[Libguestfs] [PATCH 2/2] Use setfiles from the appliance for the SELinux relabel (RHBZ#1089100).

Pino Toscano ptoscano at redhat.com
Tue May 27 08:52:43 UTC 2014 

On Tuesday 27 May 2014 09:08:27 Richard W.M. Jones wrote:
> On Mon, May 26, 2014 at 11:21:59AM +0200, Pino Toscano wrote:
> > Rewrite the relabel API to read the policy configured in the guest,
> > invoking setfiles (added as part of the appliance, as part of
> > policycoreutils) to relabel the specified root. In case of failure
> > at
> > any point of the process, a touch of .autorelabel in the root is
> > tried as last-attempt measure to do the relabel.
> > 
> > Considering that running SELinux tools in the appliance might be
> > affected by the SELinux state (leading to wrong results),
> > selinux_relabel now bails out if SELinux is enabled in the
> > appliance.
> > As a result of this, virt-builder and virt-customize explicitly
> > disable it if the relabel is enabled.
> > 
> > -    g#set_selinux ops.flags.selinux_relabel;
> > +    (* If a relabel is needed, make sure to turn SELinux off to
> > avoid +     * awkward interactions with the relabel process.
> > +     *)
> > +    if ops.flags.selinux_relabel then g#set_selinux false;
> 
> This defaults to false, so AFAICT you could just remove this hunk.  Or
> call g#set_selinux false unconditionally to make your intention
> explicit?
> 
> (Same for the customize_main.ml hunk)

Yes, that together its comment above is done to make that setting 
explicit, so it is not changed in the future creating issues.

> > +  len = length_without_training_slash (root);
> > +
> > +  if (asprintf (&selinux_config, "%s%.*s/etc/selinux/config",
> > +                sysroot, len, root) == -1) {
> > +    if (verbose)
> > +      fprintf (stderr, "asprintf/selinux_config failed\n");
> > +    goto do_autorelabel;
> > +  }
> > +
> > +  r = read_selinux_policy (selinux_config, &policy);
> > +  if (r == -1) {
> > +    if (verbose)
> > +      fprintf (stderr, "cannot read policy from %s\n",
> > selinux_config); +    goto do_autorelabel;
> > +  }
> > +  if (verbose)
> > +    fprintf (stderr, "policy in %s: %s\n", root, policy);
> > +
> > +  if (policy[0] == '\0')
> > +    goto do_autorelabel;
> 
> You'll probably find this is much easier to write and a lot more
> robust using augeas calls.

Good idea, I will use it.

Thanks,
-- 
Pino Toscano

More information about the Libguestfs mailing list