[Ovirt-devel] [PATCH node-image] enable SELinux in the node

Jim Meyering jim at meyering.net
Wed Sep 17 14:25:09 UTC 2008


Here are 5 change sets.

The first enables SELinux in the node.
However, the resulting .iso image size went up to 72M.
The following 4 patches pare that back down to 51M, which is 1M below
the original size of 52M.

From db6be7aeae14812a0642b85c1f7ee10dedac2810 Mon Sep 17 00:00:00 2001
From: Jim Meyering <meyering at redhat.com>
Date: Tue, 16 Sep 2008 15:52:20 +0200
Subject: [PATCH node-image] Enable SELinux in the node.

* common-install.ks: Use selinux --enforcing
* common-pkgs.ks: Don't exclude the following, required for SELinux:
      policycoreutils
      libsemanage
      selinux-policy-targeted
      selinux-policy
* ovirt-node-image.ks (%post): touch /.autorelabel so the node automatically
  relabels all files.  Otherwise at least the following would be unlabeled_t:
      /etc/hosts
      /etc/shadow
      /etc/gshadow
      /etc/sysconfig/iptables
---
 common-install.ks   |    2 +-
 common-pkgs.ks      |    4 ----
 ovirt-node-image.ks |    2 ++
 3 files changed, 3 insertions(+), 5 deletions(-)

diff --git a/common-install.ks b/common-install.ks
index b7671e9..f535323 100644
--- a/common-install.ks
+++ b/common-install.ks
@@ -2,7 +2,7 @@ lang C
 keyboard us
 timezone --utc UTC
 auth --useshadow --enablemd5
-selinux --disabled
+selinux --enforcing
 firewall --disabled
 part / --size 550 --fstype ext2
 services --enabled=ntpd,ntpdate,collectd,iptables,network
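Review bot: this goes from `--disabled` straight to `--enforcing` with no permissive pass in between. Consider one build cycle with `selinux --permissive` so that denials hit by the services enabled on the last context line (ntpd, ntpdate, collectd, iptables, network) are recorded as AVC entries in the audit log instead of surfacing as silent service failures, then switch to `--enforcing` once the log is clean.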
diff --git a/common-pkgs.ks b/common-pkgs.ks
index 70707fc..29d3cf7 100644
--- a/common-pkgs.ks
+++ b/common-pkgs.ks
@@ -29,10 +29,8 @@ syslinux
 cronie
 hal
 ovirt-node
--policycoreutils
 -audit-libs-python
 -hdparm
--libsemanage
 -ustr
 -authconfig
 -rhpl
@@ -41,8 +39,6 @@ ovirt-node
 -prelink
 -newt-python
 -newt
--selinux-policy-targeted
--selinux-policy
 -kudzu
 -libselinux-python
 -rhpl
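Review bot: `-libselinux-python` (and `-audit-libs-python` in the previous hunk) stay excluded while policycoreutils and libsemanage come back in. If any of the re-enabled SELinux packages depends on those bindings, the `rpm -e --nodeps` pass later in this series will hide the broken dependency rather than report it, so confirm with a boot test that the relabel and `setenforce`/`getenforce` tooling still work on the node; if the exclusion is deliberate for image size, a one-line comment next to it would help the next reader.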
diff --git a/ovirt-node-image.ks b/ovirt-node-image.ks
index 9ec0b50..f5695d8 100644
--- a/ovirt-node-image.ks
+++ b/ovirt-node-image.ks
@@ -10,6 +10,8 @@
 %post
 %include common-post.ks

+touch /.autorelabel
+
 %end

 %post --nochroot
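Review bot: touching /.autorelabel in %post defers the relabel to first boot instead of doing it at build time. For a node booted from the ISO with a non-persistent overlay, the relabel removes /.autorelabel only in that overlay, so every boot repeats the full relabel, and until it finishes the files named in the commit message (/etc/shadow, /etc/gshadow, /etc/sysconfig/iptables) are still unlabeled_t while the node is already enforcing. Relabeling the image root inside %post (setfiles with the targeted file_contexts) would ship the files correctly labeled and avoid both; if the first-boot approach is kept on purpose, a comment here saying why would help.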
--
1.6.0.1.308.gede4c


From e3d27bd525ecc5f833db60ae4c7088ec3be9ee81 Mon Sep 17 00:00:00 2001
From: Jim Meyering <meyering at redhat.com>
Date: Tue, 16 Sep 2008 21:32:03 +0200
Subject: [PATCH node-image] common-post.ks: prune blacklisted packages with rpm -e --nodeps

Otherwise, they were not being removed.
---
 common-post.ks |    6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/common-post.ks b/common-post.ks
index e234249..d14c790 100644
--- a/common-post.ks
+++ b/common-post.ks
@@ -49,12 +49,14 @@ echo "Removing excess RPMs"
 # and livecd-tools needs lokkit to disable SELinux.
 # However, this is just an install-time dependency; we can remove
 # it afterwards, which we do here
-rpm -e system-config-firewall-tui system-config-network-tui rhpl \
+$RPM -e system-config-firewall-tui system-config-network-tui rhpl \
     rpm-python dbus-python kudzu newt-python newt
-rpm -e qemu kpartx mkinitrd isomd5sum dmraid python python-libs

 RPM="rpm -v -e --nodeps"

+$RPM -e qemu kpartx mkinitrd isomd5sum dmraid python python-libs
+$RPM -e checkpolicy
+
 # Remove additional RPMs forcefully
 $RPM gamin pm-utils kbd libuser passwd usermode \
     vbetool ConsoleKit hdparm \
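Review bot: the first changed line, `$RPM -e system-config-firewall-tui ...`, runs before `RPM="rpm -v -e --nodeps"` is assigned three lines further down in the same hunk, so at that point $RPM expands to nothing and the shell tries to execute `-e`; move the assignment above the first use. Also, RPM already carries `-e`, so `$RPM -e qemu ...` and `$RPM -e checkpolicy` pass the flag twice; drop the extra `-e` to match the `$RPM gamin pm-utils ...` form below. Because `--nodeps` silences dependency errors, anything still needing python or checkpolicy at run time will fail on the node rather than in the build, so a boot test after this pass is worth doing.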
--
1.6.0.1.308.gede4c


From 047ae89c284087ae3d3a373bf8cbab9540217b1a Mon Sep 17 00:00:00 2001
From: Jim Meyering <meyering at redhat.com>
Date: Wed, 17 Sep 2008 13:56:15 +0200
Subject: [PATCH node-image] allow for {,lib64} constructs in blacklist variables

---
 common-post.ks |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/common-post.ks b/common-post.ks
index d14c790..a2a8630 100644
--- a/common-post.ks
+++ b/common-post.ks
@@ -142,8 +142,8 @@ docs_blacklist="/usr/share/omf /usr/share/gnome /usr/share/doc \
     /usr/share/locale /usr/share/libthai /usr/share/man /usr/share/terminfo \
     /usr/share/X11 /usr/share/i18n"

-$RM $blacklist $blacklist_lib $blacklist_pango $blacklist_hal $blacklist_ssh \
-    $docs_blacklist
+eval $RM $blacklist $blacklist_lib $blacklist_pango $blacklist_hal \
+    $blacklist_ssh $docs_blacklist

 echo "Cleanup empty directory structures in /usr/share"
 find /usr/share -type d -exec rmdir {} \; > /dev/null 2>&1
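Review bot: a comment explaining why `eval` is needed here would help: brace expansion happens before parameter expansion, so plain `$RM $blacklist` passes `{,64}` through literally, and eval is the re-parse that makes the constructs work. The cost is that every path in these lists is re-parsed by the shell, so the blacklist strings must stay free of spaces and unescaped metacharacters; the lists are static today, but the comment should say that this is a constraint. Globs such as `/usr/sbin/dell*` that match nothing are handed to $RM as literal names, so $RM needs `-f` (or `rm -rf`) to keep the build log quiet.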
--
1.6.0.1.308.gede4c


From 817655c2b4f0c200a929caddad69b1f8f52295c6 Mon Sep 17 00:00:00 2001
From: Jim Meyering <meyering at redhat.com>
Date: Wed, 17 Sep 2008 14:12:25 +0200
Subject: [PATCH node-image] remove big /usr/sbin binaries

remove system-config-* etc with --nodeps, too
---
 common-post.ks |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

diff --git a/common-post.ks b/common-post.ks
index a2a8630..ea5b1b7 100644
--- a/common-post.ks
+++ b/common-post.ks
@@ -45,6 +45,8 @@ EOF

 echo "Removing excess RPMs"

+RPM="rpm -v -e --nodeps"
+
 # kernel pulls in mkinitrd which pulls in isomd5sum which pulls in python,
 # and livecd-tools needs lokkit to disable SELinux.
 # However, this is just an install-time dependency; we can remove
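Review bot: with `RPM="rpm -v -e --nodeps"` now defined before the first use, the second identical assignment that still sits between the system-config-* line and the kpartx line (visible in the next patch's context) is redundant; delete it so there is a single definition. The `$RPM -e ...` invocations below it still double up the `-e` flag.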
@@ -122,7 +124,7 @@ blacklist="/boot /etc/alsa /etc/pki /usr/share/hwdata/MonitorsDB \
     /usr/share/tabset /usr/share/libvirt /usr/share/augeas/lenses/tests \
     /usr/share/tc /usr/share/emacs /usr/share/info /usr/kerberos \
     /usr/src /usr/etc /usr/games /usr/include /usr/local \
-    /usr/sbin/dell*"
+    /usr/sbin/{dell*,sasldblistusers2,build-locale-archive,glibc_post_upgrade.*}"
 blacklist_lib="/usr/lib{,64}/python2.5 /usr/lib{,64}/gconv \
     /usr/{,lib64}/tc /usr/lib{,64}/tls /usr/lib{,64}/sse2 \
     /usr/lib{,64}/pkgconfig /usr/lib{,64}/nss /usr/lib{,64}/X11 \
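Review bot: in the blacklist_lib context line, `/usr/{,lib64}/tc` looks like a typo for `/usr/lib{,64}/tc`: as written it expands to /usr/tc and /usr/lib64/tc and never touches /usr/lib/tc. Now that these lists are eval'd it is worth fixing in the same sweep. Removing build-locale-archive and glibc_post_upgrade.* from /usr/sbin is fine for a read-only node image, but it breaks glibc's own post-install scriptlet if the image were ever updated in place; a comment stating that the node is rebuilt rather than updated would record the trade-off.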
--
1.6.0.1.308.gede4c


From a570566201f06108c9eabd6a588c329a8a59e55e Mon Sep 17 00:00:00 2001
From: Daniel P. Berrange <berrange at redhat.com>
Date: Wed, 17 Sep 2008 15:15:10 +0200
Subject: [PATCH node-image] exclude qemu cleanly, by explicitly including qemu-img

Work around YUM dep solver problem: explicitly include qemu-img
http://thread.gmane.org/gmane.comp.emulators.libvirt.ovirt/1984/focus=1985

[I had already removed qemu with the "rpm -e --nodeps" sledgehammer,
 but Dan P. Berrange found this cleaner way to do it.  -jmm]
---
 common-pkgs.ks |    5 ++++-
 common-post.ks |    2 +-
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/common-pkgs.ks b/common-pkgs.ks
index 29d3cf7..0149956 100644
--- a/common-pkgs.ks
+++ b/common-pkgs.ks
@@ -28,6 +28,10 @@ bind-utils
 syslinux
 cronie
 hal
+# Stupid yum dep solver pulls in older 'qemu' to resolve
+# /usr/bin/qemu-img dep. This forces it to pick the new
+# qemu-img RPM.
+qemu-img
 ovirt-node
 -audit-libs-python
 -hdparm
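Review bot: the comment explains the workaround but not how to tell when it is no longer needed; referencing the thread URL from the commit message in the comment would let a later maintainer check whether the yum dep solver behaviour is fixed and drop the explicit `qemu-img` line. Note also that `-hdparm` stays excluded here while hdparm is still removed with `$RPM gamin pm-utils ... hdparm` in common-post.ks; harmless, but one of the two is redundant.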
@@ -58,6 +62,5 @@ ovirt-node
 -cpio
 -hwdata
 -file
--qemu
 -libvirt-python
 /usr/sbin/lokkit
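Review bot: dropping `-qemu` removes the only explicit guard against the full qemu package coming back. The new `qemu-img` line fixes the /usr/bin/qemu-img dependency path, but if another package in this list later grows a dependency on qemu, nothing catches it. Keeping `-qemu` alongside `qemu-img`, or adding a post-install check in common-post.ks that `rpm -q qemu` fails, would make the intent enforceable rather than incidental.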
diff --git a/common-post.ks b/common-post.ks
index ea5b1b7..dfc6418 100644
--- a/common-post.ks
+++ b/common-post.ks
@@ -56,7 +56,7 @@ $RPM -e system-config-firewall-tui system-config-network-tui rhpl \

 RPM="rpm -v -e --nodeps"

-$RPM -e qemu kpartx mkinitrd isomd5sum dmraid python python-libs
+$RPM -e kpartx mkinitrd isomd5sum dmraid python python-libs
 $RPM -e checkpolicy

 # Remove additional RPMs forcefully
--
1.6.0.1.308.gede4c
