Lars Kellogg-Stedman
2016-Mar-24 19:21 UTC
[Libguestfs] [PATCH] document behavior of --selinux-relabel
the description of the --selinux-relabel option suggests that it perform an immediate relabel, when in fact it may (and probably will) instead simply touch /.autorelabel on the image, which schedules a relabel operation for the next time the image boots. This can be surprising because it results both in an extended initial boot time *and* results in an automatic reboot (on some distributions). --- generator/customize.ml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/generator/customize.ml b/generator/customize.ml index 36d185c..b146325 100644 --- a/generator/customize.ml +++ b/generator/customize.ml @@ -522,6 +522,9 @@ C</etc/pam.d/common-password> (Debian, Ubuntu)."; flag_shortdesc = "Relabel files with correct SELinux labels"; flag_pod_longdesc = "\ Relabel files in the guest so that they have the correct SELinux label. +This will attempt to relabel files immediately, but if the operation fails +this will instead touch C</.autorelabel> on the image to schedule a +relabel operation for the next time the image boots. You should only use this option for guests which support SELinux."; }; -- 2.5.5
Richard W.M. Jones
2016-Mar-24 20:22 UTC
Re: [Libguestfs] [PATCH] document behavior of --selinux-relabel
On Thu, Mar 24, 2016 at 03:21:45PM -0400, Lars Kellogg-Stedman wrote:> the description of the --selinux-relabel option suggests that it > perform an immediate relabel, when in fact it may (and probably will) > instead simply touch /.autorelabel on the image, which schedules a > relabel operation for the next time the image boots. This can be > surprising because it results both in an extended initial boot time > *and* results in an automatic reboot (on some distributions). > --- > generator/customize.ml | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/generator/customize.ml b/generator/customize.ml > index 36d185c..b146325 100644 > --- a/generator/customize.ml > +++ b/generator/customize.ml > @@ -522,6 +522,9 @@ C</etc/pam.d/common-password> (Debian, Ubuntu)."; > flag_shortdesc = "Relabel files with correct SELinux labels"; > flag_pod_longdesc = "\ > Relabel files in the guest so that they have the correct SELinux label. > +This will attempt to relabel files immediately, but if the operation fails > +this will instead touch C</.autorelabel> on the image to schedule a > +relabel operation for the next time the image boots. > > You should only use this option for guests which support SELinux."; > };Thanks - I pushed this with a couple (of characters) of very minor changes :-) Rich. -- Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones Read my programming and virtualization blog: http://rwmj.wordpress.com virt-top is 'top' for virtual machines. Tiny program with many powerful monitoring features, net stats, disk stats, logging, etc. http://people.redhat.com/~rjones/virt-top
Apparently Analagous Threads
- Re: [PATCH] document behavior of --selinux-relabel
- [PATCH 2/2] Use setfiles from the appliance for the SELinux relabel (RHBZ#1089100).
- [PATCH v2 4/7] customize: Add module for doing SELinux relabel of filesystem.
- SELinux relabel API
- Re: [common PATCH 3/3] mlcustomize: do not relabel if not enforcing (RHBZ#1828952)