[lxc-devel] [PATCH 2/2] Fixes for selinux and pam_loginuid.so

Michael H. Warfield mhw at WittsEnd.com
Mon Nov 25 20:08:28 UTC 2013


On Mon, 2013-11-25 at 14:46 -0500, Stéphane Graber wrote: 
> On Mon, Nov 25, 2013 at 12:31:30PM -0500, Michael H. Warfield wrote:
> > Fixes for selinux and pam_loginuid.so
> > 
> > Just some additional catches for disabling selinux and pam_loginuid.so
> > thanks to Dwight Engen and the Oracle template.
> > 
> > Signed-off-by: Michael H. Warfield <mhw at WittsEnd.com>

> Might be worth mentioning the addition of the SSH server and client?

Yeah, actually, I caught that one when I tried to fix the problem
in /etc/pam.d/sshd and found it wasn't there because the packages
weren't installed.  So, it was sort of related and should have been
caught earlier...  Catch-22.  If I don't install them, I can't fix them
and, if I don't fix them, they'll be busted when someone else installs
the packages that almost everyone needs anyways...  Sigh...

> Anyway, the change itself is fine.

Cool.

Mike

> Acked-by: Stéphane Graber <stgraber at ubuntu.com>
> 
> > ---
> >  templates/lxc-fedora.in | 23 ++++++++++++++++++++---
> >  1 file changed, 20 insertions(+), 3 deletions(-)
> > 
> > diff --git a/templates/lxc-fedora.in b/templates/lxc-fedora.in
> > index 9208e88..9999503 100644
> > --- a/templates/lxc-fedora.in
> > +++ b/templates/lxc-fedora.in
> > @@ -98,11 +98,24 @@ configure_fedora()
> >      mkdir -p $rootfs_path/selinux
> >      echo 0 > $rootfs_path/selinux/enforce
> >  
> > -    # This may be related to disabling selinux above but this is
> > -    # a known problem and documented in RedHat bugzilla as relating
> > +    # Also kill it in the /etc/selinux/config file if it's there...
> > +    if [[ -f $rootfs_path/etc/selinux/config ]]
> > +    then
> > +        sed -i '/^SELINUX=/s/.*/SELINUX=disabled/' $rootfs_path/etc/selinux/config
> > +    fi
> > +
> > +    # Nice catch from Dwight Engen in the Oracle template.
> > +    # Wantonly plagerized here with much appreciation.
> > +    if [ -f $rootfs_path/usr/sbin/selinuxenabled ]; then
> > +        mv $rootfs_path/usr/sbin/selinuxenabled $rootfs_path/usr/sbin/selinuxenabled.lxcorig
> > +        ln -s /bin/false $rootfs_path/usr/sbin/selinuxenabled
> > +    fi
> > +
> > +    # This is a known problem and documented in RedHat bugzilla as relating
> >      # to a problem with auditing enabled.  This prevents an error in
> >      # the container "Cannot make/remove an entry for the specified session"
> >      sed -i '/^session.*pam_loginuid.so/s/^session/# session/' ${rootfs_path}/etc/pam.d/login
> > +    sed -i '/^session.*pam_loginuid.so/s/^session/# session/' ${rootfs_path}/etc/pam.d/sshd
> >  
> >      # configure the network using the dhcp
> >      cat <<EOF > ${rootfs_path}/etc/sysconfig/network-scripts/ifcfg-eth0
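Review bot: the selinuxenabled replacement guarded by `if [ -f $rootfs_path/usr/sbin/selinuxenabled ]` is not idempotent. After the first run that path is a symlink to /bin/false; `[ -f ]` follows the link, and since /bin/false exists on the host the test still succeeds, so a second run of the template renames the symlink over `selinuxenabled.lxcorig` and the original binary is lost. Add `&& [ ! -L ... ]` to the test, or skip the move when `selinuxenabled.lxcorig` already exists. Two smaller points in the same hunk: the new `sed -i` on `${rootfs_path}/etc/pam.d/sshd` runs unconditionally and will print an error when openssh-server is not in the rootfs (a cached or custom package list), whereas the `/etc/selinux/config` edit a few lines above is wrapped in a `-f` test; guard it the same way. The hunk also mixes `[[ -f $rootfs_path... ]]`, `[ -f $rootfs_path... ]` and `${rootfs_path}`; one form, with the expansion quoted, would be easier to review since rootfs_path is a user-supplied path.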
> > @@ -132,6 +145,9 @@ EOF
> >  ::1                 localhost6.localdomain6 localhost6
> >  EOF
> >  
> > +    # These mknod's really don't make any sense with modern releases of
> > +    # Fedora with systemd, devtmpfs, and autodev enabled.  They are left
> > +    # here for legacy reasons and older releases with upstart and sysv init.
> >      dev_path="${rootfs_path}/dev"
> >      rm -rf $dev_path
> >      mkdir -p $dev_path
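Review bot: the new comment says the mknod block only makes sense for pre-systemd releases, but the code under it (`rm -rf $dev_path` and the rebuild of `/dev`) still runs unconditionally for every release, so the comment documents an intent the code does not implement. Either gate the block on the same release check the template already uses for `configure_fedora_init`, or state in the comment why running it anyway is harmless with autodev. Separately, `rm -rf $dev_path` is unquoted and derived from `${rootfs_path}`; if rootfs_path were ever empty this becomes `rm -rf /dev` on the host, so a non-empty check (for example `"${rootfs_path:?}"`) before this block is worth adding.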
> > @@ -187,6 +203,7 @@ EOF
> >  
> >      return 0
> >  }
> > +
> >  configure_fedora_init()
> >  {
> >      sed -i 's|.sbin.start_udev||' ${rootfs_path}/etc/rc.sysinit
> > @@ -635,7 +652,7 @@ download_fedora()
> >      BOOTSTRAP_INSTALL_ROOT=${INSTALL_ROOT}
> >      BOOTSTRAP_CHROOT=
> >  
> > -    PKG_LIST="yum initscripts passwd rsyslog vim-minimal dhclient chkconfig rootfiles policycoreutils fedora-release"
> > +    PKG_LIST="yum initscripts passwd rsyslog vim-minimal openssh-server openssh-clients dhclient chkconfig rootfiles policycoreutils fedora-release"
> >      MIRRORLIST_URL="http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-$release&arch=$arch"
> >  
> >      if [[ ${release} -lt 17 ]]
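Review bot: the commit message does not mention that `openssh-server` and `openssh-clients` are now part of the bootstrap PKG_LIST, which is a behaviour change for every new Fedora container (sshd is installed where it was not before); add a line to the message, as raised in the thread, and note there that the `/etc/pam.d/sshd` edit earlier in the patch depends on this package being present. If a user supplies a different package list or reuses an older cached rootfs without openssh-server, that sed has nothing to edit and should be guarded rather than assumed.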
> > -- 
> > 1.8.3.1
> > 
> > 
> > -- 
> > Michael H. Warfield (AI4NB) | (770) 978-7061 |  mhw at WittsEnd.com
> >    /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
> >    NIC whois: MHW9          | An optimist believes we live in the best of all
> >  PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
> > 
> 
> > _______________________________________________
> > Lxc-devel mailing list
> > Lxc-devel at lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/lxc-devel

-- 
Michael H. Warfield (AI4NB) | (770) 978-7061 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
