':'process'}) if x['target'] == entrypoint]
if len(entrypoints) == 0:
return None
return entrypoints[0]["transtype"]
except TypeError:
pass
return None
def testMountingExt2FS(self):
_LOOP_DEV0 = self._loopMap[self._LOOP_DEVICES[0]]
an_fs = fs.Ext2FS(device=_LOOP_DEV0, label="test")
self.assertIsNone(an_fs.create())
blivet.flags.installer_mode = False
mountpoint = tempfile.mkdtemp("test.selinux")
an_fs.mount(mountpoint=mountpoint)
root_selinux_context = selinux.getfilecon(mountpoint)
lost_and_found = os.path.join(mountpoint, "lost+found")
self.assertTrue(os.path.exists(lost_and_found))
lost_and_found_selinux_context = selinux.getfilecon(lost_and_found)
an_fs.unmount()
os.rmdir(mountpoint)
self.assertEqual(root_selinux_context[1], 'system_u:object_r:file_t:s0')
self.assertEqual(lost_and_found_selinux_context[1],
'system_u:object_r:file_t:s0')
blivet.flags.installer_mode = True
mountpoint = tempfile.mkdtemp("test.selinux")
an_fs.mount(mountpoint=mountpoint)
root_selinux_context = selinux.getfilecon(mountpoint)
lost_and_found = os.path.join(mountpoint, "lost+found")
self.assertTrue(os.path.exists(lost_and_found))
lost_and_found_selinux_context = selinux.getfilecon(lost_and_found)
an_fs.unmount()
os.rmdir(mountpoint)
self.assertEqual(root_selinux_context[1], 'system_u:object_r:file_t:s0')
self.assertEqual(lost_and_found_selinux_context[1],
'system_u:object_r:lost_found_t:s0')
def _gather_data(self, path):
""" Get data on the existing state of <path> -- e.g., whether
or not it exists, owner, group, permissions, etc. """
try:
ondisk = os.stat(path)
except OSError:
self.logger.debug("POSIX: %s does not exist" % path)
return (False, None, None, None, None, None)
try:
owner = str(ondisk[stat.ST_UID])
except OSError:
err = sys.exc_info()[1]
self.logger.debug("POSIX: Could not get current owner of %s: %s" %
(path, err))
owner = None
except KeyError:
self.logger.error('POSIX: User resolution failed for %s' % path)
owner = None
try:
group = str(ondisk[stat.ST_GID])
except (OSError, KeyError):
err = sys.exc_info()[1]
self.logger.debug("POSIX: Could not get current group of %s: %s" %
(path, err))
group = None
except KeyError:
self.logger.error('POSIX: Group resolution failed for %s' % path)
group = None
try:
mode = oct_mode(ondisk[stat.ST_MODE])[-4:]
except (OSError, KeyError, TypeError):
err = sys.exc_info()[1]
self.logger.debug("POSIX: Could not get current permissions of "
"%s: %s" % (path, err))
mode = None
if HAS_SELINUX:
try:
secontext = selinux.getfilecon(path)[1].split(":")[2]
except (OSError, KeyError):
err = sys.exc_info()[1]
self.logger.debug("POSIX: Could not get current SELinux "
"context of %s: %s" % (path, err))
secontext = None
else:
secontext = None
if HAS_ACLS:
acls = self._list_file_acls(path)
else:
acls = None
return (ondisk, owner, group, mode, secontext, acls)
def _gather_data(self, path):
try:
ondisk = os.stat(path)
except OSError:
self.logger.debug("POSIX: %s does not exist" % path)
return (False, None, None, None, None, None)
try:
owner = str(ondisk[stat.ST_UID])
except OSError:
err = sys.exc_info()[1]
self.logger.debug("POSIX: Could not get current owner of %s: %s" %
(path, err))
owner = None
except KeyError:
self.logger.error('POSIX: User resolution failed for %s' % path)
owner = None
try:
group = str(ondisk[stat.ST_GID])
except (OSError, KeyError):
err = sys.exc_info()[1]
self.logger.debug("POSIX: Could not get current group of %s: %s" %
(path, err))
group = None
except KeyError:
self.logger.error('POSIX: Group resolution failed for %s' % path)
group = None
try:
perms = oct(ondisk[stat.ST_MODE])[-4:]
except (OSError, KeyError, TypeError):
err = sys.exc_info()[1]
self.logger.debug("POSIX: Could not get current permissions of %s: "
"%s" % (path, err))
perms = None
if has_selinux:
try:
secontext = selinux.getfilecon(path)[1].split(":")[2]
except (OSError, KeyError):
err = sys.exc_info()[1]
self.logger.debug("POSIX: Could not get current SELinux "
"context of %s: %s" % (path, err))
secontext = None
else:
secontext = None
if has_acls:
acls = self._list_file_acls(path)
else:
acls = None
return (ondisk, owner, group, perms, secontext, acls)
def test_mounting_ext2fs(self):
""" Test that lost+found directory gets assigned correct SELinux
context if selinux_set_fcon is True, and retains some random old
context if selinux_set_fcon is False.
"""
LOST_AND_FOUND_CONTEXT = "system_u:object_r:lost_found_t:s0"
an_fs = fs.Ext2FS(device=self.loop_devices[0], label="test")
if not an_fs.formattable or not an_fs.mountable:
self.skipTest("can not create or mount filesystem %s" % an_fs.name)
self.assertIsNone(an_fs.create())
blivet.flags.selinux_reset_fcon = False
mountpoint = tempfile.mkdtemp("test.selinux")
an_fs.mount(mountpoint=mountpoint)
lost_and_found = os.path.join(mountpoint, "lost+found")
self.assertTrue(os.path.exists(lost_and_found))
lost_and_found_selinux_context = selinux.getfilecon(lost_and_found)
an_fs.unmount()
os.rmdir(mountpoint)
self.assertNotEqual(lost_and_found_selinux_context[1], LOST_AND_FOUND_CONTEXT)
blivet.flags.selinux_reset_fcon = True
mountpoint = tempfile.mkdtemp("test.selinux")
an_fs.mount(mountpoint=mountpoint)
lost_and_found = os.path.join(mountpoint, "lost+found")
self.assertTrue(os.path.exists(lost_and_found))
lost_and_found_selinux_context = selinux.getfilecon(lost_and_found)
an_fs.unmount()
os.rmdir(mountpoint)
self.assertEqual(lost_and_found_selinux_context[1], LOST_AND_FOUND_CONTEXT)
def make_polydir_name(dir_name, context):
(rc, dircon) = selinux.getfilecon(dir_name)
if rc < 0:
raise Exception("Error in getting directory context: %s " % (dir_name))
context_array = dircon.split(":")
# Only generate polyinstantiated name based on the level not the range
context_array[3] = get_level(context)
newcontext = ':'.join(context_array)
(rc, full_dir) = selinux.selinux_trans_to_raw_context(newcontext)
if rc < 0:
raise Exception("Error translating context: %s " % (newcontext))
m = md5.new()
m.update(full_dir)
return dir_name + ".inst/" + m.hexdigest()
def mkdir(target, refdir):
target = _native_string(target, encoding=_encodings['fs'], errors='strict')
refdir = _native_string(refdir, encoding=_encodings['fs'], errors='strict')
(rc, ctx) = selinux.getfilecon(refdir)
if rc < 0:
raise OSError(
_("mkdir: Failed getting context of reference directory \"%s\".") \
% refdir)
setfscreate(ctx)
try:
os.mkdir(target)
finally:
setfscreate()
def get_init_transtype(path):
entrypoint = selinux.getfilecon(path)[1].split(":")[2]
try:
entrypoints = list(
filter(
lambda x: x['target'] == entrypoint,
search([TRANSITION], {
'source': "init_t",
'class': 'process'
})))
return entrypoints[0]["transtype"]
except (TypeError, AttributeError, IndexError):
pass
return None
def make_polydir_name(dir_name, context):
(rc, dircon) = selinux.getfilecon(dir_name)
if rc < 0:
raise Exception("Error in getting directory context: %s " % (dir_name))
context_array = dircon.split(":")
# Only generate polyinstantiated name based on the level not the range
context_array[3] = get_level(context)
newcontext = ':'.join(context_array)
(rc, full_dir) = selinux.selinux_trans_to_raw_context(newcontext)
if rc < 0:
raise Exception("Error translating context: %s " % (newcontext))
m = md5.new()
m.update(full_dir)
return dir_name + ".inst/" + m.hexdigest()
def get_init_transtype(path):
entrypoint = selinux.getfilecon(path)[1].split(":")[2]
try:
entrypoints = filter(
lambda x: x['target'] == entrypoint,
search([TRANSITION], {
'source': "init_t",
'class': 'process'
}))
if len(entrypoints) == 0:
return None
return entrypoints[0]["transtype"]
except TypeError:
pass
return None
def analyze(self, avc):
if not avc.query_environment: return None
if avc.spath is None: return None
if avc.spath[0] != '/': return None
try:
mcon = selinux.matchpathcon(avc.spath.strip('"'), S_IFREG)[1]
mcon_type = mcon.split(":")[2]
gcon = selinux.getfilecon(avc.spath.strip('"'))[1]
gcon_type = gcon.split(":")[2]
if mcon_type != gcon_type:
return self.report((0, mcon_type))
except OSError:
pass
return None
def analyze(self, avc):
if not avc.query_environment: return None
if avc.spath is None: return None
if avc.spath[0] != '/': return None
try:
mcon = selinux.matchpathcon(avc.spath.strip('"'), S_IFREG)[1]
mcon_type=mcon.split(":")[2]
gcon = selinux.getfilecon(avc.spath.strip('"'))[1]
gcon_type = gcon.split(":")[2]
if mcon_type != gcon_type:
return self.report((0, mcon_type))
except OSError:
pass
return None
def mkdir(target, refdir):
target = _unicode_encode(target, encoding=_encodings['fs'], errors='strict')
refdir = _unicode_encode(refdir, encoding=_encodings['fs'], errors='strict')
(rc, ctx) = selinux.getfilecon(refdir)
if rc < 0:
refdir = _unicode_decode(refdir, encoding=_encodings['fs'],
errors='replace')
raise OSError(
_("mkdir: Failed getting context of reference directory \"%s\".") \
% refdir)
setfscreate(ctx)
try:
os.mkdir(target)
finally:
setfscreate()
def _copyfile(selinux_hnd, src, dest, try_hardlink=False):
if selinux_hnd is not None:
mode = 0o755
try:
mode = os.stat(src).st_mode
except OSError:
pass
ctx = selinux.selabel_lookup_raw(selinux_hnd, str(dest), mode)
selinux.setfscreatecon_raw(ctx[1])
if os.path.isdir(src):
# add the directory only if it is empty, so we don't delete directories that
# weren't added by us. Anyway a non empty directory would be created by
# its children.
if len(os.listdir(src)) == 0:
os.mkdir(dest)
return True
elif os.path.islink(src):
linkto = os.readlink(src)
os.symlink(linkto, dest)
return True
else:
file_copied = False
# newer version of Skopeo/SELinux use the same SELinux context for system containers
# files as the host files at the same location i.e. /exports/hostfs/foo -> /foo.
if try_hardlink and selinux_hnd is not None:
src_label = selinux.getfilecon(src)
# Files have the same label, we can use a hard link.
if src_label[1] == ctx[1]:
try:
os.link(src, dest)
file_copied = True
except: # pylint: disable=bare-except
pass
# fallback to file copy.
if not file_copied:
# we cannot use shutil.copy2() or shutil.copystat() here as it would override the
# security.selinux xattr.
shutil.copy(src, dest)
shutil.copymode(src, dest)
return True
return False
def check_permission(path):
#check selinux context_t
if selinux.is_selinux_enabled():
context_t = selinux.getfilecon(path)[1].split(":")[2]
#openstack-selinux already supports /var/run folder with var_run_t context.
#for other folder, we expect virt_cache_t context.
if not (((path == '/var/run' or path.startswith('/var/run/'))
and context_t == 'var_run_t') or context_t == 'virt_cache_t'):
msg = "selinux context is not properly configured on %s" % (path)
return False, msg
#check rx permission for qemu-kvm-user
##user that the (libvirt managed) QEMU VM(process)s are run as: that utimately requires permission on vhost sockets.
##The default user is "qemu" for RHEL7.5 (the comment in /etc/libvirt/qemu.conf seems wrong, which says default is root)
##ps -ef shows |grep qemu, confirms the user.
##We are checking "libvirt capabilities" to find out the user.
qemu_kvm_user = get_qemu_process_user()
if qemu_kvm_user is None:
msg = "qemu_kvm_user couldnot be found."
return False, msg
uid_qemu_kvm_user = pwd.getpwnam(qemu_kvm_user).pw_uid
gid_groups_qemu_kvm_user = [
g.gr_gid for g in grp.getgrall() if qemu_kvm_user in g.gr_mem
]
stat_obj = os.stat(path)
uid_path = stat_obj.st_uid
gid_path = stat_obj.st_gid
chmod_path = oct(stat_obj.st_mode)[-3:] #e.g. '755'
#user falls in user/group/other
if uid_path == uid_qemu_kvm_user:
index = 0
elif gid_path in gid_groups_qemu_kvm_user:
index = 1
else:
index = 2
#check rx permission
if chmod_path[index] in ['5', '7']:
return True, ''
else:
msg = "%s does not have read/execute permission set on %s" % (
qemu_kvm_user, path)
return False, msg
def list_contexts(directory):
directory_len = len(directory)
handle = semanage.semanage_handle_create()
semanage.semanage_connect(handle)
(rc, fclist) = semanage.semanage_fcontext_list(handle)
(rc, fclocal) = semanage.semanage_fcontext_list_local(handle)
(rc, fchome) = semanage.semanage_fcontext_list_homedirs(handle)
contexts = []
for fcontext in fclist + fclocal + fchome:
expression = semanage.semanage_fcontext_get_expr(fcontext)
if expression[0:directory_len] == directory:
context = semanage.semanage_fcontext_get_con(fcontext)
if context:
contexts.append(semanage.semanage_context_get_type(context))
selabel = selinux.selabel_open(selinux.SELABEL_CTX_FILE, None, 0)
try:
(rc, context) = selinux.selabel_lookup(selabel, directory, 0)
except FileNotFoundError:
# File context definition containing "<<none>>" triggers exception
context = None
if context:
contexts.append(context.split(":")[2])
# Get the real label (ls -lZ) - may differ from what selabel_lookup returns
try:
context = selinux.getfilecon(directory)[1]
except FileNotFoundError:
context = None
if context:
contexts.append(context.split(":")[2])
return contexts
def set_password(user, password):
"""Set the password for a particular user"""
for filename in PASSWD_FILES:
if not os.path.exists(filename):
continue
# Get the selinux file context before we do anything with the file
if SELINUX:
selinux_context = selinux.getfilecon(filename)
tmpfile = _create_temp_password_file(user, password, filename)
bakfile = '{0}.bak.{1}'.format(filename, os.getpid())
os.rename(filename, bakfile)
os.rename(tmpfile, filename)
os.remove(bakfile)
# Update selinux context after the file replace
if SELINUX:
selinux.setfilecon(filename, selinux_context[1])
return
raise PasswordError((500, "No password file found"))
def get_selinux_label(path: str) -> str:
"""Get file's SELinux label."""
return selinux.getfilecon(path)[-1]
def default_ro_container_context():
if selinux.is_selinux_enabled() != 0:
return selinux.getfilecon("/usr")[1]
return ""
def getcon(self, abspath):
""" Return context of file, symlink or dir """
try:
return selinux.getfilecon(abspath)[1]
except OSError:
self._logger.warning('Cannot get selinux context: "%s"', abspath)
def upgradeMountFilesystems(anaconda):
# mount everything and turn on swap
try:
mountExistingSystem(anaconda, anaconda.id.upgradeRoot[0], allowDirty=0)
except ValueError as e:
log.error("Error mounting filesystem: %s" % e)
anaconda.intf.messageWindow(
_("Mount failed"),
_("The following error occurred when mounting the file "
"systems listed in /etc/fstab. Please fix this problem "
"and try to upgrade again.\n%s" % e))
sys.exit(0)
except IndexError as e:
# The upgrade root is search earlier but we give the message here.
log.debug("No upgrade root was found.")
if anaconda.isKickstart and anaconda.id.ksdata.upgrade.upgrade:
anaconda.intf.messageWindow(
_("Upgrade root not found"),
_("The root for the previously installed system was not "
"found."),
type="custom",
custom_icon="info",
custom_buttons=[_("Exit installer")])
sys.exit(0)
else:
rc = anaconda.intf.messageWindow(
_("Upgrade root not found"),
_("The root for the previously installed system was not "
"found. You can exit installer or backtrack to choose "
"installation instead of upgrade."),
type="custom",
custom_buttons=[_("_Back"), _("_Exit installer")],
custom_icon="question")
if rc == 0:
return DISPATCH_BACK
elif rc == 1:
sys.exit(0)
checkLinks = ('/etc', '/var', '/var/lib', '/var/lib/rpm', '/boot', '/tmp',
'/var/tmp', '/root', '/bin/sh', '/usr/tmp')
badLinks = []
for n in checkLinks:
if not os.path.islink(anaconda.rootPath + n): continue
l = os.readlink(anaconda.rootPath + n)
if l[0] == '/':
badLinks.append(n)
if badLinks:
message = _("The following files are absolute symbolic "
"links, which we do not support during an "
"upgrade. Please change them to relative "
"symbolic links and restart the upgrade.\n\n")
for n in badLinks:
message = message + '\t' + n + '\n'
anaconda.intf.messageWindow(_("Absolute Symlinks"), message)
sys.exit(0)
# fix for 80446
badLinks = []
mustBeLinks = ('/usr/tmp', )
for n in mustBeLinks:
if not os.path.islink(anaconda.rootPath + n):
badLinks.append(n)
if badLinks:
message = _("The following are directories which should instead "
"be symbolic links, which will cause problems with the "
"upgrade. Please return them to their original state "
"as symbolic links and restart the upgrade.\n\n")
for n in badLinks:
message = message + '\t' + n + '\n'
anaconda.intf.messageWindow(_("Invalid Directories"), message)
sys.exit(0)
anaconda.id.storage.turnOnSwap(upgrading=True)
anaconda.id.storage.mkDevRoot()
# Move /etc/rpm/platform out of the way.
if os.path.exists(anaconda.rootPath + "/etc/rpm/platform"):
shutil.move(anaconda.rootPath + "/etc/rpm/platform",
anaconda.rootPath + "/etc/rpm/platform.rpmsave")
# if they've been booting with selinux disabled, then we should
# disable it during the install as well (#242510)
try:
if os.path.exists(anaconda.rootPath + "/.autorelabel"):
ctx = selinux.getfilecon(anaconda.rootPath + "/.autorelabel")[1]
if not ctx or ctx == "unlabeled":
flags.selinux = False
log.info("Disabled SELinux for upgrade based on /.autorelabel")
except Exception, e:
log.warning("error checking selinux state: %s" % (e, ))
def getcon(self, abspath):
""" Return context of file, symlink or dir """
try:
return selinux.getfilecon(abspath.encode("utf-8"))[1]
except OSError:
self._logger.warning('Cannot get selinux context: "%s"', abspath)
def selinux_getfilecon(path):
if have_selinux():
return selinux.getfilecon(path)[1]
return None
def default_ro_container_context():
if selinux.is_selinux_enabled() != 0:
return selinux.getfilecon("/usr")[1]
return ""
def validateEnv(env: Env) -> None:
"""Sanity check and warn user about missing setting"""
def warn(msg: str) -> None:
print(f"\033[93m{msg}\033[m")
# Check if SELinux will block socket access
if env.capabilities.get("selinux"):
for cap in ("x11", "tun", "pulseaudio"):
if env.capabilities.get(cap):
warn(
f"SELinux is disabled because capability '{cap}' need "
"extra type enforcement that are not currently supported.")
selinuxCap(False, env.ctx, env)
env.capabilities["selinux"] = False
# Check for uid permissions
if not env.capabilities.get("root") and not env.capabilities.get("uidmap"):
for cap in ("x11", "pulseaudio", "ssh", "gpg"):
if env.capabilities.get(cap):
warn(f"UIDMap is required because '{cap}' need "
"DAC access to the host file")
uidmapCap(True, env.ctx, env)
break
# Check for system capabilities
if env.capabilities.get("tun") and "NET_ADMIN" not in env.ctx.syscaps:
warn(f"NET_ADMIN capability is needed by the tun device")
env.ctx.syscaps.append("NET_ADMIN")
# Check mount points labels
if env.capabilities.get("selinux") and HAS_SELINUX:
label = "container_file_t"
for hostPath in env.ctx.mounts.values():
hostPath = hostPath.expanduser().resolve()
if hostPath.exists() and \
selinux.getfilecon(str(hostPath))[1].split(':')[2] != label:
warn(f"SELinux is disabled because {hostPath} doesn't have "
f"the {label} label. To set the label run: "
f"chcon -Rt {label} {hostPath}")
selinuxCap(False, env.ctx, env)
# Check mount points permissions
for hostPath in env.ctx.mounts.values():
hostPath = hostPath.expanduser().resolve()
if hostPath.exists() and not os.access(str(hostPath), os.R_OK):
warn(f"{hostPath} is not readable by the current user.")
# Check for home mount point
if env.overlays and not env.ctx.mounts.get(env.ctx.home):
warn(f"overlay needs a home mount point, "
"mountRun capability is enabled.")
mountRunCap(True, env.ctx, env)
if env.capabilities.get(
"mount-home") and not env.capabilities.get("uidmap"):
warn("UIDMap is required for mount-home")
uidmapCap(True, env.ctx, env)
# Check for image management
if not env.manageImage:
if env.packages:
warn("manage-image capability is required for packages")
manageImageCap(True, env.ctx, env)
if env.imageCustomizations or env.imageTasks:
warn("manage-image capability is required for image tasks")
manageImageCap(True, env.ctx, env)
if env.branchImage:
warn("branch-image capability is incompatible with manage-image")
def upgradeMountFilesystems(anaconda):
# mount everything and turn on swap
try:
mountExistingSystem(anaconda, anaconda.upgradeRoot[0], allowDirty = 0)
except ValueError as e:
log.error("Error mounting filesystem: %s" % e)
anaconda.intf.messageWindow(_("Mount failed"),
_("The following error occurred when mounting the file "
"systems listed in /etc/fstab. Please fix this problem "
"and try to upgrade again.\n%s" % e))
sys.exit(0)
except IndexError as e:
# The upgrade root is search earlier but we give the message here.
log.debug("No upgrade root was found.")
if anaconda.ksdata and anaconda.ksdata.upgrade.upgrade:
anaconda.intf.messageWindow(_("Upgrade root not found"),
_("The root for the previously installed system was not "
"found."), type="custom",
custom_icon="info",
custom_buttons=[_("Exit installer")])
sys.exit(0)
else:
rc = anaconda.intf.messageWindow(_("Upgrade root not found"),
_("The root for the previously installed system was not "
"found. You can exit installer or backtrack to choose "
"installation instead of upgrade."),
type="custom",
custom_buttons = [ _("_Back"),
_("_Exit installer") ],
custom_icon="question")
if rc == 0:
return DISPATCH_BACK
elif rc == 1:
sys.exit(0)
checkLinks = ( '/etc', '/var', '/var/lib', '/var/lib/rpm',
'/boot', '/tmp', '/var/tmp', '/root',
'/bin/sh', '/usr/tmp')
badLinks = []
for n in checkLinks:
if not os.path.islink(anaconda.rootPath + n): continue
l = os.readlink(anaconda.rootPath + n)
if l[0] == '/':
badLinks.append(n)
if badLinks:
message = _("The following files are absolute symbolic "
"links, which we do not support during an "
"upgrade. Please change them to relative "
"symbolic links and restart the upgrade.\n\n")
for n in badLinks:
message = message + '\t' + n + '\n'
anaconda.intf.messageWindow(_("Absolute Symlinks"), message)
sys.exit(0)
# fix for 80446
badLinks = []
mustBeLinks = ( '/usr/tmp', )
for n in mustBeLinks:
if not os.path.islink(anaconda.rootPath + n):
badLinks.append(n)
if badLinks:
message = _("The following are directories which should instead "
"be symbolic links, which will cause problems with the "
"upgrade. Please return them to their original state "
"as symbolic links and restart the upgrade.\n\n")
for n in badLinks:
message = message + '\t' + n + '\n'
anaconda.intf.messageWindow(_("Invalid Directories"), message)
sys.exit(0)
anaconda.storage.turnOnSwap(upgrading=True)
anaconda.storage.mkDevRoot()
# Move /etc/rpm/platform out of the way.
if os.path.exists(anaconda.rootPath + "/etc/rpm/platform"):
shutil.move(anaconda.rootPath + "/etc/rpm/platform",
anaconda.rootPath + "/etc/rpm/platform.rpmsave")
# if they've been booting with selinux disabled, then we should
# disable it during the install as well (#242510)
try:
if os.path.exists(anaconda.rootPath + "/.autorelabel"):
ctx = selinux.getfilecon(anaconda.rootPath + "/.autorelabel")[1]
if not ctx or ctx == "unlabeled":
flags.selinux = False
log.info("Disabled SELinux for upgrade based on /.autorelabel")
except Exception, e:
log.warning("error checking selinux state: %s" %(e,))
def get_selinux_context(self, path):
try:
(rc, c) = selinux.getfilecon(path)
return c
except Exception:
return None
def selinux_getfilecon(path):
if have_selinux():
return selinux.getfilecon(path)[1]
return None
def get_selinux_context(self, path):
try:
(rc, c) = selinux.getfilecon(path)
return c
except:
return None
raise AutoUpdateError(msg)
# Ok, we need to try and fix the SELinux context of the relevant files. We'll
# copy the existing context of known libraries, since we know we can
# call them from the current context already.
# If any call here fails, silently skip the rest and keep running.
if selinuxIsEnabled:
try:
# not sure at this point if we're updating Security Blanket or OS Lockdown, so
# do a quick check...
# If upgrading Security Blanket start with *that* contexts, otherwise use OS Lockdown context.
if os.path.isfile(
'/usr/share/security-blanket/sb_utils/auth/Affirm.pyo'):
startingContext = selinux.getfilecon(
"/usr/share/security-blanket")[1]
else:
startingContext = selinux.getfilecon(
"/usr/share/oslockdown")[1]
selinux.setfilecon(candidate1,
startingContext.replace("_rw_t", "_py_t"))
selinux.setfilecon(candidate2,
startingContext.replace("_rw_t", "_licso_t"))
os.chmod(candidate1, 0700)
os.chmod(candidate2, 0700)
except (NameError, AttributeError), e:
logging.getLogger('AutoUpdate').error(e)
sys.path.append(candidatedir)
