[lxc-devel] [PATCH 2/2] Fixes for selinux and pam_loginuid.so

Stéphane Graber stgraber at ubuntu.com
Mon Nov 25 19:46:50 UTC 2013


On Mon, Nov 25, 2013 at 12:31:30PM -0500, Michael H. Warfield wrote:
> Fixes for selinux and pam_loginuid.so
> 
> Just some additional catches for disabling selinux and pam_loginuid.so
> thanks to Dwight Engen and the Oracle template.
> 
> Signed-off-by: Michael H. Warfield <mhw at WittsEnd.com>

Might be worth mentioning the addition of the SSH server and client?

Anyway, the change itself is fine.

Acked-by: Stéphane Graber <stgraber at ubuntu.com>

> ---
>  templates/lxc-fedora.in | 23 ++++++++++++++++++++---
>  1 file changed, 20 insertions(+), 3 deletions(-)
> 
> diff --git a/templates/lxc-fedora.in b/templates/lxc-fedora.in
> index 9208e88..9999503 100644
> --- a/templates/lxc-fedora.in
> +++ b/templates/lxc-fedora.in
> @@ -98,11 +98,24 @@ configure_fedora()
>      mkdir -p $rootfs_path/selinux
>      echo 0 > $rootfs_path/selinux/enforce
>  
> -    # This may be related to disabling selinux above but this is
> -    # a known problem and documented in RedHat bugzilla as relating
> +    # Also kill it in the /etc/selinux/config file if it's there...
> +    if [[ -f $rootfs_path/etc/selinux/config ]]
> +    then
> +        sed -i '/^SELINUX=/s/.*/SELINUX=disabled/' $rootfs_path/etc/selinux/config
> +    fi
> +
> +    # Nice catch from Dwight Engen in the Oracle template.
> +    # Wantonly plagerized here with much appreciation.
> +    if [ -f $rootfs_path/usr/sbin/selinuxenabled ]; then
> +        mv $rootfs_path/usr/sbin/selinuxenabled $rootfs_path/usr/sbin/selinuxenabled.lxcorig
> +        ln -s /bin/false $rootfs_path/usr/sbin/selinuxenabled
> +    fi
> +
> +    # This is a known problem and documented in RedHat bugzilla as relating
>      # to a problem with auditing enabled.  This prevents an error in
>      # the container "Cannot make/remove an entry for the specified session"
>      sed -i '/^session.*pam_loginuid.so/s/^session/# session/' ${rootfs_path}/etc/pam.d/login
> +    sed -i '/^session.*pam_loginuid.so/s/^session/# session/' ${rootfs_path}/etc/pam.d/sshd
>  
>      # configure the network using the dhcp
>      cat <<EOF > ${rootfs_path}/etc/sysconfig/network-scripts/ifcfg-eth0
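Review bot: the `selinuxenabled` replacement is not idempotent. `[ -f $rootfs_path/usr/sbin/selinuxenabled ]` follows symlinks, so on a second run of `configure_fedora` (or after the `mv` has already happened) the test is still true, the `.lxcorig` backup gets overwritten by the `/bin/false` symlink and the real binary is lost. Guard it with `[ -f ... ] && [ ! -L ... ]` or skip the block when `selinuxenabled.lxcorig` already exists. Two smaller points on the same hunk: `$rootfs_path` is unquoted in the new `[[ -f ... ]]`, `mv` and `ln` lines while the surrounding code uses `${rootfs_path}`, and the new `sed -i` on `etc/pam.d/sshd` only works because the same series adds `openssh-server` to `PKG_LIST`; that dependency should be spelled out in the comment, since `sed -i` on a missing file prints an error rather than silently doing nothing.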
> @@ -132,6 +145,9 @@ EOF
>  ::1                 localhost6.localdomain6 localhost6
>  EOF
>  
> +    # These mknod's really don't make any sense with modern releases of
> +    # Fedora with systemd, devtmpfs, and autodev enabled.  They are left
> +    # here for legacy reasons and older releases with upstart and sysv init.
>      dev_path="${rootfs_path}/dev"
>      rm -rf $dev_path
>      mkdir -p $dev_path
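Review bot: the new comment says the `mknod` block makes no sense on systemd/devtmpfs/autodev releases, but the code below it still runs unconditionally for every release. If that is the intent, say so explicitly in the comment (for example that the nodes are harmless when autodev later mounts over `/dev`); otherwise gate the block on `${release}` or on the detected init system so the comment and the behaviour agree.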
> @@ -187,6 +203,7 @@ EOF
>  
>      return 0
>  }
> +
>  configure_fedora_init()
>  {
>      sed -i 's|.sbin.start_udev||' ${rootfs_path}/etc/rc.sysinit
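Review bot: unrelated whitespace change in an otherwise functional patch; the added blank line before `configure_fedora_init()` is fine stylistically but would be easier to review in a separate cleanup commit, or at least mentioned in the commit message.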
> @@ -635,7 +652,7 @@ download_fedora()
>      BOOTSTRAP_INSTALL_ROOT=${INSTALL_ROOT}
>      BOOTSTRAP_CHROOT=
>  
> -    PKG_LIST="yum initscripts passwd rsyslog vim-minimal dhclient chkconfig rootfiles policycoreutils fedora-release"
> +    PKG_LIST="yum initscripts passwd rsyslog vim-minimal openssh-server openssh-clients dhclient chkconfig rootfiles policycoreutils fedora-release"
>      MIRRORLIST_URL="http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-$release&arch=$arch"
>  
>      if [[ ${release} -lt 17 ]]
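Review bot: the addition of `openssh-server` and `openssh-clients` to `PKG_LIST` is a user-visible change (every new Fedora container now ships an SSH daemon) and is not mentioned in the commit message, which only talks about selinux and pam_loginuid. Please document it there, and note that the `etc/pam.d/sshd` edit in the first hunk depends on this package being installed.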
> -- 
> 1.8.3.1
> 
> 
> -- 
> Michael H. Warfield (AI4NB) | (770) 978-7061 |  mhw at WittsEnd.com
>    /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
>    NIC whois: MHW9          | An optimist believes we live in the best of all
>  PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
> 





-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com