[lxc-devel] [PATCH 2/2] Fixes for selinux and pam_loginuid.so
Michael H. Warfield
mhw at WittsEnd.com
Mon Nov 25 17:31:30 UTC 2013
Fixes for selinux and pam_loginuid.so
Just some additional catches for disabling selinux and pam_loginuid.so
thanks to Dwight Engen and the Oracle template.
Signed-off-by: Michael H. Warfield <mhw at WittsEnd.com>
---
templates/lxc-fedora.in | 23 ++++++++++++++++++++---
1 file changed, 20 insertions(+), 3 deletions(-)
diff --git a/templates/lxc-fedora.in b/templates/lxc-fedora.in
index 9208e88..9999503 100644
--- a/templates/lxc-fedora.in
+++ b/templates/lxc-fedora.in
@@ -98,11 +98,24 @@ configure_fedora()
mkdir -p $rootfs_path/selinux
echo 0 > $rootfs_path/selinux/enforce
- # This may be related to disabling selinux above but this is
- # a known problem and documented in RedHat bugzilla as relating
+ # Also kill it in the /etc/selinux/config file if it's there...
+ if [[ -f $rootfs_path/etc/selinux/config ]]
+ then
+ sed -i '/^SELINUX=/s/.*/SELINUX=disabled/' $rootfs_path/etc/selinux/config
+ fi
+
+ # Nice catch from Dwight Engen in the Oracle template.
+ # Wantonly plagerized here with much appreciation.
+ if [ -f $rootfs_path/usr/sbin/selinuxenabled ]; then
+ mv $rootfs_path/usr/sbin/selinuxenabled $rootfs_path/usr/sbin/selinuxenabled.lxcorig
+ ln -s /bin/false $rootfs_path/usr/sbin/selinuxenabled
+ fi
+
+ # This is a known problem and documented in RedHat bugzilla as relating
# to a problem with auditing enabled. This prevents an error in
# the container "Cannot make/remove an entry for the specified session"
sed -i '/^session.*pam_loginuid.so/s/^session/# session/' ${rootfs_path}/etc/pam.d/login
+ sed -i '/^session.*pam_loginuid.so/s/^session/# session/' ${rootfs_path}/etc/pam.d/sshd
# configure the network using the dhcp
cat <<EOF > ${rootfs_path}/etc/sysconfig/network-scripts/ifcfg-eth0
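Review bot: The new `sed -i` on `${rootfs_path}/etc/pam.d/sshd` (the line after the existing `login` edit) runs unguarded, unlike the `/etc/selinux/config` and `selinuxenabled` edits above it, which are wrapped in `-f` tests; sshd's pam file only exists once openssh-server is installed, which the PKG_LIST hunk further down adds for fresh downloads but not for an already-cached rootfs, and GNU sed exits non-zero on a missing input file. Guarding it the same way, `[[ -f ${rootfs_path}/etc/pam.d/sshd ]] && sed -i '/^session.*pam_loginuid.so/s/^session/# session/' ${rootfs_path}/etc/pam.d/sshd`, keeps a re-run from stopping there if the template runs under `set -e` (not visible in this hunk). The `selinuxenabled` replacement is also not safely re-runnable: on a second run `-f` follows the new symlink to the host's /bin/false, so the `mv` overwrites the saved `.lxcorig` binary with the link and the unforced `ln -s` then fails on the existing name; `if [[ -f $rootfs_path/usr/sbin/selinuxenabled && ! -L $rootfs_path/usr/sbin/selinuxenabled ]]; then` avoids that and matches the `[[ ]]` form used three lines earlier. configure_fedora starts and ends outside this hunk.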
@@ -132,6 +145,9 @@ EOF
::1 localhost6.localdomain6 localhost6
EOF
+ # These mknod's really don't make any sense with modern releases of
+ # Fedora with systemd, devtmpfs, and autodev enabled. They are left
+ # here for legacy reasons and older releases with upstart and sysv init.
dev_path="${rootfs_path}/dev"
rm -rf $dev_path
mkdir -p $dev_path
@@ -187,6 +203,7 @@ EOF
return 0
}
+
configure_fedora_init()
{
sed -i 's|.sbin.start_udev||' ${rootfs_path}/etc/rc.sysinit
@@ -635,7 +652,7 @@ download_fedora()
BOOTSTRAP_INSTALL_ROOT=${INSTALL_ROOT}
BOOTSTRAP_CHROOT=
- PKG_LIST="yum initscripts passwd rsyslog vim-minimal dhclient chkconfig rootfiles policycoreutils fedora-release"
+ PKG_LIST="yum initscripts passwd rsyslog vim-minimal openssh-server openssh-clients dhclient chkconfig rootfiles policycoreutils fedora-release"
MIRRORLIST_URL="http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-$release&arch=$arch"
if [[ ${release} -lt 17 ]]
--
1.8.3.1
--
Michael H. Warfield (AI4NB) | (770) 978-7061 | mhw at WittsEnd.com
/\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!