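def __create_selinuxfs(self):
    """Fake a selinuxfs inside the install root, then relabel the tree.

    When the host exposes /selinux/enforce, a set of plain files is written
    under <instroot>/selinux so that tools running in the chroot read
    "not enforcing" and a very high policy version, and a /dev/null-style
    character device is created at <instroot>/selinux/load.  When the
    kickstart enables SELinux, the install root is relabelled with setfiles
    and the SELinux user of a few pseudo-filesystem directories is set to
    system_u.
    """
    # NOTE(review): block nesting below is inferred (the listing this came
    # from had lost its indentation) -- confirm against the real file.

    # if selinux exists on the host we need to lie to the chroot
    if os.path.exists("/selinux/enforce"):
        selinux_dir = self._instroot + "/selinux"

        # enforce=0 tells the chroot selinux is not enforcing
        # policyvers=999 tell the chroot to make the highest version of policy it can
        # mls is copied from the host for now; the original author wondered
        # whether it should always be 1.
        files = [('/enforce', '0'),
                 ('/policyvers', '999'),
                 ('/commit_pending_bools', ''),
                 ('/mls', str(selinux.is_selinux_mls_enabled()))]

        for (name, value) in files + self.__getbooleans():
            # NOTE(review): opened without O_NOFOLLOW/O_EXCL, so a symlink
            # already present at this path inside the install root would be
            # followed by this (typically root) process -- confirm nothing
            # untrusted can populate <instroot>/selinux before this runs.
            fd = os.open(selinux_dir + name,
                         os.O_WRONLY | os.O_TRUNC | os.O_CREAT)
            try:
                os.write(fd, value)
            finally:
                # Close even when the write fails so descriptors do not leak.
                os.close(fd)

        # make /load -> /dev/null so chroot policy loads don't hurt anything
        # (character device 1:3, mode rw for user/group/other i.e. 0666,
        # still subject to the process umask).
        rw_all = (stat.S_IRUSR | stat.S_IWUSR |
                  stat.S_IRGRP | stat.S_IWGRP |
                  stat.S_IROTH | stat.S_IWOTH)
        os.mknod(selinux_dir + "/load", rw_all | stat.S_IFCHR,
                 os.makedev(1, 3))

    # selinux is on in the kickstart, so clean up as best we can to start
    if kickstart.selinux_enabled(self.ks):
        # label the fs like it is a root before the bind mounting
        # The exit status is ignored (best effort): a failed relabel leaves
        # the tree with whatever labels it had and raises nothing here.
        arglist = ["/sbin/setfiles", "-F", "-r", self._instroot,
                   selinux.selinux_file_context_path(), self._instroot]
        subprocess.call(arglist, close_fds=True)

        # these dumb things don't get magically fixed, so make the user generic
        for f in ("/proc", "/sys", "/selinux"):
            arglist = ["/usr/bin/chcon", "-u", "system_u", self._instroot + f]
            subprocess.call(arglist, close_fds=True)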
def __create_selinuxfs(self):
    """Mask the chroot's selinuxfs "load" node and relabel the install root.

    Does nothing when the selinux mount point does not exist on the host.
    Otherwise /dev/null is bind-mounted over <instroot><mountpoint>/load
    (presumably so policy loads issued inside the chroot are discarded).
    When the kickstart enables SELinux the tree is relabelled with setfiles,
    and, if SELinux is enabled on the host, the SELinux user of
    <instroot>/proc and <instroot>/sys is set to system_u.

    Every external command is best effort: exit statuses are not checked, so
    a failed mount or relabel is silent.
    """
    if not os.path.exists(self.__selinux_mountpoint):
        return

    load_node = self._instroot + self.__selinux_mountpoint + "/load"
    subprocess.call(["/bin/mount", "--bind", "/dev/null", load_node],
                    close_fds=True)

    if not kickstart.selinux_enabled(self.ks):
        return

    # Label the filesystem as if it were a root, before the bind mounting.
    # NOTE(review): the chcon step is assumed to sit inside this kickstart
    # branch (indentation was lost in the listing) -- confirm.
    relabel_cmd = [
        "/sbin/setfiles", "-F", "-r", self._instroot,
        selinux.selinux_file_context_path(), self._instroot,
    ]
    subprocess.call(relabel_cmd, close_fds=True)

    # setfiles does not fix these up, so give them a generic SELinux user.
    # Only meaningful when the host itself runs SELinux.
    if not selinux.is_selinux_enabled():
        return
    for pseudo_fs in ("/proc", "/sys"):
        chcon_cmd = ["/usr/bin/chcon", "-u", "system_u",
                     self._instroot + pseudo_fs]
        subprocess.call(chcon_cmd, close_fds=True)
def __getbooleans(self):
    """Return (path, value) pairs describing the host's SELinux booleans.

    Each pair is ("/booleans/<name>", "<active> <active>"), where <active>
    is what selinux.security_get_boolean_active() returned for that name.
    An empty list is returned when the kickstart has SELinux disabled or the
    host has no /selinux/enforce.
    """
    applicable = (kickstart.selinux_enabled(self.ks)
                  and os.path.exists("/selinux/enforce"))
    if not applicable:
        return []

    # Only element 1 of the result is used.
    # NOTE(review): element 0 looks like a status code that is never
    # inspected, and the per-boolean value is formatted as-is even if it is
    # an error return -- confirm against the libselinux bindings.
    names = selinux.security_get_boolean_names()[1]

    pairs = []
    for name in names:
        active = selinux.security_get_boolean_active(name)
        pairs.append(("/booleans/%s" % name, "%d %d" % (active, active)))
    return pairs
def __can_handle_selinux(self, ayum):
    """Fail early if SELinux has to be disabled but lokkit is not installed.

    Raises CreatorError only when all three hold: the kickstart does not
    enable SELinux, SELinux is enabled on the host, and the package set in
    *ayum* does not provide /usr/sbin/lokkit.  Returns None otherwise.
    """
    lokkit = "/usr/sbin/lokkit"

    # Guard clauses keep the original short-circuit order of the checks.
    if kickstart.selinux_enabled(self.ks):
        return
    if not selinux.is_selinux_enabled():
        return
    if ayum.installHasFile(lokkit):
        return

    raise CreatorError(
        "Unable to disable SELinux because the installed package set did not include the file %s"
        % (lokkit))
def __create_selinuxfs(self):
    """Bind /dev/null over the chroot's selinuxfs "load" node and relabel.

    The bind mount is attempted unconditionally in this version.  When the
    kickstart enables SELinux, the install root is then relabelled with
    setfiles and, if the host has SELinux enabled, <instroot>/proc and
    <instroot>/sys get the SELinux user system_u.
    """
    def run(argv):
        # Best effort: the exit status is returned by subprocess.call but
        # no caller below looks at it, so failures are silent.
        return subprocess.call(argv, close_fds=True)

    run(["/bin/mount", "--bind", "/dev/null",
         self._instroot + self.__selinux_mountpoint + "/load"])

    if kickstart.selinux_enabled(self.ks):
        # Label the filesystem like a real root before the bind mounting.
        run(["/sbin/setfiles", "-F", "-r", self._instroot,
             selinux.selinux_file_context_path(), self._instroot])

        # These directories are not fixed by the relabel, so make the user
        # generic; only done when the host itself has SELinux enabled.
        # NOTE(review): nesting under the kickstart branch is inferred from
        # a listing without indentation -- confirm.
        if selinux.is_selinux_enabled():
            for mount_dir in ("/proc", "/sys"):
                run(["/usr/bin/chcon", "-u", "system_u",
                     self._instroot + mount_dir])
def install(self, repo_urls={}):
    """Install the kickstart's package selection into the install root.

    Packages are fetched from the repositories named in the kickstart
    unless overridden.

    repo_urls -- a dict which maps a repository name to a repository URL;
                 if supplied, this causes any repository URLs specified in
                 the kickstart to be overridden.

    Raises CreatorError when yum reports a RepoError.
    """
    # The shared {} default is only read here and handed to
    # kickstart.get_repos(); it must not be mutated downstream.
    conf_path = self._mktemp(prefix="yum.conf-")

    ayum = LiveCDYum(releasever=self.releasever, useplugins=self.useplugins)
    ayum.setup(conf_path, self._instroot, cacheonly=self.cacheonly)

    for (name, baseurl, mirrorlist, proxy,
         inc, exc, cost, sslverify) in kickstart.get_repos(self.ks, repo_urls):
        yr = ayum.addRepository(name, baseurl, mirrorlist)

        # Optional settings are applied only when the kickstart gave a
        # truthy value for them.
        for attr, value in (("includepkgs", inc),
                            ("exclude", exc),
                            ("proxy", proxy)):
            if value:
                setattr(yr, attr, value)
        if cost is not None:
            yr.cost = cost

        # Copied from the kickstart unconditionally: a repo declared with
        # verification off is fetched without TLS certificate checks.
        # Package signature checking is not configured in this method;
        # whether LiveCDYum enables it is not visible here.
        yr.sslverify = sslverify

    # NOTE(review): this second setup() is assumed to run once, after the
    # repository loop (indentation was lost in the listing) -- confirm.
    ayum.setup(conf_path, self._instroot)

    if kickstart.exclude_docs(self.ks):
        rpm.addMacro("_excludedocs", "1")
    if not kickstart.selinux_enabled(self.ks):
        # Blank the file-context path macro when SELinux is off in the
        # kickstart.
        rpm.addMacro("__file_context_path", "%{nil}")
    if kickstart.inst_langs(self.ks) is not None:
        rpm.addMacro("_install_langs", kickstart.inst_langs(self.ks))

    # NOTE(review): no removal of the temporary yum.conf and no close of the
    # yum object is visible in this listing -- check the full method.
    try:
        self.__select_packages(ayum)
        self.__select_groups(ayum)
        self.__deselect_packages(ayum)
        ayum.runInstall()
    except yum.Errors.RepoError as e:
        raise CreatorError("Unable to download from repo : %s" % (e, ))
def install(self, repo_urls = {}):
    """Populate the install root with the packages the kickstart asks for.

    Repository URLs are taken from the kickstart by default.

    repo_urls -- a dict which maps a repository name to a repository URL;
                 if supplied, this causes any repository URLs specified in
                 the kickstart to be overridden.

    A yum RepoError is re-raised as CreatorError.
    """
    yum_conf_path = self._mktemp(prefix = "yum.conf-")
    instroot = self._instroot

    ayum = LiveCDYum(releasever=self.releasever, useplugins=self.useplugins)
    ayum.setup(yum_conf_path, instroot, cacheonly=self.cacheonly)

    for repo_spec in kickstart.get_repos(self.ks, repo_urls):
        name, baseurl, mirrorlist, proxy, inc, exc, cost, sslverify = repo_spec

        repo_obj = ayum.addRepository(name, baseurl, mirrorlist)
        if inc:
            repo_obj.includepkgs = inc
        if exc:
            repo_obj.exclude = exc
        if proxy:
            repo_obj.proxy = proxy
        if cost is not None:
            repo_obj.cost = cost
        # TLS certificate verification follows the kickstart entry as-is,
        # so an entry that turns it off is honoured without any warning
        # from this method.
        repo_obj.sslverify = sslverify

    # NOTE(review): assumed to sit after the loop, not inside it; the
    # listing had no indentation -- confirm.
    ayum.setup(yum_conf_path, instroot)

    # RPM macros derived from kickstart options.
    if kickstart.exclude_docs(self.ks):
        rpm.addMacro("_excludedocs", "1")
    if not kickstart.selinux_enabled(self.ks):
        rpm.addMacro("__file_context_path", "%{nil}")
    if kickstart.inst_langs(self.ks) is not None:
        rpm.addMacro("_install_langs", kickstart.inst_langs(self.ks))

    try:
        # Selection order is kept: packages, then groups, then removals.
        self.__select_packages(ayum)
        self.__select_groups(ayum)
        self.__deselect_packages(ayum)
        ayum.runInstall()
    except yum.Errors.RepoError as err:
        raise CreatorError("Unable to download from repo : %s" % (err,))
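def install(self, repo_urls = {}):
    """Install packages into the install root.

    This function installs the packages listed in the supplied kickstart
    into the install root. By default, the packages are installed from the
    repository URLs specified in the kickstart.

    repo_urls -- a dict which maps a repository name to a repository URL;
                 if supplied, this causes any repository URLs specified in
                 the kickstart to be overridden.

    Raises CreatorError when dnf reports a download/repository error or any
    other dnf error during selection or installation.
    """
    dnf_conf = self._mktemp(prefix = "dnf.conf-")

    dbo = DnfLiveCD(releasever=self.releasever, useplugins=self.useplugins)
    dbo.setup(dnf_conf, self._instroot, cacheonly=self.cacheonly,
              excludeWeakdeps=self.excludeWeakdeps)

    for repo in kickstart.get_repos(self.ks, repo_urls):
        (name, baseurl, mirrorlist, proxy, inc, exc, cost, sslverify) = repo

        yr = dbo.addRepository(name, baseurl, mirrorlist)
        if inc:
            yr.includepkgs = inc
        if exc:
            yr.exclude = exc
        if proxy:
            yr.proxy = proxy
        if cost is not None:
            yr.cost = cost
        # Taken from the kickstart as-is: a repo declared with verification
        # off is fetched without TLS certificate checks.  Package signature
        # checking is not configured in this method.
        yr.sslverify = sslverify

    if kickstart.exclude_docs(self.ks):
        rpm.addMacro("_excludedocs", "1")
    if not kickstart.selinux_enabled(self.ks):
        rpm.addMacro("__file_context_path", "%{nil}")
    if kickstart.inst_langs(self.ks) is not None:
        rpm.addMacro("_install_langs", kickstart.inst_langs(self.ks))

    # Load the installed-package repo only if the root already has an rpmdb.
    dbo.fill_sack(load_system_repo = os.path.exists(self._instroot + "/var/lib/rpm/Packages"))
    dbo.read_comps()

    try:
        self.__apply_selections(dbo)

        dbo.runInstall()
    except (dnf.exceptions.DownloadError, dnf.exceptions.RepoError) as e:
        raise CreatorError("Unable to download from repo : %s" % (e,))
    except dnf.exceptions.Error as e:
        raise CreatorError("Unable to install: %s" % (e,))
    finally:
        # Remove the temporary dnf.conf even if closing the dnf object fails.
        try:
            dbo.close()
        finally:
            os.unlink(dnf_conf)

    # do some clean up to avoid lvm info leakage.  this sucks.
    # NOTE(review): assumed to run after the try block rather than inside
    # its finally clause (indentation was lost in the listing) -- confirm.
    for subdir in ("cache", "backup", "archive"):
        lvmdir = self._instroot + "/etc/lvm/" + subdir
        try:
            entries = os.listdir(lvmdir)
        except OSError:
            # Directory missing or unreadable: nothing to scrub here.
            continue
        for f in entries:
            # Handle each file on its own so one entry that cannot be
            # removed does not leave the remaining LVM metadata in the
            # image; only filesystem errors are ignored.
            try:
                os.unlink(lvmdir + "/" + f)
            except OSError:
                pass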
def __can_handle_selinux(self, ayum):
    """Check that SELinux can be disabled in the image when that is required.

    When the kickstart leaves SELinux disabled while the host has it
    enabled, the package set in *ayum* must contain /usr/sbin/lokkit;
    otherwise CreatorError is raised.
    """
    lokkit_path = "/usr/sbin/lokkit"

    ks_disables_selinux = not kickstart.selinux_enabled(self.ks)
    # The host check is evaluated only when the kickstart disables SELinux,
    # and the package lookup only when both conditions hold.
    if ks_disables_selinux and selinux.is_selinux_enabled():
        if not ayum.installHasFile(lokkit_path):
            message = "Unable to disable SELinux because the installed package set did not include the file %s" % (lokkit_path)
            raise CreatorError(message)