[PATCH 2/2] LiveCD - add test for /sbin/lokkit if it is needed for selinux config

Stephen Smalley sds at tycho.nsa.gov
Mon Jun 9 14:14:23 UTC 2008


On Fri, 2008-06-06 at 16:11 -0400, eparis at redhat.com wrote:
> From: Eric Paris <eparis at redhat.com>
> 
> This patch adds a new function ayum.installHasFile() which tells if the install
> image is going to contain a given file.  We then use this new function to make
> sure lokkit is going to be present so that we will be able to disable selinux
> inside the image if the kickstart was configured that way.  If we cannot
> accommodate the kickstart setting, we fail the build.

Do you really need lokkit or can you just manually
rewrite /etc/selinux/config (i.e. just sed -e
"s/SELINUX=enforcing/SELINUX=disabled/")?

> 
> Signed-off-by: Eric Paris <eparis at redhat.com>
> ---
>  imgcreate/creator.py |   12 +++++++++++-
>  imgcreate/yuminst.py |   10 ++++++++++
>  2 files changed, 21 insertions(+), 1 deletions(-)
> 
> diff --git a/imgcreate/creator.py b/imgcreate/creator.py
> index f65f7d4..c9ed60c 100644
> --- a/imgcreate/creator.py
> +++ b/imgcreate/creator.py
> @@ -594,7 +594,14 @@ class ImageCreator(object):
>          for pkg in kickstart.get_excluded(self.ks,
>                                            self._get_excluded_packages()):
>              ayum.deselectPackage(pkg)
> -        
> +
> +    # if the system is running selinux and the kickstart wants it disabled
> +    # we need /usr/sbin/lokkit
> +    def __can_handle_selinux(self, ayum):
> +        file = "/usr/sbin/lokkit"
> +        if not kickstart.selinux_enabled(self.ks) and os.path.exists("/selinux/enforce") and not ayum.installHasFile(file):
> +            raise CreatorError("Unable to disable SELinux because the installed package set did not include the file %s" % (file))
> +
>      def install(self, repo_urls = {}):
>          """Install packages into the install root.
>  
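Review bot: The path checked in `__can_handle_selinux` is `/usr/sbin/lokkit`, while the patch subject says `/sbin/lokkit`. Because `installHasFile` is handed that literal string, the wrong path would make every build that disables SELinux on an SELinux-enabled host fail with CreatorError even when lokkit is installed. The correct path should be confirmed against the package's file list, and the subject or the code brought into line. The method also reads like a predicate but returns nothing and only raises, and `file` shadows the builtin; a name such as `def __check_selinux_support(self, ayum):` with a docstring in place of the comment above the `def`, and `lokkit = "/usr/sbin/lokkit"`, would be clearer. The enclosing class ImageCreator starts outside the hunk.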
> @@ -630,6 +637,9 @@ class ImageCreator(object):
>              self.__select_packages(ayum)
>              self.__select_groups(ayum)
>              self.__deselect_packages(ayum)
> +
> +            self.__can_handle_selinux(ayum)
> +
>              ayum.runInstall()
>          except yum.Errors.RepoError, e:
>              raise CreatorError("Unable to download from repo : %s" % (e,))
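Review bot: The new check is placed before `ayum.runInstall()`, and `installHasFile` only looks at the members currently in `self.tsInfo`. If dependency resolution happens inside `runInstall` (its body is not visible here), a lokkit package that would be pulled in only as a dependency is not yet in the transaction, and the build is rejected needlessly. In that case the check belongs after the transaction has been resolved and before anything is installed, or at least needs a comment such as `# only explicitly selected packages are visible here; dependencies are resolved later`. install() starts and ends outside this hunk.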
> diff --git a/imgcreate/yuminst.py b/imgcreate/yuminst.py
> index aebb822..dd5b189 100644
> --- a/imgcreate/yuminst.py
> +++ b/imgcreate/yuminst.py
> @@ -139,6 +139,16 @@ class LiveCDYum(yum.YumBase):
>          repo.setCallback(TextProgress())
>          self.repos.add(repo)
>          return repo
> +
> +    def installHasFile(self, file):
> +        provides_pkg = self.whatProvides(file, None, None)
> +        dlpkgs = map(lambda x: x.po, filter(lambda txmbr: txmbr.ts_state in ("i", "u"), self.tsInfo.getMembers()))
> +        for p in dlpkgs:
> +            for q in provides_pkg:
> +                if (p == q):
> +                    return True
> +        return False
> +
>              
>      def runInstall(self):
>          os.environ["HOME"] = "/"
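Review bot: `installHasFile` has no docstring, and what it answers is narrower than its name suggests: it returns True only when a package providing the path is a transaction member in state "i" or "u" at the moment of the call. A docstring saying so, e.g. `"""Return True if a package providing path is currently selected for install or update."""`, would keep callers from treating it as a statement about the finished image. The `map`/`filter` lambdas and the nested loops can be written as `pkgs = [m.po for m in self.tsInfo.getMembers() if m.ts_state in ("i", "u")]` followed by `return any(p == q for p in pkgs for q in provides_pkg)`. The parameter name `file` also shadows the builtin; `path` would be a better name.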
-- 
Stephen Smalley
National Security Agency



