[Libguestfs] [PATCH 2/2] Use setfiles from the appliance for the SELinux relabel (RHBZ#1089100).

Richard W.M. Jones rjones at redhat.com
Tue May 27 08:08:27 UTC 2014 

On Mon, May 26, 2014 at 11:21:59AM +0200, Pino Toscano wrote:
> Rewrite the relabel API to read the policy configured in the guest,
> invoking setfiles (added as part of the appliance, as part of
> policycoreutils) to relabel the specified root. In case of failure at
> any point of the process, a touch of .autorelabel in the root is tried
> as last-attempt measure to do the relabel.
> 
> Considering that running SELinux tools in the appliance might be
> affected by the SELinux state (leading to wrong results),
> selinux_relabel now bails out if SELinux is enabled in the appliance.
> As a result of this, virt-builder and virt-customize explicitly disable
> it if the relabel is enabled.

> -    g#set_selinux ops.flags.selinux_relabel;
> +    (* If a relabel is needed, make sure to turn SELinux off to avoid
> +     * awkward interactions with the relabel process.
> +     *)
> +    if ops.flags.selinux_relabel then g#set_selinux false;

This defaults to false, so AFAICT you could just remove this hunk.  Or
call g#set_selinux false unconditionally to make your intention
explicit?

(Same for the customize_main.ml hunk)

> +  len = length_without_training_slash (root);
> +
> +  if (asprintf (&selinux_config, "%s%.*s/etc/selinux/config",
> +                sysroot, len, root) == -1) {
> +    if (verbose)
> +      fprintf (stderr, "asprintf/selinux_config failed\n");
> +    goto do_autorelabel;
> +  }
> +
> +  r = read_selinux_policy (selinux_config, &policy);
> +  if (r == -1) {
> +    if (verbose)
> +      fprintf (stderr, "cannot read policy from %s\n", selinux_config);
> +    goto do_autorelabel;
> +  }
> +  if (verbose)
> +    fprintf (stderr, "policy in %s: %s\n", root, policy);
> +
> +  if (policy[0] == '\0')
> +    goto do_autorelabel;

You'll probably find this is much easier to write and a lot more
robust using augeas calls.

But yes, generally looks good.

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-df lists disk usage of guests without needing to install any
software inside the virtual machine.  Supports Linux and Windows.
http://people.redhat.com/~rjones/virt-df/

More information about the Libguestfs mailing list