[Libguestfs] SELinux relabeling: do it by default

Laszlo Ersek lersek at redhat.com
Tue May 10 10:09:38 UTC 2022


Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1554735
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2075718

I'm going to post four patches or patch-sets in response to this email.
Due to how the libguestfs-common module is organized & consumed, and how
the generator in libguestfs works, this work is very awkward. (See more
below.)

The idea is to *replace* "--selinux-relabel" with
"--no-selinux-relabel", and to invert the SELinux relabeling choice:
that is, to do it by default, and allow users to prevent it with
"--no-selinux-relabel" if they so desire. This is being requested in the
above two BZs.

I've intentionally avoided introducing "--no-selinux-relabel" *in
addition* to "--selinux-relabel". While some utilities support a similar
dual form (such as virt-builder's "--network" and "--no-network"), with
one being the default, those options are special in that they are *not
shared* between different utilities, and they are not generated by the
generator in libguestfs. The key difference is that the *non-shared*
options use Getopt.Set and Getopt.Clear on the *same* boolean reference
cell, whereas the generator introduces a *separate* boolean reference
cell for each option it generates (and then it uses *either*
Getopt.Clear *or* Getopt.Set when the option is passed on the command
line, dependent on the default value of the reference cell). This means
that "--no-selinux-relabel" and "--selinux-relabel", if they both
existed, would work on different booleans, and that would be the source
of a lot of fun (priority? command line order? documentation? etc etc).
So, nope to that.

Back to the structuring of these patches / patch sets. The generator
lives and runs solely in libguestfs. However, it also generates code
that is owned by libguestfs-common. Normally we don't notice, because
the generator overwrites "common" submodule contents with identical
files; thus, "git" does not complain about the submodule checkout being
modified locally. This no longer holds with these patches. Therefore:

- as first step, libguestfs needs to be modified

- the generator is run as a part of "make", which creates a local diff
  in the "common" submodule checkout under the libguestfs worktree

- that diff is reflected to, and captured as a commit, in
  libguestfs-common

- this returns libguestfs to an "everything in sync" state, but more
  importantly

- it exposes the new stuff to virt-v2v and guestfs-tools,

- virt-v2v and guestfs-tools need to be updated to consider the
  disappearance of "--selinux-relabel".

The fact that documentation and test cases are shared in various ways
only makes this more complicated. For example, the virt-builder(1)
manual discusses SELinux in *both* the auto-generated (shared) section
and the private (non-shared) section.

One thing to note is that libguestfs itself does not *consume* the
particular "common" contents that it generates. Therefore we don't have
a reference loop in practice. What we have is this dependency graph:

  libguestfs (generator)
            |
            v
  libguestfs-common (generated content)
       /              \
       v               v
   guestfs-tools     virt-v2v

Because of that, the usual "update common submodule" hunk *need not* be
squashed into the libguestfs (generator) patches, when merging this.
However, said "update common submodule" hunk does have to be squashed
into the (single) guestfs-tools and virt-v2v patches, when merging.

I meticulously tested this stuff:

- libguestfs:

  - "make check" and "make check-slow" complete fine

  - There is no documentation (under the "website/" subdir) that is
    updated by the patches.

- guestfs-tools:

  - Checked the rendered documentation regarding "--no-selinux-relabel"
    that comes from "common":

      virt-builder.1.html
      virt-customize.1.html
      virt-sysprep.1.html

  - Checked the rendered documentation changes that come from
    guestfs-tools itself:

      virt-builder.1.html

  - Checked the "--help" output of:

      virt-builder
      virt-customize
      virt-sysprep

  - "make check" completes OK.

  - "make check-slow" completes OK:

    - PASS for test-firstboot-*.sh (Linux guests -- Windows guests are
      SKIPped),

    - same for test-settings-*.sh

      - except for "test-settings-ubuntu-18.04.sh". It fails for an
        independent reason: "libguestfs: error: download:
        /etc/sysconfig/network: No such file or directory"

    - PASS for test-selinuxrelabel.sh

    - "test-console-ubuntu-20.04.sh" fails for an independent reason:
      "didn't see login banner in serial console output" -- but no
      serial output was actually shown in the log.

- virt-v2v:

  - "make check" completes OK.

  - "make check-slow" completes fine

    - in particular, PASS for test-v2v-conversion-of-*.sh (Linux guests
      -- Windows guests are SKIPped)

Thanks,
Laszlo
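The Getopt.Set / Getopt.Clear distinction discussed in the message above (one shared reference cell for a hand-written option pair, versus one separate cell per generator-produced option) can be illustrated in a few lines of OCaml. This is an added example written for this page, not libguestfs code: it uses the stdlib Arg module as a stand-in for libguestfs-common's Getopt (Arg.Set and Arg.Clear take a bool ref, as the message describes for the Getopt constructors), and the option names, defaults and command lines are constructed for illustration.

```ocaml
(* Added illustration, not libguestfs code. OCaml's stdlib Arg module is
   used as a stand-in for libguestfs-common's Getopt: Arg.Set and
   Arg.Clear act on a bool ref, as the mail describes for Getopt. *)

(* Style 1: a hand-written, non-shared pair such as virt-builder's
   --network / --no-network. Both options act on ONE reference cell, so
   the last occurrence on the command line wins and there is nothing to
   reconcile afterwards. *)
let parse_shared (argv : string array) : bool =
  let network = ref true in                       (* default: enabled *)
  let specs = [
    "--network",    Arg.Set network,   " Enable network access (default)";
    "--no-network", Arg.Clear network, " Disable network access";
  ] in
  (* ~current:(ref 0) keeps each call independent of Arg's global cursor. *)
  Arg.parse_argv ~current:(ref 0) argv specs (fun _ -> ()) "usage";
  !network

(* Style 2: what the generator would emit if --selinux-relabel and
   --no-selinux-relabel BOTH existed as generated options: a separate
   reference cell per option, each flipped from its own default when the
   option is passed. Nothing links the two cells. *)
let parse_separate (argv : string array) : bool * bool =
  let selinux_relabel = ref false in    (* default false, so Set *)
  let no_selinux_relabel = ref false in (* default false, so Set *)
  let specs = [
    "--selinux-relabel",    Arg.Set selinux_relabel,    " Relabel";
    "--no-selinux-relabel", Arg.Set no_selinux_relabel, " Do not relabel";
  ] in
  Arg.parse_argv ~current:(ref 0) argv specs (fun _ -> ()) "usage";
  (!selinux_relabel, !no_selinux_relabel)

let () =
  (* Constructed command lines; element 0 is the program name. *)
  assert (parse_shared [| "virt-builder"; "--no-network"; "--network" |] = true);
  assert (parse_shared [| "virt-builder"; "--network"; "--no-network" |] = false);
  (* With separate cells the order is irrelevant and both end up true, so
     the tool itself would have to invent a precedence rule: exactly the
     ambiguity the mail avoids by dropping --selinux-relabel entirely. *)
  assert (parse_separate
            [| "virt-customize"; "--selinux-relabel"; "--no-selinux-relabel" |]
          = (true, true));
  assert (parse_separate
            [| "virt-customize"; "--no-selinux-relabel"; "--selinux-relabel" |]
          = (true, true));
  print_endline "ok"
```

Run it with `ocaml getopt_demo.ml` (any recent OCaml; only the standard library is used). The shared-cell variant gives last-wins semantics for free, while the separate-cell variant leaves the caller holding two booleans that can both be true, which is the "priority? command line order?" problem the message describes.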
