[Ovirt-devel] [PATCH node-image] Use minimal selinux configuration and add modules selectively
Perry Myers
pmyers at redhat.com
Fri Nov 21 01:39:37 UTC 2008
Signed-off-by: Perry Myers <pmyers at redhat.com>
---
common-blacklist.ks | 3 ---
common-pkgs.ks | 2 +-
common-post.ks | 20 ++++++++++++++++++++
3 files changed, 21 insertions(+), 4 deletions(-)
diff --git a/common-blacklist.ks b/common-blacklist.ks
index 48702da..3c89236 100644
--- a/common-blacklist.ks
+++ b/common-blacklist.ks
@@ -118,9 +118,6 @@ find /usr/share -type d -exec rmdir {} \; > /dev/null 2>&1
echo "Cleanup excess selinux modules"
$RM /usr/share/selinux
-# FIXME: We shouldn't remove all of the modules, just selected ones
-# need to do more fine grained black/white listing for this
-#$RM /etc/selinux/targeted/modules/active/modules/*
echo "Running image-minimizer..."
%end
diff --git a/common-pkgs.ks b/common-pkgs.ks
index a35519f..80993d6 100644
--- a/common-pkgs.ks
+++ b/common-pkgs.ks
@@ -12,7 +12,7 @@ kvm
syslinux
ovirt-node
ovirt-node-selinux
-selinux-policy-targeted
+selinux-policy-minimum
vim-minimal
-audit-libs-python
-hdparm
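Review bot: The new post-install step in common-post.ks calls `lokkit` and `semodule`, but this package list only swaps `selinux-policy-targeted` for `selinux-policy-minimum`; unless policycoreutils and the package that ships lokkit are already pulled in elsewhere in the list (only lines 12-18 are visible here), the %post module import will fail on the built image. Consider adding them explicitly next to `selinux-policy-minimum` so the dependency is stated rather than incidental. The two unrelated removals (`audit-libs-python`, `hdparm`) are not mentioned in the commit message; a one-line note on why they are dropped would help the next reader.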
diff --git a/common-post.ks b/common-post.ks
index 7497b20..2d4ce15 100644
--- a/common-post.ks
+++ b/common-post.ks
@@ -3,6 +3,26 @@ echo "Starting Kickstart Post"
PATH=/sbin:/usr/sbin:/bin:/usr/bin
export PATH
+# Import SELinux Modules
+echo "Enabling selinux modules"
+SEMODULES="base automount avahi consolekit cyrus dhcp dnsmasq guest hal ipsec \
+iscsi kerberos kerneloops ldap lockdev logadm mozilla ntp polkit portmap qemu \
+rpcbind sasl snmp stunnel sysstat tcpd unprivuser unconfined usbmodules \
+userhelper virt"
+
+lokkit -v --selinuxtype=minimum
+tmpdir=$(mktemp -d)
+
+for semodule in $SEMODULES; do
+ mv /usr/share/selinux/minimum/$semodule.pp.bz2 $tmpdir
+ bunzip2 $tmpdir/$semodule.pp.bz2
+done
+
+ls $tmpdir/*.pp | grep -Ev "base.pp|enableaudit.pp" \
+ | xargs semodule -v -b $tmpdir/base.pp -i
+semodule -v -B
+rm -Rf $tmpdir
+
echo "Running ovirt-install-host stateless"
/usr/sbin/ovirt-install-node stateless
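Review bot: Every step of the module import is unchecked, so a module that is missing from selinux-policy-minimum or fails to load leaves the node with a weaker policy than SEMODULES implies: `mv /usr/share/selinux/minimum/$semodule.pp.bz2 $tmpdir` and `bunzip2` fail silently for any name the package does not ship, and the exit status of `xargs semodule -v -b $tmpdir/base.pp -i` is never tested, so the build completes either way. The `ls $tmpdir/*.pp | grep -Ev "base.pp|enableaudit.pp" | xargs` pipeline also parses ls output with an unescaped-dot regex, and since enableaudit is not in SEMODULES the second pattern is vestigial; looping over `"$tmpdir"/*.pp` and collecting everything but base.pp is simpler. `tmpdir=$(mktemp -d)` is unchecked and used unquoted, and `rm -Rf $tmpdir` has no guard should it be empty. The %post section this hunk belongs to begins before and continues after the hunk.
```shell
lokkit -v --selinuxtype=minimum || exit 1
tmpdir=$(mktemp -d) || { echo "mktemp failed" >&2; exit 1; }

for semodule in $SEMODULES; do
  src="/usr/share/selinux/minimum/${semodule}.pp.bz2"
  # a module absent from the policy package must fail the build, not be skipped
  mv "$src" "$tmpdir"/ || { echo "missing selinux module: $src" >&2; exit 1; }
  bunzip2 "$tmpdir/${semodule}.pp.bz2" || exit 1
done

# base.pp is passed via -b; every other decompressed module via -i
set --
for pp in "$tmpdir"/*.pp; do
  [ "${pp##*/}" = base.pp ] || set -- "$@" "$pp"
done
semodule -v -b "$tmpdir/base.pp" -i "$@" || exit 1
semodule -v -B || exit 1
rm -Rf -- "${tmpdir:?}"
```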
--
1.6.0.3