From 543a42edd62c4c32236090ac868df4fff436f2df Mon Sep 17 00:00:00 2001
From: Jarrod Johnson
Date: Thu, 6 Feb 2025 16:30:06 -0500
Subject: [PATCH] Disable SELinux policy in EL diskless images

The SELinux policies do not currently work in a diskless build, disable by default, though a user may try to enable it manually after build.
---
 imgutil/imgutil | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/imgutil/imgutil b/imgutil/imgutil
index 276ff601..b1698c79 100644
--- a/imgutil/imgutil
+++ b/imgutil/imgutil
@@ -224,7 +224,7 @@ def capture_remote(args):
 sys.exit(1)
 oscat = finfo['oscategory']
 subprocess.check_call(['ssh', '-o', 'LogLevel=QUIET', '-t', targ, 'python3', '/run/imgutil/capenv/imgutil', 'capturelocal'])
- utillib = __file__.replace('bin/imgutil', 'lib/imgutil')
+ utillib = __file__.replace('bin/imgutil', 'lib/imgutil')
 if oscat.startswith('ubuntu'):
 utillib = os.path.join(utillib, '{}/initramfs-tools/'.format(oscat))
 if not os.path.exists(utillib):
@@ -752,6 +752,10 @@ class ElHandler(OsHandler):
 subprocess.check_call(['yum'] + self.yumargs)
 else:
 subprocess.check_call(['yum', '-y'] + self.yumargs)
+ with open(os.path.join(self.targpath, 'etc/selinux/config'), 'r') as seconfigin:
+ seconfig = seconfigin.read().replace('SELINUX=enforcing', 'SELINUX=disabled')
+ with open(os.path.join(self.targpath, 'etc/selinux/config'), 'w') as seconfigout:
+ seconfigout.write(seconfig)
 with open('/proc/mounts') as mountinfo:
 for line in mountinfo.readlines():
 if line.startswith('selinuxfs '):
@@ -761,7 +765,7 @@ class ElHandler(OsHandler):
 def relabel_targdir(self):
 subprocess.check_call(
- ['setfiles', '-r', self.targpath,
+ ['setfiles', '-r', self.targpath,
 '/etc/selinux/targeted/contexts/files/file_contexts',
 self.targpath])
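Review bot: The added rewrite of `etc/selinux/config` in the second hunk opens the file unconditionally, so a target tree that lacks it (for example a package list without the SELinux policy package, if such profiles are supported) would fail the build with an unhandled exception right after the yum install. It also switches off mandatory access control in every EL diskless image without a comment in the code or a line in the build output, and the literal `SELINUX=enforcing` match leaves a `permissive` setting as it is, which seems intended but is not stated. I would compute the path once, guard on the file's existence, and tell the operator what was changed, as sketched below. The enclosing ElHandler method starts and ends outside the hunk, and the other two hunks look like whitespace-only changes.

```python
# … unchanged: yum install calls …
seconfpath = os.path.join(self.targpath, 'etc/selinux/config')
if os.path.exists(seconfpath):
    # SELinux policy does not currently work in diskless images, so the
    # image ships with it disabled; only an 'enforcing' setting is rewritten.
    with open(seconfpath, 'r') as seconfigin:
        seconfig = seconfigin.read().replace('SELINUX=enforcing', 'SELINUX=disabled')
    with open(seconfpath, 'w') as seconfigout:
        seconfigout.write(seconfig)
    sys.stderr.write('SELinux set to disabled in {}\n'.format(seconfpath))
# … unchanged: /proc/mounts selinuxfs check …
```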