cleanup

move quirks/nss.sh to prepare-root.sh

remove old non-working quirks

only mount selinux when needed

don't install new selinux rules

quirks/nss-altfiles.sh

@@ -1,50 +0,0 @@
-
-sed -i -e 's#^\(passwd:.*\) files#\1 altfiles files#g;s#^\(shadow:.*\) files#\1 altfiles files#g;s#^\(group:.*\) files#\1 altfiles files#g' \
-    "$sysroot"/etc/nsswitch.conf
-
-chroot "$sysroot" bash -c 'useradd -G wheel admin'
-egrep -e '^(adm|wheel):.*' "$sysroot"/etc/group > "$sysroot"/etc/group.admin
-egrep -e '^(adm|wheel):.*' "$sysroot"/etc/gshadow > "$sysroot"/etc/gshadow.admin
-
-sed -i -e '/^wheel:.*/d;/^adm:.*/d' "$sysroot"/etc/group "$sysroot"/etc/gshadow
-sed -i -e '/^admin:.*/d' "$sysroot"/etc/passwd "$sysroot"/etc/shadow "$sysroot"/etc/group "$sysroot"/etc/gshadow
-
-chroot "$sysroot" bash -c 'mv /etc/{passwd,shadow,group,gshadow} /lib && >/etc/passwd && > /etc/shadow && >/etc/group && >/etc/gshadow'
-mv "$sysroot"/etc/group.admin "$sysroot"/etc/group
-mv "$sysroot"/etc/gshadow.admin "$sysroot"/etc/gshadow
-chroot "$sysroot" bash -c 'useradd admin; usermod -a -G wheel admin; echo -n admin | passwd --stdin admin'
-chroot "$sysroot" bash -c 'passwd -e admin'
-
-mkdir -p "$sysroot"/usr/share/factory/var
-mv "$sysroot"/etc/passwd "$sysroot"/etc/sub{u,g}id "$sysroot"/etc/shadow "$sysroot"/etc/group "$sysroot"/etc/gshadow "$sysroot"/usr/share/factory/var
-
-sed -i -e 's!^# directory = /etc!directory = /var!g' "$sysroot"/etc/libuser.conf
-
-for i in passwd shadow group gshadow .pwd.lock subuid subgid; do 
-    ln -sfnr "$sysroot"/var/"$i" "$sysroot"/etc/"$i"
-done
-
-sed -i -e 's#/etc/passwd#/var/passwd#g;s#/etc/npasswd#/var/npasswd#g' "$sysroot"/usr/lib64/security/pam_unix.so
-sed -i -e 's#/etc/shadow#/var/shadow#g;s#/etc/nshadow#/var/nshadow#g' "$sysroot"/usr/lib64/security/pam_unix.so
-sed -i -e 's#/etc/.pwdXXXXXX#/var/.pwdXXXXXX#g' "$sysroot"/usr/lib64/security/pam_unix.so
-sed -i -e 's#/etc/passwd#/var/passwd#g;s#/etc/shadow#/var/shadow#g;s#/etc/gshadow#/var/gshadow#g;s#/etc/group#/var/group#g;s#/etc/subuid#/var/subuid#g;s#/etc/subgid#/var/subgid#g' "$sysroot"/usr/sbin/user{add,mod,del} "$sysroot"/usr/sbin/group{add,mod,del}
-sed -i -e 's#/etc/.pwd.lock#/var/.pwd.lock#g' \
-    "$sysroot"/lib*/libc.so.* \
-    "$sysroot"/usr/lib/systemd/libsystemd-shared*.so
-
-[[ -e "$sysroot"/usr/lib*/librpmostree-1.so.1 ]] && sed -i -e 's#/etc/.pwd.lock#/var/.pwd.lock#g' "$sysroot"/usr/lib*/librpmostree-1.so.1
-
-mkdir -p "$sysroot"/usr/share/factory/home
-cp -avxr "$sysroot"/etc/skel "$sysroot"/usr/share/factory/home/admin
-chown -R +1000.+1000 "$sysroot"/usr/share/factory/home/admin
-
-cat > "$sysroot"/usr/lib/tmpfiles.d/home.conf <<EOF
-C /home/admin - - - - -
-C /var/passwd - - - - -
-C /var/shadow - - - - -
-C /var/group - - - - -
-C /var/gshadow - - - - -
-C /var/subuid - - - - -
-C /var/subgid - - - - -
-C /var/etc - - - - -
-EOF

quirks/nss.sh

@@ -1,82 +0,0 @@
-#!/usr/bin/bash -ex
-
-#chroot "$sysroot" bash -c 'echo -n admin | passwd --stdin root'
-
-# rpcbind only accepts "files altfiles"
-# altfiles has no shadow/gshadow support, therefore we need db
-
-sed -i -e 's#^\(passwd:.*\) files#\1 files altfiles db#g;s#^\(shadow:.*\) files#\1 files altfiles db#g;s#^\(group:.*\) files#\1 files altfiles db#g' \
-    "$sysroot"/etc/nsswitch.conf
-
-mkdir -p "$sysroot"/usr/db
-sed -i -e 's#/var/db#/usr/db#g' "$sysroot"/lib*/libnss_db-2*.so "$sysroot"/var/db/Makefile
-
-egrep -e '^(adm|wheel):.*' "$sysroot"/etc/group > "$sysroot"/etc/group.adm
-egrep -e '^(adm|wheel):.*' "$sysroot"/etc/gshadow > "$sysroot"/etc/gshadow.adm
-chmod --reference="$sysroot"/etc/group "$sysroot"/etc/group.adm
-chmod --reference="$sysroot"/etc/gshadow "$sysroot"/etc/gshadow.adm
-
-sed -i -e 's#:/root:#:/var/roothome:#g' "$sysroot"/etc/passwd
-
-sed -i -e '/^wheel:.*/d;/^adm:.*/d' "$sysroot"/etc/group "$sysroot"/etc/gshadow
-
-chroot "$sysroot" bash -c 'make -C /var/db /usr/db/passwd.db /usr/db/shadow.db /usr/db/gshadow.db /usr/db/group.db && mv /etc/{passwd,shadow,group,gshadow} /lib && >/etc/passwd && > /etc/shadow && >/etc/group && >/etc/gshadow'
-
-mv "$sysroot"/etc/group.adm "$sysroot"/etc/group
-mv "$sysroot"/etc/gshadow.adm "$sysroot"/etc/gshadow
-chmod --reference="$sysroot"/lib/shadow "$sysroot"/etc/shadow
-chmod --reference="$sysroot"/lib/passwd "$sysroot"/etc/passwd
-
-mkdir -p "$sysroot"/usr/share/factory/cfg
-mv "$sysroot"/etc/passwd \
-    "$sysroot"/etc/sub{u,g}id \
-    "$sysroot"/etc/shadow \
-    "$sysroot"/etc/group \
-    "$sysroot"/etc/gshadow \
-    "$sysroot"/usr/share/factory/cfg/
-
-rm -f "$sysroot"/etc/shadow- "$sysroot"/etc/gshadow-
-
-sed -i -e 's!^# directory = /etc!directory = /var!g' "$sysroot"/etc/libuser.conf
-
-for i in passwd shadow group gshadow .pwd.lock subuid subgid; do
-    ln -sfnr "$sysroot"/cfg/"$i" "$sysroot"/etc/"$i"
-done
-
-sed -i -e 's#/etc/passwd#/cfg/passwd#g;s#/etc/npasswd#/cfg/npasswd#g' \
-    "$sysroot"/usr/lib*/security/pam_unix.so
-
-sed -i -e 's#/etc/shadow#/cfg/shadow#g;s#/etc/nshadow#/cfg/nshadow#g' \
-    "$sysroot"/usr/lib*/security/pam_unix.so
-
-sed -i -e 's#/etc/.pwdXXXXXX#/cfg/.pwdXXXXXX#g' \
-    "$sysroot"/usr/lib*/security/pam_unix.so
-
-sed -i -e 's#/etc/passwd#/cfg/passwd#g;s#/etc/shadow#/cfg/shadow#g;s#/etc/gshadow#/cfg/gshadow#g;s#/etc/group#/cfg/group#g;s#/etc/subuid#/cfg/subuid#g;s#/etc/subgid#/cfg/subgid#g' \
-    "$sysroot"/usr/sbin/user{add,mod,del} \
-    "$sysroot"/usr/sbin/group{add,mod,del} \
-    "$sysroot"/usr/bin/newgidmap \
-    "$sysroot"/usr/bin/newuidmap \
-    "$sysroot"/usr/sbin/newusers
-
-sed -i -e 's#/etc/.pwd.lock#/cfg/.pwd.lock#g' \
-    "$sysroot"/lib*/libc.so.* \
-    "$sysroot"/usr/lib/systemd/libsystemd-shared*.so
-
-[[ -e "$sysroot"/usr/lib*/librpmostree-1.so.1 ]] \
-    && sed -i -e 's#/etc/.pwd.lock#/cfg/.pwd.lock#g' \
-    "$sysroot"/usr/lib*/librpmostree-1.so.1
-
-mkdir -p "$sysroot"/usr/share/factory/var/roothome
-chown +0.+0 "$sysroot"/usr/share/factory/var/roothome
-
-cat > "$sysroot"/usr/lib/tmpfiles.d/home.conf <<EOF
-C /var/roothome - - - - -
-C /cfg/passwd - - - - -
-C /cfg/shadow - - - - -
-C /cfg/group - - - - -
-C /cfg/gshadow - - - - -
-C /cfg/subuid - - - - -
-C /cfg/subgid - - - - -
-EOF
-

quirks/nss_db.sh

@@ -1,52 +0,0 @@
-sed -i -e 's#^\(passwd:.*\) files#\1 files db altfile#g;s#^\(shadow:.*\) files#\1 files altfiles db#g;s#^\(group:.*\) files#\1 files altfiles db#g' \
-    "$sysroot"/etc/nsswitch.conf
-mkdir -p "$sysroot"/usr/db
-sed -i -e 's#/var/db#/usr/db#g' "$sysroot"/lib64/libnss_db-2*.so "$sysroot"/var/db/Makefile
-
-chroot "$sysroot" bash -c 'useradd -G wheel admin'
-egrep -e '^(adm|wheel):.*' "$sysroot"/etc/group > "$sysroot"/etc/group.admin
-egrep -e '^(adm|wheel):.*' "$sysroot"/etc/gshadow > "$sysroot"/etc/gshadow.admin
-
-sed -i -e '/^wheel:.*/d;/^adm:.*/d' "$sysroot"/etc/group "$sysroot"/etc/gshadow
-sed -i -e '/^admin:.*/d' "$sysroot"/etc/passwd "$sysroot"/etc/shadow "$sysroot"/etc/group "$sysroot"/etc/gshadow
-
-chroot "$sysroot" bash -c 'make -C /var/db /usr/db/passwd.db /usr/db/shadow.db /usr/db/gshadow.db /usr/db/group.db && mv /etc/{passwd,shadow,group,gshadow} /lib && >/etc/passwd && > /etc/shadow && >/etc/group && >/etc/gshadow'
-
-mv "$sysroot"/etc/group.admin "$sysroot"/etc/group
-mv "$sysroot"/etc/gshadow.admin "$sysroot"/etc/gshadow
-chroot "$sysroot" bash -c 'useradd admin; usermod -a -G wheel admin; echo -n admin | passwd --stdin admin'
-chroot "$sysroot" bash -c 'passwd -e admin'
-
-mkdir -p "$sysroot"/usr/share/factory/var
-mv "$sysroot"/etc/passwd "$sysroot"/etc/sub{u,g}id "$sysroot"/etc/shadow "$sysroot"/etc/group "$sysroot"/etc/gshadow "$sysroot"/usr/share/factory/var
-
-sed -i -e 's!^# directory = /etc!directory = /var!g' "$sysroot"/etc/libuser.conf
-
-for i in passwd shadow group gshadow .pwd.lock subuid subgid; do 
-    ln -sfnr "$sysroot"/var/"$i" "$sysroot"/etc/"$i"
-done
-
-sed -i -e 's#/etc/passwd#/var/passwd#g;s#/etc/npasswd#/var/npasswd#g' "$sysroot"/usr/lib64/security/pam_unix.so
-sed -i -e 's#/etc/shadow#/var/shadow#g;s#/etc/nshadow#/var/nshadow#g' "$sysroot"/usr/lib64/security/pam_unix.so
-sed -i -e 's#/etc/.pwdXXXXXX#/var/.pwdXXXXXX#g' "$sysroot"/usr/lib64/security/pam_unix.so
-sed -i -e 's#/etc/passwd#/var/passwd#g;s#/etc/shadow#/var/shadow#g;s#/etc/gshadow#/var/gshadow#g;s#/etc/group#/var/group#g;s#/etc/subuid#/var/subuid#g;s#/etc/subgid#/var/subgid#g' "$sysroot"/usr/sbin/user{add,mod,del} "$sysroot"/usr/sbin/group{add,mod,del}
-sed -i -e 's#/etc/.pwd.lock#/var/.pwd.lock#g' \
-    "$sysroot"/lib*/libc.so.* \
-    "$sysroot"/usr/lib*/librpmostree-1.so.1 \
-    "$sysroot"/usr/lib/systemd/libsystemd-shared*.so
-
-
-mkdir -p "$sysroot"/usr/share/factory/home
-cp -avxr "$sysroot"/etc/skel "$sysroot"/usr/share/factory/home/admin
-chown -R +1000.+1000 "$sysroot"/usr/share/factory/home/admin
-
-cat > "$sysroot"/usr/lib/tmpfiles.d/home.conf <<EOF
-C /home/admin - - - - -
-C /var/passwd - - - - -
-C /var/shadow - - - - -
-C /var/group - - - - -
-C /var/gshadow - - - - -
-C /var/subuid - - - - -
-C /var/subgid - - - - -
-C /var/etc - - - - -
-EOF

quirks/passwd.sh

@@ -1,31 +0,0 @@
-chroot "$sysroot" bash -c 'useradd admin; usermod -a -G wheel admin; echo -n admin | passwd --stdin admin'
-#chroot "$sysroot" bash -c 'passwd -e admin'
-
-mkdir -p "$sysroot"/usr/share/factory/var
-mv "$sysroot"/etc/passwd "$sysroot"/etc/sub{u,g}id "$sysroot"/etc/shadow "$sysroot"/etc/group "$sysroot"/etc/gshadow "$sysroot"/usr/share/factory/var
-
-sed -i -e 's!^# directory = /etc!directory = /var!g' "$sysroot"/etc/libuser.conf
-
-for i in passwd shadow group gshadow .pwd.lock subuid subgid; do 
-    ln -sfnr "$sysroot"/var/"$i" "$sysroot"/etc/"$i" 
-done
-
-sed -i -e 's#/etc/passwd#/var/passwd#g;s#/etc/npasswd#/var/npasswd#g' "$sysroot"/usr/lib64/security/pam_unix.so
-sed -i -e 's#/etc/shadow#/var/shadow#g;s#/etc/nshadow#/var/nshadow#g' "$sysroot"/usr/lib64/security/pam_unix.so
-sed -i -e 's#/etc/.pwdXXXXXX#/var/.pwdXXXXXX#g' "$sysroot"/usr/lib64/security/pam_unix.so
-sed -i -e 's#/etc/passwd#/var/passwd#g;s#/etc/shadow#/var/shadow#g;s#/etc/gshadow#/var/gshadow#g;s#/etc/group#/var/group#g;s#/etc/subuid#/var/subuid#g;s#/etc/subgid#/var/subgid#g' "$sysroot"/usr/sbin/user{add,mod,del} "$sysroot"/usr/sbin/group{add,mod,del}
-
-mkdir -p "$sysroot"/usr/share/factory/home
-cp -avxr "$sysroot"/etc/skel "$sysroot"/usr/share/factory/home/admin
-chown -R +1000.+1000 "$sysroot"/usr/share/factory/home/admin
-
-cat > "$sysroot"/usr/lib/tmpfiles.d/home.conf <<EOF
-C /home/admin - - - - -
-C /var/passwd - - - - -
-C /var/shadow - - - - -
-C /var/group - - - - -
-C /var/gshadow - - - - -
-C /var/subuid - - - - -
-C /var/subgid - - - - -
-C /var/etc - - - - -
-EOF

quirks/sssd.sh

@@ -1,24 +0,0 @@
-#---------------
-# admin user
-cat > "$sysroot"/etc/sssd/sssd.conf <<EOF
-[sssd]
-domains=local
-config_file_version=2
-services=nss,pam
-[domain/local]
-id_provider=local
-EOF
-chmod 0600 "$sysroot"/etc/sssd/sssd.conf
-
-chroot "$sysroot"
-
-chroot "$sysroot" bash -c 'authselect select sssd with-sudo with-fingerprint with-mkhomedir -f ; sssd -i & sleep 2; sss_useradd admin ; echo -n admin | passwd --stdin admin; echo -n root | passwd --stdin root; usermod -a -G wheel admin; kill %1; wait; :'
-
-systemctl --root="$sysroot" enable sssd.service oddjobd.service
-mkdir -p "$sysroot"/usr/share/factory/var/lib
-mv "$sysroot"/var/lib/sss "$sysroot"/usr/share/factory/var/lib/
-
-cat >> "$sysroot"/usr/lib/tmpfiles.d/sssd.conf <<EOF
-C /var/lib/sss -    -    -    - -
-d /var/log/sssd 0750 root root - -
-EOF

quirks/yubikey.sh

@@ -1,4 +0,0 @@
-#!/bin/bash
-
-mkdir -p "$sysroot"/etc/udev/rules.d
-cp "$CURDIR/69-yubikey.rules" "$sysroot"/etc/udev/rules.d