[libvirt] [Libguestfs] [PATCH tck] Relabel SELinux when customizing virt-builder image

Richard W.M. Jones rjones at redhat.com
Wed Feb 7 11:10:25 UTC 2018


On Tue, Feb 06, 2018 at 12:50:51PM -0500, Laine Stump wrote:
> On 02/06/2018 10:53 AM, Pino Toscano wrote:
> > On Tuesday, 6 February 2018 16:40:04 CET Daniel P. Berrangé wrote:
> >> When you tell virt-builder to install extra RPMs, this potentially
> >> loses the SELinux labelling that Anaconda had originally set up. Thus we
> >> must tell virt-builder to enable SELinux relabelling.
> >>
> >> Signed-off-by: Daniel P. Berrangé <berrange at redhat.com>
> >> ---
> >>  lib/Sys/Virt/TCK.pm | 2 +-
> >>  1 file changed, 1 insertion(+), 1 deletion(-)
> >>
> >> diff --git a/lib/Sys/Virt/TCK.pm b/lib/Sys/Virt/TCK.pm
> >> index e9da8d2..b39f578 100644
> >> --- a/lib/Sys/Virt/TCK.pm
> >> +++ b/lib/Sys/Virt/TCK.pm
> >> @@ -405,7 +405,7 @@ sub create_virt_builder_disk {
> >>      }
> >>  
> >>      print "# running virt-builder $osname\n";
> >> -    system "virt-builder", "--install", "dsniff", "--root-password", "password:$password", "--output", $target, $osname;
> >> +    system "virt-builder", "--install", "dsniff", "--selinux-relabel", "--root-password", "password:$password", "--output", $target, $osname;
> >>  
> >>      die "cannot run virt-builder: $?" if $? != 0;
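Review bot: the added `--selinux-relabel` on the `system` line is applied unconditionally to every image this helper builds, which is the right call here (the flag is needed for guests whose labels were lost by the `--install` step and is harmless for guests without SELinux), but the commit message should say so explicitly rather than implying it is Fedora-specific. Separately, the unchanged `--root-password`, `"password:$password"` arguments pass the root password on the command line, where it is visible to other users in the process listing; supplying it through a file or another non-argv mechanism would be a worthwhile follow-up in the same function.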
> > 
> > Reviewed-by: Pino Toscano <ptoscano at redhat.com>
> > 
> 
> This change works, but since the original image came from virt-builder,
> and virt-builder knows enough about the image to know that it should
> install packages with dnf (or yum or apt-get or whatever is appropriate
> for any given image), it should also have enough info available to
> determine on its own that the selinux labels need to be redone.
> Especially since the Fedora images provided by virt-builder have selinux
> set to enforcing, I think the default behavior in this case should be
> for virt-builder to relabel.
> 
> This patch fixes the problem for libvirt-tck, but I can imagine that
> this same problem will be revisited time after time on IRC and the
> libguestfs mailing list (once the user takes the obligatory
> troubleshooting trip to discover the source of the problem). In this
> case the initial symptom was "a guest that was never logged into by a
> human was failing an automated test". There were several steps from
> there to "dhcpc was failing to get an IP address due to bad selinux
> labels", and then learning via IRC that the labels were incorrect
> because extra packages are installed with the image mounted on the
> libguestfs appliance, which runs with selinux disabled.
> 
> What is preventing virt-builder from automatically making a correct
> determination about whether or not relabeling must be done?

Yes, in fact I think it could go further and just call
SELinux_relabel.relabel on every guest, since that code just ignores
non-SELinux guests.

Basically the reasons it doesn't do this are historical and possibly a
fear of breaking if some guest has broken SELinux files.  We could
retain the ‘--no-selinux-relabel’ flag to mean don't do any
relabelling.

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
libguestfs lets you edit virtual machines.  Supports shell scripting,
bindings from many languages.  http://libguestfs.org
