From 3c3080a57dc23d84549a41e439aa0662575efaac Mon Sep 17 00:00:00 2001
From: Andrew Jeddeloh
Date: Fri, 18 Oct 2019 13:29:24 -0700
Subject: [PATCH 1/2] distro: turn on SELinux by default

Also force it off when blackbox testing.
---
 internal/distro/distro.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/internal/distro/distro.go b/internal/distro/distro.go
index 97fb2c1b9..d2c96c051 100644
--- a/internal/distro/distro.go
+++ b/internal/distro/distro.go
@@ -53,7 +53,7 @@ var (
 	xfsMkfsCmd = "mkfs.xfs"
 
 	// Flags
-	selinuxRelabel = "false"
+	selinuxRelabel = "true"
 	blackboxTesting = "false"
 	// writeAuthorizedKeysFragment indicates whether to write SSH keys
 	// specified in the Ignition config as a fragment to
@@ -84,7 +84,7 @@ func SwapMkfsCmd() string { return swapMkfsCmd }
 func VfatMkfsCmd() string { return vfatMkfsCmd }
 func XfsMkfsCmd() string { return xfsMkfsCmd }
 
-func SelinuxRelabel() bool { return bakedStringToBool(selinuxRelabel) }
+func SelinuxRelabel() bool { return bakedStringToBool(selinuxRelabel) && !BlackboxTesting() }
 func BlackboxTesting() bool { return bakedStringToBool(blackboxTesting) }
 func WriteAuthorizedKeysFragment() bool {
 	return bakedStringToBool(fromEnv("WRITE_AUTHORIZED_KEYS_FRAGMENT", writeAuthorizedKeysFragment))

From 5a4e5c704ca90ed56a18907892e14154e701142d Mon Sep 17 00:00:00 2001
From: Andrew Jeddeloh
Date: Fri, 18 Oct 2019 13:36:27 -0700
Subject: [PATCH 2/2] tests: remove unused stub for id

This is no longer needed as Ignition no longer shells out to id.
---
 tests/filesystem.go | 7 +---
 tests/stubs/id-stub/main.go | 61 -------------------------------------
 2 files changed, 1 insertion(+), 67 deletions(-)
 delete mode 100644 tests/stubs/id-stub/main.go

diff --git a/tests/filesystem.go b/tests/filesystem.go
index edaa5bbd5..873852574 100644
--- a/tests/filesystem.go
+++ b/tests/filesystem.go
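Review bot: The default of `selinuxRelabel` flips to "true" while the flag still carries no comment, although `writeAuthorizedKeysFragment` two lines below in the same group is documented; the group is now inconsistent at exactly the knob whose default just changed. Unlike `writeAuthorizedKeysFragment`, this value is not read through `fromEnv` and is also overridden by `blackboxTesting` in `SelinuxRelabel()`, neither of which a reader of this block can see. Suggest `// selinuxRelabel is a build-time flag; SelinuxRelabel() reports false regardless of it while blackboxTesting is set.` above the assignment. The enclosing `var (` block starts before this hunk.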
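Review bot: `SelinuxRelabel()` now quietly returns false whenever the build bakes `blackboxTesting` to "true", so a binary shipped with the test flag left on would skip relabeling with nothing in the code path recording why; the exported function also has no doc comment stating this override. Suggest `// SelinuxRelabel reports whether SELinux relabeling is enabled. It is always false when BlackboxTesting() is true.` on the line above. If the caller (outside this hunk) can cheaply log once when relabeling is disabled by the test flag, that would make a misbuilt image easier to spot in the field.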
@@ -80,13 +80,8 @@ func prepareRootPartitionForPasswd(ctx context.Context, root *types.Partition) e
 	}
 
 	// TODO: use the architecture, not hardcode amd64
-	// copy to mountPath/usr/bin/id as it's used by Ignition via a chroot to the mountPath
-	_, err := run(ctx, "cp", "bin/amd64/id-stub", filepath.Join(mountPath, "usr", "bin", "id"))
-	if err != nil {
-		return err
-	}
 	// TODO: needed for user_group_lookup.c
-	_, err = run(ctx, "cp", "/lib64/libnss_files.so.2", filepath.Join(mountPath, "usr", "lib64"))
+	_, err := run(ctx, "cp", "/lib64/libnss_files.so.2", filepath.Join(mountPath, "usr", "lib64"))
 	return err
 }
 
diff --git a/tests/stubs/id-stub/main.go b/tests/stubs/id-stub/main.go
deleted file mode 100644
index 303a06418..000000000
--- a/tests/stubs/id-stub/main.go
+++ /dev/null
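Review bot: The `// TODO: use the architecture, not hardcode amd64` comment is kept although the only line it described, the copy of `bin/amd64/id-stub`, is removed by this hunk; it now sits directly above the libnss copy, which already has its own TODO, and no longer refers to anything in the function. Either drop it or reword it to what remains hard-coded, e.g. `// TODO: the /lib64/libnss_files.so.2 source path is host/architecture specific`. prepareRootPartitionForPasswd begins before this hunk, so the earlier mount steps were not reviewed here.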
@@ -1,61 +0,0 @@
-// Copyright 2018 CoreOS, Inc.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package main
-
-import (
-	"fmt"
-	"io/ioutil"
-	"os"
-	"strings"
-)
-
-func main() {
-	if len(os.Args) != 2 {
-		fmt.Printf("id called incorrectly\n")
-		os.Exit(1)
-	}
-	fmt.Printf("id called for user %s\n", os.Args[1])
-
-	// id accepts both usernames and UIDs, so attempt a lookup for both. If
-	// either lookup doesn't return an error, exit cleanly.
-
-	passwdContents, err := ioutil.ReadFile("/etc/passwd")
-	if err != nil {
-		fmt.Printf("couldn't open /etc/passwd: %v\n", err)
-		os.Exit(1)
-	}
-	passwdLines := strings.Split(string(passwdContents), "\n")
-	for i, l := range passwdLines {
-		if i == len(passwdLines)-1 {
-			// The last line is empty
-			break
-		}
-		tokens := strings.Split(l, ":")
-		if len(tokens) != 7 {
-			fmt.Printf("scanned incorrect number of items: %d\n", len(tokens))
-			os.Exit(1)
-		}
-		currUser := tokens[0]
-		currUid := tokens[2]
-		if currUser == os.Args[1] {
-			os.Exit(0)
-		}
-		if currUid == os.Args[1] {
-			os.Exit(0)
-		}
-	}
-
-	os.Exit(1)
-}