[Piuparts-devel] Bug#682068: Bug#682068: selinux + piuparts

Laurent Bigonville bigon at debian.org
Thu May 1 14:13:45 UTC 2014


tag 682068 + patch
thanks

On Wed, 30 Apr 2014 15:46:45 +0200,
Holger Levsen <holger at layer-acht.org> wrote:

> Hi,
> 
> On Wednesday, 30 April 2014, Laurent Bigonville wrote:
> > I'll try to cook something. But if you really want to remove the
> > support, wouldn't it be better to unconditionally switch to the new
> > path instead?
> 
> as said a year ago, just changing paths won't work, as detecting
> selinux needs to be updated too:
> 
> On Saturday, 18 May 2013, Holger Levsen wrote:
> > tags 682068 + moreinfo
> > thanks
> > 
> > Hi Laurent,
> > 
> > piuparts is only trying to mount selinux mountpoints if
> > /usr/sbin/selinuxenabled ran successfully.
> > 
> > I have two problems now:
> > - /usr/sbin/selinuxenabled doesn't even exist on my wheezy system
> > - isn't there some selinux tool to tell me the expected mountpoint?
> > I don't want to mess around with versions in piuparts.py source
> > code (be it "wheezy", "squeeze", 2.0.96-1 or 2.1.9-5) to decide
> > whether to mount /selinux or /sys/fs/selinux ?!!
> > 
> > See below for actual related code. That's it, plus calls to them.
> > 
> > def selinux_enabled(enabled_test="/usr/sbin/selinuxenabled"):
> >     if os.access(enabled_test, os.X_OK):
> >         retval, output = run([enabled_test], ignore_errors=True)
> >         if retval == 0:
> >             return True
> >         else:
> >             return False
> >     # helper not present at all: treat selinux as disabled
> >     return False
> > 
> >     def mount_selinux(self):
> >         if selinux_enabled():
> >             run(["mkdir", "-p", self.relative("/selinux")])
> >             run(["mount", "-t", "selinuxfs", "/selinux",
> >                  self.relative("/selinux")])
> >             logging.info("SElinux mounted into chroot")
> > 
> >     def unmount_selinux(self):
> >         if selinux_enabled():
> >             run(["umount", self.relative("/selinux")])
> >             logging.info("SElinux unmounted from chroot")
> 
> I think I really either want a tested patch from someone using
> selinux or remove this code.

I've attached a patch that implements the change. If /selinux is
present, the selinuxfs will be mounted there. This directory was
shipped by the libselinux package until wheezy (even if in wheezy it was
already mounted at the new location).

The patch also changes the way the selinuxfs is mounted. The
selinuxfs is now bind mounted and then set to read-only. This is needed
to make userspace think that selinux is disabled; otherwise dpkg
will simply fail if the selinux policy is not installed in the chroot
(see: #734193).

I've also added a soft dependency on python-selinux to use the
python API to detect if selinux is enabled instead of using the
selinuxenabled executable. If you don't agree with this, I can revert
this change.

Cheers,

Laurent Bigonville
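The attached patch is not reproduced in the archive, so the following is an added illustration, not Laurent's patch or piuparts' own code, of the three ideas the mail describes: detecting selinux through the python-selinux API with a fallback to the selinuxenabled executable, choosing /selinux inside the chroot when that directory exists and /sys/fs/selinux otherwise, and bind-mounting the host's selinuxfs read-only so libselinux in the chroot treats selinux as disabled. The function names, the `isdir`/`runner` injection parameters and the sample /proc/mounts text are assumptions made here so the logic can be exercised without a selinux host; the mount commands are only built as argv lists, not executed.

```python
import os
import subprocess

try:
    import selinux  # provided by python-selinux / python3-selinux
except ImportError:
    selinux = None

# Known selinuxfs locations, newest first (page: /sys/fs/selinux replaced /selinux).
SELINUX_MOUNTPOINTS = ("/sys/fs/selinux", "/selinux")

# Constructed sample of /proc/mounts on a host with selinuxfs at the new path.
SAMPLE_MOUNTS = (
    "proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0\n"
    "selinuxfs /sys/fs/selinux selinuxfs rw,relatime 0 0\n"
    "/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0\n"
)


def selinux_enabled(api=selinux, enabled_test="/usr/sbin/selinuxenabled",
                    runner=subprocess.call):
    """Prefer the library API; fall back to the helper binary; else assume disabled."""
    if api is not None:
        return bool(api.is_selinux_enabled())
    if os.access(enabled_test, os.X_OK):
        return runner([enabled_test]) == 0
    return False


def host_selinuxfs_mount(mounts_text):
    """Return where the host has selinuxfs mounted, parsed from /proc/mounts text."""
    for line in mounts_text.splitlines():
        fields = line.split()
        # /proc/mounts: source target fstype options dump pass
        if len(fields) >= 3 and fields[2] == "selinuxfs":
            return fields[1]
    return None


def chroot_selinux_dir(chroot, isdir=os.path.isdir):
    """Use /selinux if the chroot ships it (libselinux up to wheezy), else /sys/fs/selinux."""
    if isdir(os.path.join(chroot, "selinux")):
        return "/selinux"
    return "/sys/fs/selinux"


def mount_commands(chroot, host_mount, chroot_dir):
    """argv lists that bind-mount the host selinuxfs into the chroot, then remount read-only."""
    target = os.path.join(chroot, chroot_dir.lstrip("/"))
    return [
        ["mkdir", "-p", target],
        ["mount", "--bind", host_mount, target],
        # read-only selinuxfs is what makes libselinux inside report "disabled"
        ["mount", "-o", "remount,ro,bind", target],
    ]


def unmount_commands(chroot, chroot_dir):
    target = os.path.join(chroot, chroot_dir.lstrip("/"))
    return [["umount", target]]


if __name__ == "__main__":
    host = host_selinuxfs_mount(SAMPLE_MOUNTS)
    inside = chroot_selinux_dir("/srv/chroot", isdir=lambda p: p == "/srv/chroot/selinux")
    for argv in mount_commands("/srv/chroot", host, inside):
        print(" ".join(argv))
```

Each step is a separate function so it can be checked against a fake filesystem; the actual decision to run the mount commands would still be gated on `selinux_enabled()` as in the piuparts code quoted above.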
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 682068.patch
Type: text/x-patch
Size: 2796 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/piuparts-devel/attachments/20140501/b4a03fd2/attachment.bin>