[Libguestfs] [common PATCH 3/3] mlcustomize: do not relabel if not enforcing (RHBZ#1828952)

Pino Toscano ptoscano at redhat.com
Wed Sep 23 15:57:50 UTC 2020


Do not attempt to relabel a guest in case its SELinux enforcing mode is
not "enforcing", as it is either pointless, or it may fail because of an
invalid policy configured.
---
 mlcustomize/SELinux_relabel.ml | 26 +++++++++++++++++++++++++-
 1 file changed, 25 insertions(+), 1 deletion(-)

diff --git a/mlcustomize/SELinux_relabel.ml b/mlcustomize/SELinux_relabel.ml
index 647aeda..db00e59 100644
--- a/mlcustomize/SELinux_relabel.ml
+++ b/mlcustomize/SELinux_relabel.ml
@@ -24,6 +24,9 @@ open Printf
 
 module G = Guestfs
 
+exception SELinux_not_enforcing
+(* Interal exception to signal a non-enforcing SELinux. *)
+
 (* Simple reimplementation of Array.mem, available only with OCaml >= 4.03. *)
 let array_find a l =
   List.mem a (Array.to_list l)
@@ -35,12 +38,18 @@ let rec relabel (g : G.guestfs) =
       use_setfiles g;
       (* That worked, so we don't need to autorelabel. *)
       g#rm_f "/.autorelabel"
-    with Failure _ ->
+    with
+    | Failure _ ->
       (* This is the fallback in case something in the setfiles
        * method didn't work.  That includes the case where a non-SELinux
        * host is processing an SELinux guest, and other things.
        *)
       g#touch "/.autorelabel"
+    | SELinux_not_enforcing ->
+      (* This means that SELinux was not configured to be in enforcing mode,
+       * so silently accept this.
+       *)
+      ()
   )
 
 and is_selinux_guest g =
@@ -59,6 +68,21 @@ and use_setfiles g =
   g#aug_load ();
   debug_augeas_errors g;
 
+  (* Get the SELinux enforcing mode, eg "enforcing", "permissive",
+   * "disabled".
+   * Use "disabled" if not specified, just like libselinux seems to do.
+   *)
+  let typ = read_selinux_config_key g "SELINUX" "disabled" in
+  (* Do not attempt any relabelling if the SELinux is not "enforcing":
+   * - in "permissive" mode SELinux is still running, however nothing is
+   *   enforced: this means labels can be wrong, and "it is fine"
+   * - when "disabled" means SELinux is not running, so any relabelling
+   *   is pointless (other than potentially fail due to an invalid
+   *   SELINUXTYPE configuration)
+   *)
+  if typ <> "enforcing" then
+    raise SELinux_not_enforcing;
+
   (* Get the SELinux policy name, eg. "targeted", "minimum".
    * Use "targeted" if not specified, just like libselinux does.
    *)
-- 
2.26.2




More information about the Libguestfs mailing list