[Libguestfs] [PATCH] customize: allow missing SELINUXTYPE in SELinux config

Richard W.M. Jones rjones at redhat.com
Wed Jan 31 15:31:09 UTC 2018


On Wed, Jan 31, 2018 at 12:33:13PM +0100, Pino Toscano wrote:
> libselinux defaults to "targeted" when no SELINUXTYPE is specified in
> /etc/selinux/config.  Hence do the same here, instead of failing because
> of the missing key.
> 
> Add a slow test for checking SELinux relabeling on a Fedora 27 guest,
> both with no changes, and with a modified configuration.
> ---
>  customize/Makefile.am            |  2 ++
>  customize/SELinux_relabel.ml     | 14 ++++++++++--
>  customize/test-selinuxrelabel.sh | 49 ++++++++++++++++++++++++++++++++++++++++
>  3 files changed, 63 insertions(+), 2 deletions(-)
>  create mode 100755 customize/test-selinuxrelabel.sh
> 
> diff --git a/customize/Makefile.am b/customize/Makefile.am
> index a22e25c46..7f18b2fc3 100644
> --- a/customize/Makefile.am
> +++ b/customize/Makefile.am
> @@ -23,6 +23,7 @@ EXTRA_DIST = \
>  	customize_main.ml \
>  	test-firstboot.sh \
>  	test-password.pl \
> +	test-selinuxrelabel.sh \
>  	test-settings.sh \
>  	test-virt-customize.sh \
>  	test-virt-customize-docs.sh \
> @@ -225,6 +226,7 @@ check-valgrind:
>  SLOW_TESTS = \
>  	$(firstboot_test_scripts) \
>  	$(password_test_scripts) \
> +	test-selinuxrelabel.sh \
>  	$(settings_test_scripts)
>  
>  check-slow:
> diff --git a/customize/SELinux_relabel.ml b/customize/SELinux_relabel.ml
> index d404c35fa..e7d440c29 100644
> --- a/customize/SELinux_relabel.ml
> +++ b/customize/SELinux_relabel.ml
> @@ -37,8 +37,18 @@ let relabel (g : G.guestfs) =
>        g#aug_load ();
>        debug_augeas_errors g;
>  
> -      (* Get the SELinux policy name, eg. "targeted", "minimum". *)
> -      let policy = g#aug_get "/files/etc/selinux/config/SELINUXTYPE" in
> +      (* Get the SELinux policy name, eg. "targeted", "minimum".
> +       * Use "targeted" if not specified, just like libselinux does.
> +       *)
> +      let policy =
> +        let config_path = "/files/etc/selinux/config" in
> +        let selinuxtype_path = config_path ^ "/SELINUXTYPE" in
> +        let keys = g#aug_ls config_path in
> +        if Array.mem selinuxtype_path keys then
> +          g#aug_get selinuxtype_path
> +        else
> +          "targeted" in
> +
>        g#aug_close ();
>  
>        (* Get the spec file name. *)
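Review bot: The value returned by `g#aug_get selinuxtype_path` comes from the guest's own configuration file and is used unchecked, so a key that is present but empty, or one that contains `/`, is passed on as the policy name. The spec file name computed just after this hunk presumably embeds `policy` in a path (that code is outside the hunk), so an empty value should be treated like a missing key, for example `match g#aug_get selinuxtype_path with "" -> "targeted" | p -> p`, and names containing `/` should be rejected before use. The fallback is also silent; a debug message in the `else` branch noting that "targeted" was assumed would make a relabel against the wrong policy easier to diagnose. `relabel` begins before and continues after this hunk.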
> diff --git a/customize/test-selinuxrelabel.sh b/customize/test-selinuxrelabel.sh
> new file mode 100755
> index 000000000..d13c0356c
> --- /dev/null
> +++ b/customize/test-selinuxrelabel.sh
> @@ -0,0 +1,49 @@
> +#!/bin/bash -
> +# Test SELinux relabel functionality.
> +# Copyright (C) 2018 Red Hat Inc.
> +#
> +# This program is free software; you can redistribute it and/or modify
> +# it under the terms of the GNU General Public License as published by
> +# the Free Software Foundation; either version 2 of the License, or
> +# (at your option) any later version.
> +#
> +# This program is distributed in the hope that it will be useful,
> +# but WITHOUT ANY WARRANTY; without even the implied warranty of
> +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
> +# GNU General Public License for more details.
> +#
> +# You should have received a copy of the GNU General Public License
> +# along with this program; if not, write to the Free Software
> +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
> +
> +# This slow test checks that SELinux relabel works.
> +
> +set -e
> +
> +$TEST_FUNCTIONS
> +slow_test
> +
> +guestname="fedora-27"
> +
> +disk="selinuxrelabel.img"
> +disk_overlay="selinuxrelabel-overlay.qcow2"
> +rm -f "$disk"
> +
> +skip_unless_virt_builder_guest "$guestname"
> +
> +# Build a guest (using virt-builder).
> +virt-builder "$guestname" --quiet -o "$disk"
> +
> +# Test #1: relabel with the default configuration works.
> +rm -f  "$disk_overlay"
> +guestfish -- disk-create "$disk_overlay" qcow2 -1 backingfile:"$disk"
> +virt-customize -a "$disk" --selinux-relabel
> +
> +# Test #2: relabel with no SELINUXTYPE in the configuration.
> +rm -f  "$disk_overlay"
> +guestfish -- disk-create "$disk_overlay" qcow2 -1 backingfile:"$disk"
> +virt-customize -a "$disk" \
> +  --edit /etc/selinux/config:"s,^SELINUXTYPE=,#&,g" \
> +  --selinux-relabel
> +
> +rm "$disk" "$disk_overlay"
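Review bot: Both `virt-customize` invocations pass `-a "$disk"`, so the overlay created by `disk-create` just before each one is never used and the base image is modified in place. Test #2 therefore runs on a guest that test #1 has already relabelled, and writing to the backing file after the overlay exists leaves that overlay inconsistent. Use `virt-customize -a "$disk_overlay" --selinux-relabel` in test #1 and `-a "$disk_overlay"` in test #2. Because of `set -e`, a failing step also skips the final `rm`, so a `trap` that removes both images on exit would keep failed runs from leaving them behind.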

ACK, thanks.

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-p2v converts physical machines to virtual machines.  Boot with a
live CD or over the network (PXE) and turn machines into KVM guests.
http://libguestfs.org/virt-v2v



