lxc-fedora: Fixes for selinux and pam_loginuid.so

Just some additional catches for disabling selinux and pam_loginuid.so thanks to Dwight Engen and the Oracle template. Also add ssh and ssh-server to the default installation. Signed-off-by: Michael H. Warfield <mhw@WittsEnd.com> Acked-by: Stéphane Graber <stgraber@ubuntu.com>

lxc-fedora: Fixes for selinux and pam_loginuid.so
5266cf0a · Michael H. Warfield · Stéphane Graber · 6a59920b · 5266cf0a
Commit 5266cf0a authored Nov 25, 2013 by Michael H. Warfield Committed by Stéphane Graber Nov 25, 2013
Hide whitespace changes
Inline Side-by-side

Showing with 20 additions and 3 deletions

lxc-fedora.in templates/lxc-fedora.in +20 -3

No files found.
--- a/templates/lxc-fedora.in
+++ b/templates/lxc-fedora.in
@@ -98,11 +98,24 @@ configure_fedora()
    mkdir -p $rootfs_path/selinux
    echo 0 > $rootfs_path/selinux/enforce

-    # This may be related to disabling selinux above but this is
-    # a known problem and documented in RedHat bugzilla as relating
+    # Also kill it in the /etc/selinux/config file if it's there...
+    if [[ -f $rootfs_path/etc/selinux/config ]]
+    then
+        sed -i '/^SELINUX=/s/.*/SELINUX=disabled/' $rootfs_path/etc/selinux/config
+    fi
+
+    # Nice catch from Dwight Engen in the Oracle template.
+    # Wantonly plagerized here with much appreciation.
+    if [ -f $rootfs_path/usr/sbin/selinuxenabled ]; then
+        mv $rootfs_path/usr/sbin/selinuxenabled $rootfs_path/usr/sbin/selinuxenabled.lxcorig
+        ln -s /bin/false $rootfs_path/usr/sbin/selinuxenabled
+    fi
+
+    # This is a known problem and documented in RedHat bugzilla as relating
    # to a problem with auditing enabled.  This prevents an error in
    # the container "Cannot make/remove an entry for the specified session"
    sed -i '/^session.*pam_loginuid.so/s/^session/# session/' ${rootfs_path}/etc/pam.d/login
+    sed -i '/^session.*pam_loginuid.so/s/^session/# session/' ${rootfs_path}/etc/pam.d/sshd

    # configure the network using the dhcp
    cat <<EOF > ${rootfs_path}/etc/sysconfig/network-scripts/ifcfg-eth0
@@ -132,6 +145,9 @@ EOF
 ::1                 localhost6.localdomain6 localhost6
 EOF

+    # These mknod's really don't make any sense with modern releases of
+    # Fedora with systemd, devtmpfs, and autodev enabled.  They are left
+    # here for legacy reasons and older releases with upstart and sysv init.
    dev_path="${rootfs_path}/dev"
    rm -rf $dev_path
    mkdir -p $dev_path
@@ -187,6 +203,7 @@ EOF

    return 0
 }
+
 configure_fedora_init()
 {
    sed -i 's|.sbin.start_udev||' ${rootfs_path}/etc/rc.sysinit
@@ -635,7 +652,7 @@ download_fedora()
    BOOTSTRAP_INSTALL_ROOT=${INSTALL_ROOT}
    BOOTSTRAP_CHROOT=

-    PKG_LIST="yum initscripts passwd rsyslog vim-minimal dhclient chkconfig rootfiles policycoreutils fedora-release"
+    PKG_LIST="yum initscripts passwd rsyslog vim-minimal openssh-server openssh-clients dhclient chkconfig rootfiles policycoreutils fedora-release"
    MIRRORLIST_URL="http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-$release&arch=$arch"

    if [[ ${release} -lt 17 ]]