[Libguestfs] [COMMON PATCH 1/1] mlcustomize: skip SELinux relabeling if it's disabled

Richard W.M. Jones rjones at redhat.com
Sat Apr 22 08:03:28 UTC 2023


On Fri, Apr 21, 2023 at 09:01:41PM +0300, Andrey Drobyshev wrote:
> From: Roman Kagan <rkagan at virtuozzo.com>
> 
> Even if SELinux config file and policy tools are present, SELinux may be
> turned off by a setting in that config file, "SELINUX", having a value
> of "disabled".
> 
> Detect this case and skip relabeling.
> 
> Signed-off-by: Roman Kagan <rkagan at virtuozzo.com>
> ---
>  mlcustomize/SELinux_relabel.ml | 16 +++++++++++++---
>  1 file changed, 13 insertions(+), 3 deletions(-)
> 
> diff --git a/mlcustomize/SELinux_relabel.ml b/mlcustomize/SELinux_relabel.ml
> index 5ecf7bd..df1de7b 100644
> --- a/mlcustomize/SELinux_relabel.ml
> +++ b/mlcustomize/SELinux_relabel.ml
> @@ -59,14 +59,24 @@ and use_setfiles g =
>    g#aug_load ();
>    debug_augeas_errors g;
>  
> +  let config_path = "/files/etc/selinux/config" in
> +  let config_keys = g#aug_ls config_path in
> +  (* SELinux may be disabled via a setting in config file *)
> +  let selinux_disabled =
> +    let selinuxmode_path = config_path ^ "/SELINUX" in
> +    if array_find selinuxmode_path config_keys then
> +      g#aug_get selinuxmode_path = "disabled"
> +    else
> +      false in
> +  if selinux_disabled then
> +      failwith "selinux disabled";
> +
>    (* Get the SELinux policy name, eg. "targeted", "minimum".
>     * Use "targeted" if not specified, just like libselinux does.
>     *)
>    let policy =
> -    let config_path = "/files/etc/selinux/config" in
>      let selinuxtype_path = config_path ^ "/SELINUXTYPE" in
> -    let keys = g#aug_ls config_path in
> -    if array_find selinuxtype_path keys then
> +    if array_find selinuxtype_path config_keys then
>        g#aug_get selinuxtype_path
>      else
>        "targeted" in
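
Review bot: the new `if selinux_disabled then failwith "selinux disabled";` branch raises an exception, while the commit message says relabeling is skipped, and nothing in this hunk shows where that exception is caught. If `use_setfiles` relies on a caller's handler to turn the failure into a skip, a comment beside the `failwith` naming that handler would make the control flow clear. Otherwise, return from the function explicitly so that a disabled guest is not reported as an error. The `failwith` line is also indented four spaces past its `if` where the rest of the function uses two. Separately, `g#aug_get selinuxmode_path = "disabled"` matches only that exact lowercase spelling; it is worth confirming that this is the only form the config file can carry.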

ACK

I'll push this soon.

I want to also get rid of that array_find function.  No longer needed
since we assume OCaml >= 4.03 everywhere now ...

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
libguestfs lets you edit virtual machines.  Supports shell scripting,
bindings from many languages.  http://libguestfs.org