Richard W.M. Jones
2014-Jan-21 17:32 UTC
Re: [Libguestfs] virt-builder & virt-sysprep: Avoiding SELinux relabelling
On Tue, Jan 21, 2014 at 12:01:45PM -0500, R P Herrold wrote:
> (5) it can do an additional step at very end of the post
> install:
> restorecon -R /

This doesn't work on its own. I suspect this would work:

    load_policy && restorecon -R /

except it gives an error for me:

    SELinux: Could not downgrade policy file /etc/selinux/targeted/policy/policy.29, searching for an older version.
    SELinux: Could not open policy file <= /etc/selinux/targeted/policy/policy.29: No such file or directory
    load_policy: Can't load policy: No such file or directory

This could be because the kernel of the libguestfs appliance doesn't match the kernel of the guest. (Also I patched my copy of virt-builder to add a call to g#set_selinux true.)

By the way, it's not clear to me that using load_policy is safe in all cases. In virt-builder it would be fine (if it worked), because you should trust the templates. In general, loading an untrusted guest policy into the appliance kernel may not be a great idea.

Rich.

--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
virt-p2v converts physical machines to virtual machines. Boot with a live CD or over the network (PXE) and turn machines into KVM guests. http://libguestfs.org/virt-v2v
R P Herrold
2014-Jan-21 18:31 UTC
Re: [Libguestfs] virt-builder & virt-sysprep: Avoiding SELinux relabelling
On Tue, 21 Jan 2014, Richard W.M. Jones wrote:
> This could be because the kernel of the libguestfs appliance doesn't
> match the kernel of the guest.

We also encounter such problems when re-labelling images not matching the dom0 kernel distribution, and just accept the relabel delay (slow and linear) and second boot (boots are fast) -- but I had hoped you had a solution ;)

--
Russ herrold
Richard W.M. Jones
2014-Jan-21 18:40 UTC
Re: [Libguestfs] virt-builder & virt-sysprep: Avoiding SELinux relabelling
On Tue, Jan 21, 2014 at 01:31:05PM -0500, R P Herrold wrote:
> On Tue, 21 Jan 2014, Richard W.M. Jones wrote:
>
> > This could be because the kernel of the libguestfs appliance doesn't
> > match the kernel of the guest.
>
> We also encounter such problems when re-labelling images not
> matching the dom0 kernel distribution, and just accept the
> relabel delay (slow and linear) and second boot (boots are
> fast) -- but I had hoped you had a solution ;)

Ah well, we do now :-)

The trick is to boot the SELinux guest once, using the magic 'qemu -no-reboot' option -- which will ensure when it tries to reboot itself after relabelling, it instead shuts down.

Full instructions here:

https://github.com/libguestfs/libguestfs/commit/20a4bfde9628cfeb8bea441cab7dcc94843b34e3

Rich.

--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
virt-p2v converts physical machines to virtual machines. Boot with a live CD or over the network (PXE) and turn machines into KVM guests. http://libguestfs.org/virt-v2v
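The boot-once approach from the thread, written out as an added shell example. It is not code from the libguestfs project or from the linked commit; it shows the shape of the procedure: read the guest's own /etc/selinux/config to decide whether a relabel is needed, request a relabel at the guest's next boot via the standard /.autorelabel marker, and build a qemu command line with -no-reboot so the guest's post-relabel reboot becomes a shutdown. The guest root path, the disk image name, and the qemu machine options other than -no-reboot are assumptions; the point of the design is that the guest's own kernel loads the guest's own policy, so the host or appliance kernel never has to load_policy an untrusted guest policy, which is the concern raised earlier in the thread.

```shell
#!/bin/sh
# Added example, not part of the libguestfs thread or its commit.
# Assumes a guest root filesystem is mounted (or unpacked) at ROOT.

# selinux_mode ROOT: print the SELINUX= value from ROOT/etc/selinux/config,
# or "disabled" when the file or the key is missing. Ignores comments and
# the similarly named SELINUXTYPE= key.
selinux_mode() {
    cfg="$1/etc/selinux/config"
    if [ ! -f "$cfg" ]; then
        echo disabled
        return 0
    fi
    mode=$(sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' "$cfg" | tail -n 1)
    echo "${mode:-disabled}"
}

# needs_relabel ROOT: succeed when the guest enforces or logs SELinux policy,
# i.e. when file labels written from outside the guest are worth fixing.
needs_relabel() {
    case "$(selinux_mode "$1")" in
        enforcing|permissive) return 0 ;;
        *) return 1 ;;
    esac
}

# schedule_relabel ROOT: create the /.autorelabel marker that the guest's
# init checks at boot; the guest then runs a full relabel and reboots.
schedule_relabel() {
    : > "$1/.autorelabel"
}

# qemu_once_cmd DISK: print the command that boots the guest once. With
# -no-reboot the reboot issued after relabelling shuts the VM down instead,
# so the caller's script continues with a clean, labelled image.
# Assumed options: -enable-kvm, 1024 MiB, headless, virtio qcow2 disk.
qemu_once_cmd() {
    echo "qemu-system-x86_64 -enable-kvm -m 1024 -nographic -no-reboot" \
         "-drive file=$1,format=qcow2,if=virtio"
}

# relabel_once ROOT DISK: the whole procedure. Only prints the qemu command;
# remove the echo to run it (assumes ROOT is unmounted before booting).
relabel_once() {
    if needs_relabel "$1"; then
        schedule_relabel "$1"
        echo "guest uses SELinux ($(selinux_mode "$1")); boot once with:"
        qemu_once_cmd "$2"
    else
        echo "guest has SELinux disabled; no relabel boot needed"
    fi
}
```

A guest whose config says SELINUX=disabled is skipped entirely, since an unnecessary relabel boot costs the slow linear pass over the filesystem that Russ describes without changing anything.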