[Ovirt-devel] [PATCH node-image] enable SELinux in the node
Jim Meyering
jim at meyering.net
Wed Sep 17 14:25:09 UTC 2008
Here are 5 change sets.
The first enables SELinux in the node.
However, the resulting .iso image size went up to 72M.
The following 4 patches pare that back down to 51M, which is 1M below
the original size of 52M.
From db6be7aeae14812a0642b85c1f7ee10dedac2810 Mon Sep 17 00:00:00 2001
From: Jim Meyering <meyering at redhat.com>
Date: Tue, 16 Sep 2008 15:52:20 +0200
Subject: [PATCH node-image] Enable SELinux in the node.
* common-install.ks: Use selinux --enforcing
* common-pkgs.ks: Don't exclude the following, required for SELinux:
policycoreutils
libsemanage
selinux-policy-targeted
selinux-policy
* ovirt-node-image.ks (%post): touch /.autorelabel so the node automatically
relabels all files. Otherwise at least the following would be unlabeled_t:
/etc/hosts
/etc/shadow
/etc/gshadow
/etc/sysconfig/iptables
---
common-install.ks | 2 +-
common-pkgs.ks | 4 ----
ovirt-node-image.ks | 2 ++
3 files changed, 3 insertions(+), 5 deletions(-)
diff --git a/common-install.ks b/common-install.ks
index b7671e9..f535323 100644
--- a/common-install.ks
+++ b/common-install.ks
@@ -2,7 +2,7 @@ lang C
keyboard us
timezone --utc UTC
auth --useshadow --enablemd5
-selinux --disabled
+selinux --enforcing
firewall --disabled
part / --size 550 --fstype ext2
services --enabled=ntpd,ntpdate,collectd,iptables,network
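Review bot: the mode jumps from `selinux --disabled` straight to `selinux --enforcing` with no permissive pass in between; on an image whose %post later prunes this many packages, a build with `selinux --permissive` and a look at the AVC denials logged on first boot would show which of the remaining services the targeted policy objects to, before enforcing mode turns those denials into hard failures on the node.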
diff --git a/common-pkgs.ks b/common-pkgs.ks
index 70707fc..29d3cf7 100644
--- a/common-pkgs.ks
+++ b/common-pkgs.ks
@@ -29,10 +29,8 @@ syslinux
cronie
hal
ovirt-node
--policycoreutils
-audit-libs-python
-hdparm
--libsemanage
-ustr
-authconfig
-rhpl
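Review bot: the exclude list gives no hint why `policycoreutils` and `libsemanage` stop being excluded while the other `-foo` entries stay; a one-line comment here would help, since `policycoreutils` is the package that ships `restorecon`, `setfiles` and `fixfiles`, which the first-boot relabel requested by `/.autorelabel` depends on, and without it the node would boot enforcing with `/etc/shadow` and friends still `unlabeled_t`.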
@@ -41,8 +39,6 @@ ovirt-node
-prelink
-newt-python
-newt
--selinux-policy-targeted
--selinux-policy
-kudzu
-libselinux-python
-rhpl
diff --git a/ovirt-node-image.ks b/ovirt-node-image.ks
index 9ec0b50..f5695d8 100644
--- a/ovirt-node-image.ks
+++ b/ovirt-node-image.ks
@@ -10,6 +10,8 @@
%post
%include common-post.ks
+touch /.autorelabel
+
%end
%post --nochroot
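Review bot: `touch /.autorelabel` relies on the first boot's relabel-and-reboot cycle, and on a live ISO whose root filesystem is not persistent the flag file is still present on the next boot, so please confirm the relabel does not run (and reboot) on every start of the node. Labeling the tree at build time instead, with `restorecon -R /` or `setfiles` against the installed policy's `file_contexts` at the end of this %post (assuming the build host lets the chroot set `security.selinux` xattrs), would give `/etc/hosts`, `/etc/shadow`, `/etc/gshadow` and `/etc/sysconfig/iptables` correct labels in the image itself, with no first-boot relabel and no window where `selinux --enforcing` meets unlabeled files.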
--
1.6.0.1.308.gede4c
From e3d27bd525ecc5f833db60ae4c7088ec3be9ee81 Mon Sep 17 00:00:00 2001
From: Jim Meyering <meyering at redhat.com>
Date: Tue, 16 Sep 2008 21:32:03 +0200
Subject: [PATCH node-image] common-post.ks: prune blacklisted packages with rpm -e --nodeps
Otherwise, they were not being removed.
---
common-post.ks | 6 ++++--
1 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/common-post.ks b/common-post.ks
index e234249..d14c790 100644
--- a/common-post.ks
+++ b/common-post.ks
@@ -49,12 +49,14 @@ echo "Removing excess RPMs"
# and livecd-tools needs lokkit to disable SELinux.
# However, this is just an install-time dependency; we can remove
# it afterwards, which we do here
-rpm -e system-config-firewall-tui system-config-network-tui rhpl \
+$RPM -e system-config-firewall-tui system-config-network-tui rhpl \
rpm-python dbus-python kudzu newt-python newt
-rpm -e qemu kpartx mkinitrd isomd5sum dmraid python python-libs
RPM="rpm -v -e --nodeps"
+$RPM -e qemu kpartx mkinitrd isomd5sum dmraid python python-libs
+$RPM -e checkpolicy
+
# Remove additional RPMs forcefully
$RPM gamin pm-utils kbd libuser passwd usermode \
vbetool ConsoleKit hdparm \
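Review bot: `$RPM` on the `system-config-firewall-tui` line is used three lines before `RPM="rpm -v -e --nodeps"` is assigned, so at that point it expands to nothing and the shell runs `-e system-config-firewall-tui ...`, which fails as command not found and leaves those packages installed; move the assignment above the first use. Also, since `RPM` already contains `-e`, the `$RPM -e qemu ...` and `$RPM -e checkpolicy` lines pass `-e` twice; dropping the extra flag matches the `$RPM gamin pm-utils ...` form used just below.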
--
1.6.0.1.308.gede4c
From 047ae89c284087ae3d3a373bf8cbab9540217b1a Mon Sep 17 00:00:00 2001
From: Jim Meyering <meyering at redhat.com>
Date: Wed, 17 Sep 2008 13:56:15 +0200
Subject: [PATCH node-image] allow for {,lib64} constructs in blacklist variables
---
common-post.ks | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/common-post.ks b/common-post.ks
index d14c790..a2a8630 100644
--- a/common-post.ks
+++ b/common-post.ks
@@ -142,8 +142,8 @@ docs_blacklist="/usr/share/omf /usr/share/gnome /usr/share/doc \
/usr/share/locale /usr/share/libthai /usr/share/man /usr/share/terminfo \
/usr/share/X11 /usr/share/i18n"
-$RM $blacklist $blacklist_lib $blacklist_pango $blacklist_hal $blacklist_ssh \
- $docs_blacklist
+eval $RM $blacklist $blacklist_lib $blacklist_pango $blacklist_hal \
+ $blacklist_ssh $docs_blacklist
echo "Cleanup empty directory structures in /usr/share"
find /usr/share -type d -exec rmdir {} \; > /dev/null 2>&1
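Review bot: the `eval` is needed only because bash does brace expansion before parameter expansion, so `/usr/lib{,64}/python2.5` stored in a variable never expands on a single pass; that works while every list is a literal in this script, but `eval` re-parses the whole command line, so a future entry containing whitespace, quotes or `$` would be split or expanded before reaching `$RM`, which for a recursive delete is an unpleasant failure mode. A comment saying why `eval` is there (and that the %post interpreter must be bash for `{,64}` to work at all) would help the next reader; looping over `lib lib64` and building each path without braces would avoid `eval` entirely.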
--
1.6.0.1.308.gede4c
From 817655c2b4f0c200a929caddad69b1f8f52295c6 Mon Sep 17 00:00:00 2001
From: Jim Meyering <meyering at redhat.com>
Date: Wed, 17 Sep 2008 14:12:25 +0200
Subject: [PATCH node-image] remove big /usr/sbin binaries
remove system-config-* etc with --nodeps, too
---
common-post.ks | 4 +++-
1 files changed, 3 insertions(+), 1 deletions(-)
diff --git a/common-post.ks b/common-post.ks
index a2a8630..ea5b1b7 100644
--- a/common-post.ks
+++ b/common-post.ks
@@ -45,6 +45,8 @@ EOF
echo "Removing excess RPMs"
+RPM="rpm -v -e --nodeps"
+
# kernel pulls in mkinitrd which pulls in isomd5sum which pulls in python,
# and livecd-tools needs lokkit to disable SELinux.
# However, this is just an install-time dependency; we can remove
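Review bot: this assignment fixes the use-before-definition introduced by the previous patch, but the later `RPM="rpm -v -e --nodeps"` line in the same block now survives as a duplicate and the `$RPM -e ...` invocations still carry a second `-e`; remove the second assignment and the stray `-e` flags so there is one definition of `RPM` and one spelling of the erase command. The comment above saying livecd-tools needs `lokkit` "to disable SELinux" is also stale now that `common-install.ks` says `selinux --enforcing`.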
@@ -122,7 +124,7 @@ blacklist="/boot /etc/alsa /etc/pki /usr/share/hwdata/MonitorsDB \
/usr/share/tabset /usr/share/libvirt /usr/share/augeas/lenses/tests \
/usr/share/tc /usr/share/emacs /usr/share/info /usr/kerberos \
/usr/src /usr/etc /usr/games /usr/include /usr/local \
- /usr/sbin/dell*"
+ /usr/sbin/{dell*,sasldblistusers2,build-locale-archive,glibc_post_upgrade.*}"
blacklist_lib="/usr/lib{,64}/python2.5 /usr/lib{,64}/gconv \
/usr/{,lib64}/tc /usr/lib{,64}/tls /usr/lib{,64}/sse2 \
/usr/lib{,64}/pkgconfig /usr/lib{,64}/nss /usr/lib{,64}/X11 \
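Review bot: `build-locale-archive` and `glibc_post_upgrade.*` are files owned by glibc, and `sasldblistusers2` by an installed cyrus-sasl package, so deleting them while those packages remain means `rpm -V` on the finished image will report them missing and any later `rpm -U glibc` on a node would run a %post whose helper is gone; acceptable for an immutable image, but worth a comment next to the pattern. While here, the `/usr/{,lib64}/tc` entry on the `blacklist_lib` line two lines below looks like a typo for `/usr/lib{,64}/tc`: as written it expands to `/usr/tc` and `/usr/lib64/tc` and never removes `/usr/lib/tc`.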
--
1.6.0.1.308.gede4c
From a570566201f06108c9eabd6a588c329a8a59e55e Mon Sep 17 00:00:00 2001
From: Daniel P. Berrange <berrange at redhat.com>
Date: Wed, 17 Sep 2008 15:15:10 +0200
Subject: [PATCH node-image] exclude qemu cleanly, by explicitly including qemu-img
Work around YUM dep solver problem: explicitly include qemu-img
http://thread.gmane.org/gmane.comp.emulators.libvirt.ovirt/1984/focus=1985
[I had already removed qemu with the "rpm -e --nodeps" sledgehammer,
but Dan P. Berrange found this cleaner way to do it. -jmm]
---
common-pkgs.ks | 5 ++++-
common-post.ks | 2 +-
2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/common-pkgs.ks b/common-pkgs.ks
index 29d3cf7..0149956 100644
--- a/common-pkgs.ks
+++ b/common-pkgs.ks
@@ -28,6 +28,10 @@ bind-utils
syslinux
cronie
hal
+# Stupid yum dep solver pulls in older 'qemu' to resolve
+# /usr/bin/qemu-img dep. This forces it to pick the new
+# qemu-img RPM.
+qemu-img
ovirt-node
-audit-libs-python
-hdparm
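Review bot: the comment explains that `qemu-img` is listed to steer the resolver, but not which package's dependency on `/usr/bin/qemu-img` triggers the problem or which qemu/qemu-img versions are involved, so nobody can tell later when the explicit include is safe to drop; name the requiring package and the version split in the comment (the thread linked from the commit message has the details) rather than leaving only the URL in git history.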
@@ -58,6 +62,5 @@ ovirt-node
-cpio
-hwdata
-file
--qemu
-libvirt-python
/usr/sbin/lokkit
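Review bot: the `-qemu` exclusion was present before this change and `qemu` was still being pulled in (hence the `rpm -e --nodeps` sledgehammer mentioned in the commit message), so the exclusion evidently did not bind and its removal changes nothing in practice; a note to that effect in the commit message would stop a future reader from re-adding it as a fix.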
diff --git a/common-post.ks b/common-post.ks
index ea5b1b7..dfc6418 100644
--- a/common-post.ks
+++ b/common-post.ks
@@ -56,7 +56,7 @@ $RPM -e system-config-firewall-tui system-config-network-tui rhpl \
RPM="rpm -v -e --nodeps"
-$RPM -e qemu kpartx mkinitrd isomd5sum dmraid python python-libs
+$RPM -e kpartx mkinitrd isomd5sum dmraid python python-libs
$RPM -e checkpolicy
# Remove additional RPMs forcefully
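Review bot: with `qemu` no longer force-removed here, nothing in %post verifies that the yum workaround in `common-pkgs.ks` actually kept it out; a build-time check such as `rpm -q qemu && exit 1` at this point would turn a resolver regression into a failed build instead of a silently larger ISO. The `RPM="rpm -v -e --nodeps"` context line just above is still the duplicate assignment left over from the earlier patch, and the `$RPM -e kpartx ...` line keeps the doubled `-e`.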
--
1.6.0.1.308.gede4c