[virt-tools-list] virt-bootstrap: libvirt and SELinux issues

Fabiano Fidêncio fidencio at redhat.com
Mon Jun 11 15:35:54 UTC 2018


On Mon, Jun 11, 2018 at 5:34 PM, Fabiano Fidêncio <fidencio at redhat.com> wrote:
> So, several things ...
>
> On Mon, Jun 11, 2018 at 4:41 PM, Richard W.M. Jones <rjones at redhat.com> wrote:
>> (Adding virt-tools-list)
>>
>> On Fri, Jun 08, 2018 at 02:20:22PM +0200, Timothée Floure wrote:
>>> Hello,
>>>
>>> I'm trying to package virt-bootstrap [0], but various tests fail due to
>>> SELinux. I know some SELinux basics from Red Hat's SELinux manual [1],
>>> but am unsure about how to approach the issue.
>
> virt-bootstrap is already part of Fedora28+.

And a link for the builds:
https://koji.fedoraproject.org/koji/packageinfo?packageID=27008

>
>>>
>>> For example, the following command - extracted from a failing test -
>>> fails due to SELinux:
>>>
>>> ```
>>> virt-sandbox -c qemu:///session --name=bootstrap_26639 -m host-bind:/mnt=/tmp/tmps77ywg1n_bootstrap_dest -- /bin/tar xf /tmp/tmp8gca1fzq_bootstrap_tarfiles/b52c708f02ff0ee783331f23f723ed9123dfc72994e19d1c33f3bd5db723007a.tar -C /mnt --exclude "dev/*" --overwrite --absolute-names
>>> ```
>>>
>>> ```
>>> type=AVC msg=audit(1525329618.892:19448): avc:  denied  { read } for  pid=31860 comm="qemu-system-x86" name="config" dev="dm-3" ino=4589515 scontext=unconfined_u:unconfined_r:svirt_t:s0:c422,c725 tcontext=unconfined_u:object_r:gconf_home_t:s0 tclass=dir permissive=0
>>> ```
>
> This is something that, IMO, should be reported as an issue for the
> selinux-policy component. But maybe virt-sandbox/qemu maintainers have
> a different opinion here.
>
>>>
>>> I also attached the related specfile to this email. I would appreciate
>>> it if someone could take a few minutes to redirect me.
>>>
>>>
>>> [0] https://github.com/virt-manager/virt-bootstrap
>>> [1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/part_i-selinux
>>>
>>> Thanks!
>>>
>>> --
>>> Timothée Floure
>>
>>> %global debug_package %{nil}
>>>
>>> Name:     virt-bootstrap
>>> Version:  1.0.0
>>> Release:  1%{?dist}
>>> Summary:  Easy way to setup the root file system for libvirt-based containers
>>>
>>> License:  GPLv3
>>> URL:      https://github.com/virt-manager/%{name}
>>> Source0:  https://github.com/virt-manager/%{name}/archive/v%{version}.tar.gz
>>>
>>> BuildArch: noarch
>>> BuildRequires: python3-devel
>>> BuildRequires: perl-podlators
>>> BuildRequires: sed
>>> # Provides virt-sandbox
>>> BuildRequires: libvirt-sandbox
>>> # Provides virt-builder
>>> BuildRequires: libguestfs-tools-c
>>> BuildRequires: python3-libguestfs
>>> BuildRequires: python3-passlib
>>> BuildRequires: python3-mock
>>> Requires: skopeo
>>> # Provides virt-sandbox
>>> Requires: libvirt-sandbox
>>> # Provides virt-builder
>>> Requires: libguestfs-tools-c
>>> Requires: python3-libguestfs
>>> Requires: python3-passlib
>>>
>>> %description
>>> %{summary}.
>>>
>>> %prep
>>> %setup -q
>>>
>>>
>>> %build
>>> %py3_build
>>>
>>> %install
>>> %py3_install
>>>
>>> sed -i 's|#!/usr/bin/env python|#!/usr/bin/python|' \
>>>       %{buildroot}%{python3_sitelib}/virtBootstrap/virt_bootstrap.py
>>>
>>> chmod +x %{buildroot}%{python3_sitelib}/virtBootstrap/virt_bootstrap.py
>>>
>>> %check
>>> %{__python3} setup.py test
>>>
>>> %files
>>> %license LICENSE
>>> %doc README.md
>>> %{_bindir}/%{name}
>>> %{python3_sitelib}/*
>>> %{_mandir}/man1/%{name}.1*
>>>
>>> %changelog
>>> * Mon Apr 30 2018 Timothée Floure <fnux at fedoraproject.org> - 1.0.0-1
>>> - Let there be package
>>
>>> _______________________________________________
>>> devel mailing list -- devel at lists.fedoraproject.org
>>> To unsubscribe send an email to devel-leave at lists.fedoraproject.org
>>> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>>> List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/EYYT6HPMNJXQNFRUR3BA3NLVCFLY6RMA/
>>
>>
>> --
>> Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
>> Read my programming and virtualization blog: http://rwmj.wordpress.com
>> libguestfs lets you edit virtual machines.  Supports shell scripting,
>> bindings from many languages.  http://libguestfs.org
>>
>
> Best Regards,
> --
> Fabiano Fidêncio
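
An added example, not part of the original thread or of virt-bootstrap: a small Python parser for the AVC record quoted above. It splits the source and target contexts so the denial can be summarised, for instance when reporting it against selinux-policy. The function names `parse_avc`, `split_context` and `triage_key` are hypothetical.

```python
import re
import shlex

# AVC record quoted in the thread above (copied from the page, not constructed).
SAMPLE = (
    'type=AVC msg=audit(1525329618.892:19448): avc:  denied  { read } for  '
    'pid=31860 comm="qemu-system-x86" name="config" dev="dm-3" ino=4589515 '
    'scontext=unconfined_u:unconfined_r:svirt_t:s0:c422,c725 '
    'tcontext=unconfined_u:object_r:gconf_home_t:s0 tclass=dir permissive=0'
)

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$'
)


def split_context(ctx):
    """Split user:role:type[:level]; the MLS/MCS level may itself contain ':'."""
    parts = ctx.split(':', 3)
    if len(parts) < 3:
        raise ValueError('malformed security context: %r' % ctx)
    level = parts[3] if len(parts) == 4 else ''
    return {'user': parts[0], 'role': parts[1], 'type': parts[2], 'level': level}


def parse_avc(line):
    """Parse one AVC audit record into a dict; raise ValueError otherwise."""
    m = AVC_RE.search(line.strip())
    if m is None:
        raise ValueError('not an AVC record')
    # key=value pairs; shlex strips the double quotes around comm, name, dev
    fields = dict(t.split('=', 1) for t in shlex.split(m['rest']) if '=' in t)
    return {
        'serial': int(m['serial']),
        'denied': m['result'] == 'denied',
        'enforced': fields.get('permissive') == '0',
        'perms': tuple(m['perms'].split()),
        'source': split_context(fields['scontext']),
        'target': split_context(fields['tcontext']),
        'tclass': fields['tclass'],
        'fields': fields,
    }


def triage_key(rec):
    """Key for grouping denials from a test run: who, on what type, which access."""
    return (rec['source']['type'], rec['target']['type'], rec['tclass'], rec['perms'])


if __name__ == '__main__':
    print(triage_key(parse_avc(SAMPLE)))
```

For the record in the thread, the source is the sVirt domain `svirt_t` with its MCS category pair, and the target is a directory labelled `gconf_home_t`, denied in enforcing mode.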
