[Libguestfs] virt-builder & virt-sysprep: Avoiding SELinux relabelling

Richard W.M. Jones rjones at redhat.com
Tue Jan 21 17:32:33 UTC 2014


On Tue, Jan 21, 2014 at 12:01:45PM -0500, R P Herrold wrote:
> (5) it can do an additional step at the very end of the post
> install:
> 	restorecon -R /

This doesn't work on its own.  I suspect this would work:

  load_policy && restorecon -R /

except it gives an error for me:

  SELinux:  Could not downgrade policy file /etc/selinux/targeted/policy/policy.29, searching for an older version.
  SELinux:  Could not open policy file <= /etc/selinux/targeted/policy/policy.29:  No such file or directory
  load_policy:  Can't load policy:  No such file or directory

This could be because the kernel of the libguestfs appliance doesn't
match the kernel of the guest.

(Also I patched my copy of virt-builder to add a call to g#set_selinux true).

By the way, it's not clear to me that using load_policy is safe in all
cases.  In virt-builder it would be fine (if it worked), because you
should trust the templates.  In general, loading an untrusted guest
policy into the appliance kernel may not be a great idea.

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
virt-p2v converts physical machines to virtual machines.  Boot with a
live CD or over the network (PXE) and turn machines into KVM guests.
http://libguestfs.org/virt-v2v
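
A pre-flight check for the kernel/policy mismatch suspected in the message above, as an added example that is not part of the original post or of libguestfs: it compares the newest policy.N file in a guest tree with the maximum policy version the running kernel reports in selinuxfs. The function names, the SELINUXFS variable and the demo tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Read-only: nothing is loaded.

# Print the highest N among the policy.N files in a guest's policy store.
# $1 = guest root (hypothetical mount point), $2 = policy type.
guest_policy_version() {
    dir="$1/etc/selinux/${2:-targeted}/policy"
    best=""
    for f in "$dir"/policy.*; do
        [ -f "$f" ] || continue
        n="${f##*.}"
        case "$n" in ''|*[!0-9]*) continue ;; esac   # skip policy.bak etc.
        if [ -z "$best" ] || [ "$n" -gt "$best" ]; then best="$n"; fi
    done
    [ -n "$best" ] || return 1
    echo "$best"
}

# Print the newest policy version the running kernel accepts, from selinuxfs.
# SELINUXFS is a hypothetical override for where selinuxfs is mounted.
kernel_policy_version() {
    f="${SELINUXFS:-/sys/fs/selinux}/policyvers"
    [ -r "$f" ] || return 1
    cat "$f"
}

# $1 = guest root, $2 = kernel maximum (optional; read from selinuxfs if empty).
# Returns 0: guest policy is not newer than the kernel maximum
#         1: guest policy is newer, so load_policy would need a downgrade
#         2: cannot tell (no policy.N file, or selinuxfs not readable)
policy_loadable() {
    guest=$(guest_policy_version "$1") || return 2
    if [ -n "$2" ]; then kern="$2"; else kern=$(kernel_policy_version) || return 2; fi
    [ "$guest" -le "$kern" ]
}

# Constructed demo: a fake guest tree holding only policy.29, kernel maximum 28.
demo=$(mktemp -d)
mkdir -p "$demo/etc/selinux/targeted/policy"
: > "$demo/etc/selinux/targeted/policy/policy.29"
policy_loadable "$demo" 28 || echo "rc=$?: guest policy newer than kernel, skip load_policy"
rm -rf "$demo"
```

The check only reads file names and selinuxfs, so it says nothing about whether the guest policy is trustworthy enough to load.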



