[Libguestfs] [PATCH v2 4/7] customize: Add module for doing SELinux relabel of filesystem.

Richard W.M. Jones rjones at redhat.com
Thu Jul 14 08:49:58 UTC 2016


This implements the --selinux-relabel option for virt-customize,
virt-builder and virt-sysprep.  There is no longer any need for the
autorelabel functionality.

Thanks: Stephen Smalley
---
 builder/Makefile.am           |  1 +
 builder/virt-builder.pod      | 20 +++++++++----------
 customize/Makefile.am         |  2 ++
 customize/SELinux_relabel.ml  | 46 +++++++++++++++++++++++++++++++++++++++++++
 customize/SELinux_relabel.mli | 23 ++++++++++++++++++++++
 customize/customize_run.ml    | 14 +------------
 generator/customize.ml        |  4 ----
 sysprep/Makefile.am           |  1 +
 8 files changed, 84 insertions(+), 27 deletions(-)
 create mode 100644 customize/SELinux_relabel.ml
 create mode 100644 customize/SELinux_relabel.mli

diff --git a/builder/Makefile.am b/builder/Makefile.am
index cc9e51d..d44cf4f 100644
--- a/builder/Makefile.am
+++ b/builder/Makefile.am
@@ -155,6 +155,7 @@ BOBJECTS = \
 	$(top_builddir)/customize/perl_edit.cmo \
 	$(top_builddir)/customize/crypt.cmo \
 	$(top_builddir)/customize/password.cmo \
+	$(top_builddir)/customize/SELinux_relabel.cmo \
 	$(top_builddir)/customize/ssh_key.cmo \
 	$(top_builddir)/customize/subscription_manager.cmo \
 	$(top_builddir)/customize/customize_cmdline.cmo \
diff --git a/builder/virt-builder.pod b/builder/virt-builder.pod
index 91c1114..29a67a9 100644
--- a/builder/virt-builder.pod
+++ b/builder/virt-builder.pod
@@ -1756,20 +1756,21 @@ two possible strategies it can use to ensure correct labelling:
 
 =item Using I<--selinux-relabel>
 
-This runs L<fixfiles(8)> just before finalizing the guest, which sets
+This runs L<setfiles(8)> just before finalizing the guest, which sets
 SELinux labels correctly in the disk image.
 
-Sometimes fixfiles is not possible during installation, in which case
-this option falls back on:
+This is the recommended method.  However it is sometimes not possible,
+in particular where the host machine does not have the SELinux
+setfiles command.  In that case you must use:
 
-=item Touching F</.autorelabel>
+=item I<--touch> F</.autorelabel>
 
-Guest templates may already contain a file called F</.autorelabel>, or
-it is touched if I<--selinux-relabel> cannot run fixfiles.
+Guest templates may already contain a file called F</.autorelabel> or
+you may touch it.
 
-For guests that use SELinux, this causes fixfiles to run at first
-boot.  Guests will reboot themselves once the first time you use them,
-which is normal and harmless.
+For guests that use SELinux, this causes L<restorecon(8)> to run at
+first boot.  Guests will reboot themselves once the first time you use
+them, which is normal and harmless.
 
 =back
 
@@ -1884,7 +1885,6 @@ L<gpg(1)>,
 L<curl(1)>,
 L<virt-make-fs(1)>,
 L<genisoimage(1)>,
-L<fixfiles(8)>,
 L<http://libguestfs.org/>.
 
 =head1 AUTHOR
diff --git a/customize/Makefile.am b/customize/Makefile.am
index fbd584d..32104f2 100644
--- a/customize/Makefile.am
+++ b/customize/Makefile.am
@@ -43,6 +43,7 @@ SOURCES_MLI = \
 	password.mli \
 	perl_edit.mli \
 	random_seed.mli \
+	SELinux_relabel.mli \
 	ssh_key.mli \
 	subscription_manager.mli \
 	timezone.mli \
@@ -58,6 +59,7 @@ SOURCES_ML = \
 	password.ml \
 	perl_edit.ml \
 	random_seed.ml \
+	SELinux_relabel.ml \
 	ssh_key.ml \
 	subscription_manager.ml \
 	timezone.ml \
diff --git a/customize/SELinux_relabel.ml b/customize/SELinux_relabel.ml
new file mode 100644
index 0000000..f3ed16d
--- /dev/null
+++ b/customize/SELinux_relabel.ml
@@ -0,0 +1,46 @@
+(* virt-customize
+ * Copyright (C) 2016 Red Hat Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *)
+
+open Common_gettext.Gettext
+open Common_utils
+
+open Printf
+
+module G = Guestfs
+
+let relabel (g : G.guestfs) =
+  (* Use Augeas to parse /etc/selinux/config. *)
+  g#aug_init "/" (16+32) (* AUG_SAVE_NOOP | AUG_NO_LOAD *);
+  (* See: https://bugzilla.redhat.com/show_bug.cgi?id=975412#c0 *)
+  ignore (g#aug_rm "/augeas/load/*[\"/etc/selinux/config/\" !~ regexp('^') + glob(incl) + regexp('/.*')]");
+  g#aug_load ();
+  debug_augeas_errors g;
+
+  (* Get the SELinux policy name, eg. "targeted", "minimum". *)
+  let policy = g#aug_get "/files/etc/selinux/config/SELINUXTYPE" in
+  g#aug_close ();
+
+  (* Get the spec file name. *)
+  let specfile =
+    sprintf "/etc/selinux/%s/contexts/files/file_contexts" policy in
+
+  (* Relabel everything. *)
+  g#setfiles ~force:true specfile "/";
+
+  (* If that worked, we don't need to autorelabel. *)
+  g#rm_f "/.autorelabel"
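Review bot: The `specfile` path is built by interpolating SELINUXTYPE exactly as read from the guest's own /etc/selinux/config, with no validation, so an empty value or one containing a slash points setfiles at an unintended spec file inside the guest rather than at a policy directory; reject such values before use, e.g. `if policy = "" || String.contains policy '/' then error (f_"invalid SELINUXTYPE in /etc/selinux/config: %s") policy;` right after the `aug_get`. Separately, `g#aug_get` presumably raises when the key is absent (a guest with no SELinux config), and on that path `g#aug_close ()` is never reached, leaving the Augeas handle open on the guestfs handle; closing it in the exception path (a `match ... with exception` around the lookup, or a try/with that closes and re-raises) avoids that. The `(16+32)` literal would read better as named bindings for the two AUG_ flags it encodes.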
diff --git a/customize/SELinux_relabel.mli b/customize/SELinux_relabel.mli
new file mode 100644
index 0000000..b1548c8
--- /dev/null
+++ b/customize/SELinux_relabel.mli
@@ -0,0 +1,23 @@
+(* virt-customize
+ * Copyright (C) 2016 Red Hat Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *)
+
+(** SELinux-relabel the filesystem. *)
+
+val relabel : Guestfs.guestfs -> unit
+(** Relabel the mounted guestfs filesystem using the current SELinux
+    policy that applies to the guest. *)
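Review bot: The doc comment on `relabel` omits its observable side effects and failure modes: on success it also removes `/.autorelabel`, and it has no fallback, so a missing SELINUXTYPE in the guest's /etc/selinux/config or a setfiles failure presumably surfaces to the caller as a Guestfs error. Suggest extending it to `(** Relabel the mounted guest filesystem with setfiles, using the policy named by SELINUXTYPE in the guest's /etc/selinux/config, then remove /.autorelabel. Errors from the guestfs handle (policy not found, setfiles failure) propagate to the caller. *)`.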
diff --git a/customize/customize_run.ml b/customize/customize_run.ml
index b96e40c..6f0d615 100644
--- a/customize/customize_run.ml
+++ b/customize/customize_run.ml
@@ -414,19 +414,7 @@ exec >>%s 2>&1
 
   if ops.flags.selinux_relabel then (
     message (f_"SELinux relabelling");
-    if guest_arch_compatible then (
-      let cmd = sprintf "
-        if load_policy && fixfiles restore; then
-          rm -f /.autorelabel
-        else
-          touch /.autorelabel
-          echo '%s: SELinux relabelling failed, will relabel at boot instead.'
-        fi
-      " prog in
-      do_run ~display:"load_policy && fixfiles restore" cmd
-    ) else (
-      g#touch "/.autorelabel"
-    )
+    SELinux_relabel.relabel g
   );
 
   (* Clean up the log file:
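Review bot: With the fallback branch gone, a failure inside `SELinux_relabel.relabel g` (policy unreadable, setfiles unavailable or failing) now propagates and aborts the whole customize run, where the old code scheduled a boot-time relabel instead; that is what the commit intends, but nothing at the call site says so. A short comment such as `(* No fallback: a relabel failure aborts customization.  Use --touch /.autorelabel when setfiles is unavailable. *)` above the call would make the new contract explicit. The enclosing function starts and ends outside the hunk.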
diff --git a/generator/customize.ml b/generator/customize.ml
index 8caf2b5..d212c82 100644
--- a/generator/customize.ml
+++ b/generator/customize.ml
@@ -536,10 +536,6 @@ C</etc/pam.d/common-password> (Debian, Ubuntu).";
     flag_pod_longdesc = "\
 Relabel files in the guest so that they have the correct SELinux label.
 
-This will attempt to relabel files immediately, but if the operation fails
-this will instead touch F</.autorelabel> on the image to schedule a
-relabel operation for the next time the image boots.
-
 You should only use this option for guests which support SELinux.";
   };
 
diff --git a/sysprep/Makefile.am b/sysprep/Makefile.am
index 90f6b04..9dba5e1 100644
--- a/sysprep/Makefile.am
+++ b/sysprep/Makefile.am
@@ -123,6 +123,7 @@ BOBJECTS = \
 	$(top_builddir)/customize/timezone.cmo \
 	$(top_builddir)/customize/firstboot.cmo \
 	$(top_builddir)/customize/perl_edit.cmo \
+	$(top_builddir)/customize/SELinux_relabel.cmo \
 	$(top_builddir)/customize/ssh_key.cmo \
 	$(top_builddir)/customize/subscription_manager.cmo \
 	$(top_builddir)/customize/customize_cmdline.cmo \
-- 
2.7.4



