Quoting Dwight Engen (dwight.en...@oracle.com): > Signed-off-by: Dwight Engen <dwight.en...@oracle.com>
Acked-by: Serge E. Hallyn <serge.hal...@ubuntu.com> > --- > templates/lxc-oracle.in | 15 +++++++++++++-- > 1 file changed, 13 insertions(+), 2 deletions(-) > > diff --git a/templates/lxc-oracle.in b/templates/lxc-oracle.in > index 78d99ee..106150c 100644 > --- a/templates/lxc-oracle.in > +++ b/templates/lxc-oracle.in > @@ -51,11 +51,17 @@ container_rootfs_configure() > { > echo "Configuring container for Oracle Linux > $container_release_major.$container_release_minor" > > - # "disable" selinux. init in OL 5 honors /etc/selinux/config. note that > + # "disable" selinux in the guest. The policy in the container isn't > + # likely to match the hosts (unless host == guest exactly) and the > + # kernel can only be enforcing one policy. > + # > + # The OL 5 init honors /etc/selinux/config, but note that > # this doesnt actually disable it if it's enabled in the host, since > # libselinux::is_selinux_enabled() in the guest will check > # /proc/filesystems and see selinuxfs, thus reporting that it is on > - # (ie. check the output of sestatus in the guest) > + # (ie. check the output of sestatus in the guest). We also replace > + # /usr/sbin/selinuxenabled with a symlink to /bin/false so that init > + # scripts (ie. mcstransd) that call that think selinux is disabled. > mkdir -p $container_rootfs/selinux > echo 0 > $container_rootfs/selinux/enforce > if [ -e $container_rootfs/etc/selinux/config ]; then 
> @@ -68,6 +74,11 @@ container_rootfs_configure() > sed -i 's|session[ \t]*required[ \t]*pam_selinux.so[ \t]*open|#session > required pam_selinux.so open|' $container_rootfs/etc/pam.d/login > sed -i 's|session[ \t]*required[ \t]*pam_loginuid.so|#session required > pam_loginuid.so|' $container_rootfs/etc/pam.d/login > > + if [ -f $container_rootfs/usr/sbin/selinuxenabled ]; then > + mv $container_rootfs/usr/sbin/selinuxenabled > $container_rootfs/usr/sbin/selinuxenabled.lxcorig > + ln -s /bin/false $container_rootfs/usr/sbin/selinuxenabled > + fi > + > # silence error in checking for selinux > sed -i 's|cat /proc/self/attr/current|cat /proc/self/attr/current > 2>/dev/null|' $container_rootfs/etc/rc.sysinit > sed -i 's|cat /proc/self/attr/current|cat /proc/self/attr/current > 2>/dev/null|' $container_rootfs/etc/rc.d/rc.sysinit > -- > 1.8.3.1
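Review bot: the `[ -f ... ]` guard in the second hunk (the `@@ -68,6 +74,11 @@` block) is not safe to run twice: `-f` follows symlinks, so once `selinuxenabled` is already the symlink to `/bin/false`, the test is still true and the `mv` overwrites `selinuxenabled.lxcorig` with the symlink, losing the original binary. Guard on the real file instead, e.g. `if [ -f ... ] && [ ! -L ... ]; then`, or skip the block when `.lxcorig` already exists. Also worth a comment in the template: a later update of the package that owns `/usr/sbin/selinuxenabled` will put the real binary back and silently undo this, so init scripts such as mcstransd would start seeing selinux as enabled again.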
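Review bot: while the comment block in the first hunk (the `@@ -51,11 +51,17 @@` block) is being rewritten, the two remaining typos could go too: "doesnt" should be "doesn't" and "ie." should be "i.e." (it appears twice in the new text). Otherwise the explanation of why the guest policy cannot be enforced alongside the host's is clear.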