Pino Toscano
2014-Sep-29 11:57 UTC
[Libguestfs] [PATCH 1/2] builder, customize: disable SELinux
Having SELinux enabled (even if not enforcing) in the appliance causes troubles to applications/libraries that read/write SELinux attributes. --- builder/builder.ml | 6 +++++- customize/customize_main.ml | 6 +++++- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/builder/builder.ml b/builder/builder.ml index a407924..5195cfd 100644 --- a/builder/builder.ml +++ b/builder/builder.ml @@ -633,7 +633,11 @@ let main () (match smp with None -> () | Some smp -> g#set_smp smp); g#set_network network; - g#set_selinux ops.flags.selinux_relabel; + (* Make sure to turn SELinux off to avoid awkward interactions + * between the appliance kernel and applications/libraries interacting + * with SELinux xattrs. + *) + g#set_selinux false; (* The output disk is being created, so use cache=unsafe here. *) g#add_drive_opts ~format:output_format ~cachemode:"unsafe" output_filename; diff --git a/customize/customize_main.ml b/customize/customize_main.ml index 6e0ba2d..2c8b2ef 100644 --- a/customize/customize_main.ml +++ b/customize/customize_main.ml @@ -208,7 +208,11 @@ read the man page virt-customize(1). (match memsize with None -> () | Some memsize -> g#set_memsize memsize); (match smp with None -> () | Some smp -> g#set_smp smp); g#set_network network; - g#set_selinux ops.flags.selinux_relabel; + (* Make sure to turn SELinux off to avoid awkward interactions + * between the appliance kernel and applications/libraries interacting + * with SELinux xattrs. + *) + g#set_selinux false; (* Add disks. *) add g dryrun; -- 1.9.3
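Review bot: in the builder/builder.ml hunk, `g#set_selinux false` replaces `g#set_selinux ops.flags.selinux_relabel`, so the user's relabel flag no longer influences how the appliance is launched at this point. The commit message should say explicitly that this only changes the appliance and that `--selinux-relabel`, where set, still drives the relabel step later; as written the hunk reads as silently dropping the option. The new comment would also be clearer if it named the concrete symptom from the commit message (applications/libraries that read or write SELinux xattrs) instead of "awkward interactions".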
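Review bot: the customize/customize_main.ml hunk repeats, character for character, the four-line comment and the `g#set_selinux false` call added to builder/builder.ml in the same patch. Since both tools set up the handle the same way (memsize, smp, network, selinux), a small shared helper for that launch-time setup would keep the two call sites from drifting apart the next time one of them changes. Otherwise the change matches the first hunk.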
Pino Toscano
2014-Sep-29 11:57 UTC
[Libguestfs] [PATCH 2/2] customize: fix attributes of /etc/shadow (RHBZ#1146275)
When saving a configuration file, Augeas creates a new file and replaces the old one with it; this creates a /etc/shadow file without the SELinux xattrs, since they are missing. Thus, create a temporary file with all the attributes of /etc/shadow, so all the attributes of it (permissions and xattrs, among others) can be restored properly on the new /etc/shadow. As side effect, if a guest is already properly SELinux-labelled, then there should be no more need to relabel it to make sure /etc/shadow still has the right SELinux xattrs. --- customize/password.ml | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/customize/password.ml b/customize/password.ml index 3437bf0..2bbfbbc 100644 --- a/customize/password.ml +++ b/customize/password.ml @@ -81,12 +81,19 @@ and read_password_from_file filename (* Permissible characters in a salt. *) let chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789./" -let rec set_linux_passwords ~prog ?password_crypto g root passwords +let rec set_linux_passwords ~prog ?password_crypto (g : Guestfs.guestfs) root passwords let crypto match password_crypto with | None -> default_crypto ~prog g root | Some c -> c in + (* Create a (almost) empty temporary file with the attributes of + * /etc/shadow, so we can restore them later. + *) + let tempfile = g#mktemp "/etc/shadow.guestfsXXXXXX" in + g#write tempfile "*"; + g#copy_attributes ~all:true "/etc/shadow" tempfile; + g#aug_init "/" 0; let users = Array.to_list (g#aug_ls "/files/etc/shadow") in List.iter ( 
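Review bot: the temporary file created by `g#mktemp "/etc/shadow.guestfsXXXXXX"` is only removed at the very end of the function, so if `g#aug_save ()` or any of the per-user edits raises, a file carrying the mode and xattrs of /etc/shadow is left behind in the guest's /etc. Wrapping the Augeas section so that `g#rm tempfile` also runs on the error path (for example `try ... with exn -> g#rm tempfile; raise exn`) would keep the guest clean whatever happens. Minor: "a (almost) empty" in the comment should read "an (almost) empty".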
@@ -116,9 +123,11 @@ let rec set_linux_passwords ~prog ?password_crypto g root passwords with Not_found -> () ) users; g#aug_save (); + g#aug_close (); - (* In virt-sysprep /.autorelabel will label it correctly. *) - g#chmod 0 "/etc/shadow" + (* Restore all the attributes from the temporary file, and remove it. *) + g#copy_attributes ~all:true tempfile "/etc/shadow"; + g#rm tempfile (* Encrypt each password. Use glibc (on the host). See: * https://rwmj.wordpress.com/2013/07/09/setting-the-root-or-other-passwords-in-a-linux-guest/ -- 1.9.3
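Review bot: dropping `g#chmod 0 "/etc/shadow"` is a behaviour change for guests whose /etc/shadow was not mode 0000 before the edit: `g#copy_attributes ~all:true tempfile "/etc/shadow"` now restores whatever mode the file originally had rather than forcing 0. That is the more correct outcome, but it deserves a sentence in the commit message, together with a check that `~all:true` covers every attribute the message promises to restore ("permissions and xattrs, among others"), since the old chmod was the only guarantee on the mode. The new `g#aug_close ()` is also only reached when `g#aug_save ()` succeeds; pairing it with the cleanup on the error path would release the Augeas handle in both cases.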
Richard W.M. Jones
2014-Sep-29 12:18 UTC
Re: [Libguestfs] [PATCH 2/2] customize: fix attributes of /etc/shadow (RHBZ#1146275)
On Mon, Sep 29, 2014 at 01:57:24PM +0200, Pino Toscano wrote:> When saving a configuration file, Augeas creates a new file and > replaces the old one with it; this creates a /etc/shadow file without > the SELinux xattrs, since they are missing. > > Thus, create a temporary file with all the attributes of /etc/shadow, so > all the attributes of it (permissions and xattrs, among others) can be > restored properly on the new /etc/shadow. > > As side effect, if a guest is already properly SELinux-labelled, then > there should be no more need to relabel it to make sure /etc/shadow > still has the right SELinux xattrs. > --- > customize/password.ml | 15 ++++++++++++--- > 1 file changed, 12 insertions(+), 3 deletions(-) > > diff --git a/customize/password.ml b/customize/password.ml > index 3437bf0..2bbfbbc 100644 > --- a/customize/password.ml > +++ b/customize/password.ml > @@ -81,12 +81,19 @@ and read_password_from_file filename > (* Permissible characters in a salt. *) > let chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789./" > > -let rec set_linux_passwords ~prog ?password_crypto g root passwords > +let rec set_linux_passwords ~prog ?password_crypto (g : Guestfs.guestfs) root passwords > let crypto > match password_crypto with > | None -> default_crypto ~prog g root > | Some c -> c in > > + (* Create a (almost) empty temporary file with the attributes of > + * /etc/shadow, so we can restore them later. > + *) > + let tempfile = g#mktemp "/etc/shadow.guestfsXXXXXX" in > + g#write tempfile "*"; > + g#copy_attributes ~all:true "/etc/shadow" tempfile; > + > g#aug_init "/" 0; > let users = Array.to_list (g#aug_ls "/files/etc/shadow") in > List.iter ( 
> @@ -116,9 +123,11 @@ let rec set_linux_passwords ~prog ?password_crypto g root passwords > with Not_found -> () > ) users; > g#aug_save (); > + g#aug_close (); > > - (* In virt-sysprep /.autorelabel will label it correctly. *) > - g#chmod 0 "/etc/shadow" > + (* Restore all the attributes from the temporary file, and remove it. *) > + g#copy_attributes ~all:true tempfile "/etc/shadow"; > + g#rm tempfile > > (* Encrypt each password. Use glibc (on the host). See: > * https://rwmj.wordpress.com/2013/07/09/setting-the-root-or-other-passwords-in-a-linux-guest/ > -- > 1.9.3ACK to both. Rich. -- Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones Read my programming and virtualization blog: http://rwmj.wordpress.com libguestfs lets you edit virtual machines. Supports shell scripting, bindings from many languages. http://libguestfs.org