[Libguestfs] [PATCH] builder: run/schedule a SELinux relabel if needed

Richard W.M. Jones rjones at redhat.com
Tue May 10 13:52:04 UTC 2016


On Tue, May 10, 2016 at 10:59:26AM +0200, Pino Toscano wrote:
> If the guest uses SELinux, then make sure to run a relabel (or at least
> schedule one) after the image build: this way the template is
> relabelled, or at least it will do that at the next boot, without the
> need for the user to ask for a relabel.
> 
> This just covers the case of building a new image with no additional
> operations on it though.

ACK.

I suspect that 'compress' should now be called 'functions' and
it should be sourced at the beginning of each script ...

Rich.

>  builder/website/centos.sh          |  2 ++
>  builder/website/compress.sh        | 18 +++++++++++++++++-
>  builder/website/fedora-aarch64.sh  |  2 ++
>  builder/website/fedora-armv7l.sh   |  2 ++
>  builder/website/fedora-i686.sh     |  2 ++
>  builder/website/fedora-ppc64.sh    |  2 ++
>  builder/website/fedora-ppc64le.sh  |  2 ++
>  builder/website/fedora.sh          |  2 ++
>  builder/website/rhel-aarch64.sh    |  2 ++
>  builder/website/rhel-ppc64.sh      |  2 ++
>  builder/website/rhel-ppc64le.sh    |  2 ++
>  builder/website/rhel.sh            |  2 ++
>  builder/website/scientificlinux.sh |  2 ++
>  13 files changed, 41 insertions(+), 1 deletion(-)
> 
> diff --git a/builder/website/centos.sh b/builder/website/centos.sh
> index 5217aef..69670fe 100755
> --- a/builder/website/centos.sh
> +++ b/builder/website/centos.sh
> @@ -96,4 +96,6 @@ virt-install \
>      --nographics \
>      --noreboot
>  
> +DO_RELABEL=1
> +
>  source $(dirname "$0")/compress.sh $output
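Review bot: `DO_RELABEL=1` is dropped in without a comment, and the same two lines are repeated verbatim in each of the twelve per-distro scripts in this patch; a one-line comment such as "# ask compress.sh to relabel (or schedule a relabel of) the guest" next to it would tell the next reader what the flag selects, and since compress.sh is `source`d rather than executed the plain (unexported) assignment is what makes it visible there, which is worth stating so nobody "fixes" it to `export` or moves it after the `source` line.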
> diff --git a/builder/website/compress.sh b/builder/website/compress.sh
> index 2148804..4e09bf3 100644
> --- a/builder/website/compress.sh
> +++ b/builder/website/compress.sh
> @@ -20,10 +20,26 @@
>  
>  output=$1
>  
> +relabel_args=()
> +
> +if [ -n "$DO_RELABEL" ]; then
> +    os_arch=$(uname -m)
> +    guest_arch=$(virt-inspector -a "$output" | virt-inspector --xpath "string(/operatingsystems/operatingsystem/arch)")
> +
> +    if [ "$os_arch" = "$guest_arch" ] || [ "$os_arch" = "x86_64" -a "$guest_arch" = "i386" ]; then
> +        # this is what --selinux-relabel should really do, but do it ourselves
> +        # in the meanwhile -- see RHBZ#1089100.
> +        relabel_args+=(--run-command "setfiles /etc/selinux/targeted/contexts/files/file_contexts /")
> +    else
> +        relabel_args+=(--selinux-relabel)
> +    fi
> +
> +fi
> +
>  # Sysprep (removes logfiles and so on).
>  # Note this also touches /.autorelabel so the further installation
>  # changes that we make will be labelled properly at first boot.
> -virt-sysprep -a $output
> +virt-sysprep -a $output "${relabel_args[@]}"
>  
>  # Sparsify.
>  mv $output $output.old
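Review bot: the commit message says the relabel is done "if the guest uses SELinux", but the `if [ -n "$DO_RELABEL" ]` block never checks that: on a same-arch host it always adds `--run-command "setfiles /etc/selinux/targeted/contexts/files/file_contexts /"`, which hard-codes the targeted policy and will fail inside a guest that has no policy installed or whose /etc/selinux/config sets a different SELINUXTYPE. Suggest testing for the file_contexts file in the guest before appending the --run-command, and deriving the policy name from SELINUXTYPE instead of the literal "targeted". Three smaller points: `-n` treats any non-empty value as enabled, so `DO_RELABEL=0` would still relabel; `[ "$DO_RELABEL" = 1 ]` matches how the callers set it. The `[ ... -a ... ]` form of test is the deprecated one; `[ "$os_arch" = x86_64 ] && [ "$guest_arch" = i386 ]` reads the same. And the comment above the virt-sysprep call still says the image is relabelled at first boot via /.autorelabel, which is now only true of the `--selinux-relabel` branch; the same-arch branch relabels the image directly, so the comment should describe both paths (and `$output` on that line could be quoted like the array is).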
> diff --git a/builder/website/fedora-aarch64.sh b/builder/website/fedora-aarch64.sh
> index 8c7c1b9..1de834d 100755
> --- a/builder/website/fedora-aarch64.sh
> +++ b/builder/website/fedora-aarch64.sh
> @@ -103,4 +103,6 @@ virt-install \
>  cp $vars $output-nvram
>  xz --best $output-nvram
>  
> +DO_RELABEL=1
> +
>  source $(dirname "$0")/compress.sh $output
> diff --git a/builder/website/fedora-armv7l.sh b/builder/website/fedora-armv7l.sh
> index 1de9b93..ece95c3 100755
> --- a/builder/website/fedora-armv7l.sh
> +++ b/builder/website/fedora-armv7l.sh
> @@ -92,4 +92,6 @@ virt-install \
>      --nographics \
>      --noreboot
>  
> +DO_RELABEL=1
> +
>  source $(dirname "$0")/compress.sh $output
> diff --git a/builder/website/fedora-i686.sh b/builder/website/fedora-i686.sh
> index ccae8ab..92d3f21 100755
> --- a/builder/website/fedora-i686.sh
> +++ b/builder/website/fedora-i686.sh
> @@ -100,4 +100,6 @@ virt-install \
>      --nographics \
>      --noreboot
>  
> +DO_RELABEL=1
> +
>  source $(dirname "$0")/compress.sh $output
> diff --git a/builder/website/fedora-ppc64.sh b/builder/website/fedora-ppc64.sh
> index b664e04..c8eafe2 100755
> --- a/builder/website/fedora-ppc64.sh
> +++ b/builder/website/fedora-ppc64.sh
> @@ -92,4 +92,6 @@ virt-install \
>      --nographics \
>      --noreboot
>  
> +DO_RELABEL=1
> +
>  source $(dirname "$0")/compress.sh $output
> diff --git a/builder/website/fedora-ppc64le.sh b/builder/website/fedora-ppc64le.sh
> index 351b569..8645ab4 100755
> --- a/builder/website/fedora-ppc64le.sh
> +++ b/builder/website/fedora-ppc64le.sh
> @@ -92,4 +92,6 @@ virt-install \
>      --nographics \
>      --noreboot
>  
> +DO_RELABEL=1
> +
>  source $(dirname "$0")/compress.sh $output
> diff --git a/builder/website/fedora.sh b/builder/website/fedora.sh
> index 8e48ce1..8911d14 100755
> --- a/builder/website/fedora.sh
> +++ b/builder/website/fedora.sh
> @@ -100,4 +100,6 @@ virt-install \
>      --nographics \
>      --noreboot
>  
> +DO_RELABEL=1
> +
>  source $(dirname "$0")/compress.sh $output
> diff --git a/builder/website/rhel-aarch64.sh b/builder/website/rhel-aarch64.sh
> index a8d1019..467d43b 100755
> --- a/builder/website/rhel-aarch64.sh
> +++ b/builder/website/rhel-aarch64.sh
> @@ -159,4 +159,6 @@ cp $vars $output-nvram
>  guestfish --rw -a $output -m $guestroot \
>    upload $yum /etc/yum.repos.d/download.devel.redhat.com.repo
>  
> +DO_RELABEL=1
> +
>  source $(dirname "$0")/compress.sh $output
> diff --git a/builder/website/rhel-ppc64.sh b/builder/website/rhel-ppc64.sh
> index 48d6280..32148ae 100755
> --- a/builder/website/rhel-ppc64.sh
> +++ b/builder/website/rhel-ppc64.sh
> @@ -140,4 +140,6 @@ virt-install \
>  guestfish --rw -a $output -m $guestroot \
>    upload $yum /etc/yum.repos.d/download.devel.redhat.com.repo
>  
> +DO_RELABEL=1
> +
>  source $(dirname "$0")/compress.sh $output
> diff --git a/builder/website/rhel-ppc64le.sh b/builder/website/rhel-ppc64le.sh
> index a6dcc5b..9169b12 100755
> --- a/builder/website/rhel-ppc64le.sh
> +++ b/builder/website/rhel-ppc64le.sh
> @@ -140,4 +140,6 @@ virt-install \
>  guestfish --rw -a $output -m $guestroot \
>    upload $yum /etc/yum.repos.d/download.devel.redhat.com.repo
>  
> +DO_RELABEL=1
> +
>  source $(dirname "$0")/compress.sh $output
> diff --git a/builder/website/rhel.sh b/builder/website/rhel.sh
> index 0c64563..fcb7315 100755
> --- a/builder/website/rhel.sh
> +++ b/builder/website/rhel.sh
> @@ -225,4 +225,6 @@ guestfish --rw -a $output -m $guestroot \
>    upload $yum /etc/yum.repos.d/download.devel.redhat.com.repo
>  fi
>  
> +DO_RELABEL=1
> +
>  source $(dirname "$0")/compress.sh $output
> diff --git a/builder/website/scientificlinux.sh b/builder/website/scientificlinux.sh
> index f3f8948..2cd2c8f 100755
> --- a/builder/website/scientificlinux.sh
> +++ b/builder/website/scientificlinux.sh
> @@ -86,4 +86,6 @@ virt-install \
>      --nographics \
>      --noreboot
>  
> +DO_RELABEL=1
> +
>  source $(dirname "$0")/compress.sh $output
> -- 
> 2.5.5
> 
> _______________________________________________
> Libguestfs mailing list
> Libguestfs at redhat.com
> https://www.redhat.com/mailman/listinfo/libguestfs

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-p2v converts physical machines to virtual machines.  Boot with a
live CD or over the network (PXE) and turn machines into KVM guests.
http://libguestfs.org/virt-v2v