From 03612bf8024b58380f6b70254913558c9f96c822 Mon Sep 17 00:00:00 2001 From: Chris Lumens Date: Wed, 18 Aug 2010 10:26:00 -0400 Subject: Reset labels on /var/cache/yum as well (#623434). anaconda indirectly creates this directory tree when it creates a Yum object chrooted under /mnt/sysimage, so we need to ensure it gets the proper selinux label. While I'm at it, fix a couple stupid things in how file context setting didn't work: (1) Make directory handling recursive, since who knows how much stuff is in /var/cache/yum. (2) Make globs check against /mnt/sysimage instead of /. Before, we were just getting lucky with contexts since the networking files were all the same. But we shouldn't rely on that luck continuing. (3) Move the file lists into constants.py. --- pyanaconda/packages.py | 63 +++++++++++++++++++++++++------------------------- 1 file changed, 32 insertions(+), 31 deletions(-) (limited to 'pyanaconda/packages.py') diff --git a/pyanaconda/packages.py b/pyanaconda/packages.py index 7d88d069a..232e329ca 100644 --- a/pyanaconda/packages.py +++ b/pyanaconda/packages.py @@ -23,6 +23,7 @@ # Jeremy Katz # +import itertools import glob import iutil import isys @@ -186,41 +187,41 @@ def setupTimezone(anaconda): # FIXME: this is a huge gross hack. hard coded list of files # created by anaconda so that we can not be killed by selinux def setFileCons(anaconda): + def contextCB(arg, directory, files): + for file in files: + path = os.path.join(directory, file) + + if not os.access(path, os.R_OK): + log.warning("%s doesn't exist" % path) + continue + + # If the path begins with rootPath, matchPathCon will never match + # anything because policy doesn't contain that path. + if path.startswith(anaconda.rootPath): + path = path.replace(anaconda.rootPath, "") + + ret = isys.resetFileContext(path, anaconda.rootPath) + log.info("set fc of %s to %s" % (path, ret)) + if flags.selinux: log.info("setting SELinux contexts for anaconda created files") - files = ["/etc/rpm/macros", "/etc/dasd.conf", "/etc/zfcp.conf", - "/etc/lilo.conf.anaconda", "/lib64", "/usr/lib64", - "/etc/blkid.tab", "/etc/blkid.tab.old", - "/etc/mtab", "/etc/fstab", "/etc/resolv.conf", - "/etc/modprobe.conf", "/etc/modprobe.conf~", - "/var/log/wtmp", "/var/run/utmp", "/etc/crypttab", - "/dev/log", "/var/lib/rpm", "/", "/etc/raidtab", - "/etc/mdadm.conf", "/etc/sysconfig/network", - "/etc/udev/rules.d/70-persistent-net.rules", - "/root/install.log", "/root/install.log.syslog", - "/etc/shadow", "/etc/shadow-", "/etc/gshadow"] + \ - glob.glob('/etc/dhcp/dhclient-*.conf') - - vgs = ["/dev/%s" % vg.name for vg in anaconda.storage.vgs] - - # ugh, this is ugly - for dir in ["/etc/sysconfig/network-scripts", "/var/lib/rpm", "/etc/lvm", "/dev/mapper", "/etc/iscsi", "/var/lib/iscsi", "/root", "/var/log", "/etc/modprobe.d", "/etc/sysconfig" ] + vgs: - def addpath(x): return dir + "/" + x - - if not os.path.isdir(anaconda.rootPath + dir): - continue - dirfiles = os.listdir(anaconda.rootPath + dir) - files.extend(map(addpath, dirfiles)) - files.append(dir) + # Add "/mnt/sysimage" to the front of every path so the glob works. + # Then run glob on each element of the list and flatten it into a + # single list we can run contextCB across. + files = itertools.chain(*map(lambda f: glob.glob("%s/%s" % (anaconda.rootPath, f)), + relabelFiles)) + contextCB(None, "", files) - for f in files: - if not os.access("%s/%s" %(anaconda.rootPath, f), os.R_OK): - log.warning("%s doesn't exist" %(f,)) - continue - ret = isys.resetFileContext(os.path.normpath(f), - anaconda.rootPath) - log.info("set fc of %s to %s" %(f, ret)) + for dir in relabelDirs + ["/dev/%s" % vg.name for vg in anaconda.storage.vgs]: + # Add "/mnt/sysimage" for similar reasons to above. + dir = "%s/%s" % (anaconda.rootPath, dir) + + os.path.walk(dir, contextCB, None) + + # os.path.walk won't include the directory we start walking at, + # so that needs its context set separtely. + contextCB(None, "", [dir]) return -- cgit