[Libguestfs] [guestfs-tools PATCH] adopt inversion of SELinux relabeling in virt-customize

Laszlo Ersek lersek at redhat.com
Tue May 10 10:50:46 UTC 2022


Remove "--selinux-relabel" options.

Do not add any "--no-selinux-relabel" options; rely on the internal check
for SELinux support instead ("is_selinux_guest" in
"common/mlcustomize/SELinux_relabel.ml").

"--no-selinux-relabel" becomes a real option for virt-sysprep now.
(Again?)

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1554735
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2075718
Signed-off-by: Laszlo Ersek <lersek at redhat.com>
---
 builder/templates/make-template.ml |  8 +-------
 customize/customize_run.ml         |  2 +-
 sysprep/main.ml                    |  2 --
 builder/virt-builder.pod           | 20 ++++----------------
 customize/test-settings.sh         |  3 ---
 sysprep/test-virt-sysprep-docs.sh  |  2 +-
 6 files changed, 7 insertions(+), 30 deletions(-)

diff --git a/builder/templates/make-template.ml b/builder/templates/make-template.ml
index d87349404ee4..58603242670b 100755
--- a/builder/templates/make-template.ml
+++ b/builder/templates/make-template.ml
@@ -256,8 +256,7 @@ let rec main () =
     printf "Sysprepping ...\n%!";
     let cmd =
       sprintf "virt-sysprep --quiet -a %s%s"
-              (quote tmpout)
-              (if is_selinux_os os then " --selinux-relabel" else "") in
+              (quote tmpout) in
     if Sys.command cmd <> 0 then exit 1
   );
 
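Review bot: The format string on the unchanged line of this hunk still reads `"virt-sysprep --quiet -a %s%s"`, but only `(quote tmpout)` is now passed, so `sprintf` returns a partial application of type `string -> string` and `Sys.command cmd` should no longer type-check. Drop the second conversion so the call becomes `sprintf "virt-sysprep --quiet -a %s"`. Keeping `quote` around `tmpout` is correct, because the string is handed to the shell through `Sys.command`. `main` begins and ends outside this hunk.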
@@ -480,11 +479,6 @@ and can_sysprep_os = function
   | Debian _ | Ubuntu _ -> true
   | FreeBSD _ | Windows _ -> false
 
-and is_selinux_os = function
-  | RHEL _ | Alma _ | CentOS _ | CentOSStream _ | Fedora _ -> true
-  | Debian _ | Ubuntu _
-  | FreeBSD _ | Windows _ -> false
-
 and needs_uefi os arch =
   match os, arch with
   | Fedora _, Armv7
diff --git a/customize/customize_run.ml b/customize/customize_run.ml
index f2ee20413ece..99b5fe14d849 100644
--- a/customize/customize_run.ml
+++ b/customize/customize_run.ml
@@ -415,7 +415,7 @@ let run (g : G.guestfs) root (ops : ops) =
       warning (f_"passwords could not be set for this type of guest")
   );
 
-  if ops.flags.selinux_relabel then (
+  if not ops.flags.no_selinux_relabel then (
     message (f_"SELinux relabelling");
     SELinux_relabel.relabel g
   );
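Review bot: `message (f_"SELinux relabelling")` is now printed for every guest unless `--no-selinux-relabel` is passed, although per the commit message the actual decision is made inside `SELinux_relabel.relabel` (the `is_selinux_guest` check, which is not visible here). On a guest where that check fails, the log would presumably report a relabel that never ran, which misleads anyone auditing whether an image left customization with correct labels. Consider emitting the message from inside `relabel` once the check has passed. A comment here would also help, for example `(* on by default; SELinux_relabel.relabel is expected to skip guests without SELinux *)`. `run` starts and ends outside this hunk.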
diff --git a/sysprep/main.ml b/sysprep/main.ml
index 087d1a17f3e8..b760618ad58a 100644
--- a/sysprep/main.ml
+++ b/sysprep/main.ml
@@ -132,8 +132,6 @@ let main () =
       [ L"mount-options" ], Getopt.Set_string (s_"opts", mount_opts),  s_"Set mount options (eg /:noatime;/var:rw,noatime)";
       [ L"network" ], Getopt.Set network,           s_"Enable appliance network";
       [ L"no-network" ], Getopt.Clear network,      s_"Disable appliance network (default)";
-      [ L"no-selinux-relabel" ], Getopt.Unit (fun () -> ()),
-                                              s_"Compatibility option, does nothing";
       [ L"operation"; L"operations" ],  Getopt.String (s_"operations", set_operations), s_"Enable/disable specific operations";
     ] in
     let args = basic_args @ Sysprep_operation.extra_args () in
diff --git a/builder/virt-builder.pod b/builder/virt-builder.pod
index f7dd6cdad533..aeb505296887 100644
--- a/builder/virt-builder.pod
+++ b/builder/virt-builder.pod
@@ -131,12 +131,6 @@ To update the installed packages to the latest version:
 
  virt-builder debian-7 --update
 
-For guests which use SELinux, like Fedora and Red Hat Enterprise
-Linux, you may need to do SELinux relabelling after installing or
-updating packages (see L</SELINUX> below):
-
- virt-builder fedora-27 --update --selinux-relabel
-
 =head2 Customizing the installation
 
 There are many options that let you customize the installation.  These
@@ -972,7 +966,7 @@ command line.
 
 =item *
 
-SELinux relabelling is done (I<--selinux-relabel>).
+SELinux relabelling is done unless disabled with I<--no-selinux-relabel>.
 
 =back
 
@@ -1072,8 +1066,7 @@ A typical virt-builder command would be:
    --install puppet \
    --append-line '/etc/puppet/puppet.conf:[agent]' \
    --append-line '/etc/puppet/puppet.conf:server = puppetmaster.example.com/' \
-   --run-command 'systemctl enable puppet' \
-   --selinux-relabel
+   --run-command 'systemctl enable puppet'
 
 The precise instructions vary according to the Linux distro.  For
 further information see:
@@ -1753,14 +1746,14 @@ two possible strategies it can use to ensure correct labelling:
 
 =over 4
 
-=item Using I<--selinux-relabel>
+=item Automatic relabeling
 
 This runs L<setfiles(8)> just before finalizing the guest, which sets
 SELinux labels correctly in the disk image.
 
 This is the recommended method.
 
-=item I<--touch> F</.autorelabel>
+=item Using I<--no-selinux-relabel> I<--touch> F</.autorelabel>
 
 Guest templates may already contain a file called F</.autorelabel> or
 you may touch it.
@@ -1771,11 +1764,6 @@ them, which is normal and harmless.
 
 =back
 
-Please note that if your guest uses SELinux, and you are doing operations
-on it which might create new files or change existing ones, you are
-recommended to use I<--selinux-relabel>.  This will help in making sure
-that files have the right SELinux labels.
-
 =head1 MACHINE READABLE OUTPUT
 
 The I<--machine-readable> option can be used to make the output more
diff --git a/customize/test-settings.sh b/customize/test-settings.sh
index ed4c90f2eb37..e8b492dd15be 100755
--- a/customize/test-settings.sh
+++ b/customize/test-settings.sh
@@ -61,9 +61,6 @@ case "$guestname" in
         extra[${#extra[*]}]='/etc/inittab:
                                 s,^#([1-9].*respawn.*/sbin/getty.*),$1,'
         ;;
-    fedora*|rhel*|centos*)
-        extra[${#extra[*]}]='--selinux-relabel'
-        ;;
     *)
         ;;
 esac
diff --git a/sysprep/test-virt-sysprep-docs.sh b/sysprep/test-virt-sysprep-docs.sh
index 51500b5e9799..9d0298d68557 100755
--- a/sysprep/test-virt-sysprep-docs.sh
+++ b/sysprep/test-virt-sysprep-docs.sh
@@ -25,4 +25,4 @@ $top_srcdir/podcheck.pl "$srcdir/virt-sysprep.pod" virt-sysprep \
     --path $top_srcdir/common/options \
     --insert sysprep-extra-options.pod:__EXTRA_OPTIONS__ \
     --insert sysprep-operations.pod:__OPERATIONS__ \
-    --ignore=--dryrun,--dump-pod,--dump-pod-options,--no-selinux-relabel
+    --ignore=--dryrun,--dump-pod,--dump-pod-options
-- 
2.19.1.3.g30247aa5d201


