Pino Toscano
2016-May-10 08:59 UTC
[Libguestfs] [PATCH] builder: run/schedule a SELinux relabel if needed
If the guest uses SELinux, then make sure to run a relabel (or at least schedule one) after the image build: this way the template is relabelled, or at least it will do that at the next boot, without the need for the user to ask for a relabel.

This just covers the case of building a new image with no additional operations on it though.

---
builder/website/centos.sh | 2 ++ builder/website/compress.sh | 18 +++++++++++++++++- builder/website/fedora-aarch64.sh | 2 ++ builder/website/fedora-armv7l.sh | 2 ++ builder/website/fedora-i686.sh | 2 ++ builder/website/fedora-ppc64.sh | 2 ++ builder/website/fedora-ppc64le.sh | 2 ++ builder/website/fedora.sh | 2 ++ builder/website/rhel-aarch64.sh | 2 ++ builder/website/rhel-ppc64.sh | 2 ++ builder/website/rhel-ppc64le.sh | 2 ++ builder/website/rhel.sh | 2 ++ builder/website/scientificlinux.sh | 2 ++ 13 files changed, 41 insertions(+), 1 deletion(-)
diff --git a/builder/website/centos.sh b/builder/website/centos.sh index 5217aef..69670fe 100755 --- a/builder/website/centos.sh +++ b/builder/website/centos.sh @@ -96,4 +96,6 @@ virt-install \ --nographics \ --noreboot +DO_RELABEL=1 + source $(dirname "$0")/compress.sh $output diff --git a/builder/website/compress.sh b/builder/website/compress.sh index 2148804..4e09bf3 100644 --- a/builder/website/compress.sh +++ b/builder/website/compress.sh 
@@ -20,10 +20,26 @@ output=$1 +relabel_args=() + +if [ -n "$DO_RELABEL" ]; then + os_arch=$(uname -m) + guest_arch=$(virt-inspector -a "$output" | virt-inspector --xpath "string(/operatingsystems/operatingsystem/arch)") + + if [ "$os_arch" = "$guest_arch" ] || [ "$os_arch" = "x86_64" -a "$guest_arch" = "i386" ]; then + # this is what --selinux-relabel should really do, but do it ourselves + # in the meanwhile -- see RHBZ#1089100. + relabel_args+=(--run-command "setfiles /etc/selinux/targeted/contexts/files/file_contexts /") + else + relabel_args+=(--selinux-relabel) + fi + +fi + # Sysprep (removes logfiles and so on). # Note this also touches /.autorelabel so the further installation # changes that we make will be labelled properly at first boot. -virt-sysprep -a $output +virt-sysprep -a $output "${relabel_args[@]}" # Sparsify. mv $output $output.old diff --git a/builder/website/fedora-aarch64.sh b/builder/website/fedora-aarch64.sh index 8c7c1b9..1de834d 100755 --- a/builder/website/fedora-aarch64.sh +++ b/builder/website/fedora-aarch64.sh @@ -103,4 +103,6 @@ virt-install \ cp $vars $output-nvram xz --best $output-nvram +DO_RELABEL=1 + source $(dirname "$0")/compress.sh $output diff --git a/builder/website/fedora-armv7l.sh b/builder/website/fedora-armv7l.sh index 1de9b93..ece95c3 100755 --- a/builder/website/fedora-armv7l.sh +++ b/builder/website/fedora-armv7l.sh @@ -92,4 +92,6 @@ virt-install \ --nographics \ --noreboot +DO_RELABEL=1 + source $(dirname "$0")/compress.sh $output diff --git a/builder/website/fedora-i686.sh b/builder/website/fedora-i686.sh index ccae8ab..92d3f21 100755 --- a/builder/website/fedora-i686.sh +++ b/builder/website/fedora-i686.sh @@ -100,4 +100,6 @@ virt-install \ --nographics \ --noreboot +DO_RELABEL=1 + source $(dirname "$0")/compress.sh $output diff --git a/builder/website/fedora-ppc64.sh b/builder/website/fedora-ppc64.sh index b664e04..c8eafe2 100755 --- a/builder/website/fedora-ppc64.sh +++ b/builder/website/fedora-ppc64.sh 
@@ -92,4 +92,6 @@ virt-install \ --nographics \ --noreboot +DO_RELABEL=1 + source $(dirname "$0")/compress.sh $output diff --git a/builder/website/fedora-ppc64le.sh b/builder/website/fedora-ppc64le.sh index 351b569..8645ab4 100755 --- a/builder/website/fedora-ppc64le.sh +++ b/builder/website/fedora-ppc64le.sh @@ -92,4 +92,6 @@ virt-install \ --nographics \ --noreboot +DO_RELABEL=1 + source $(dirname "$0")/compress.sh $output diff --git a/builder/website/fedora.sh b/builder/website/fedora.sh index 8e48ce1..8911d14 100755 --- a/builder/website/fedora.sh +++ b/builder/website/fedora.sh @@ -100,4 +100,6 @@ virt-install \ --nographics \ --noreboot +DO_RELABEL=1 + source $(dirname "$0")/compress.sh $output diff --git a/builder/website/rhel-aarch64.sh b/builder/website/rhel-aarch64.sh index a8d1019..467d43b 100755 --- a/builder/website/rhel-aarch64.sh +++ b/builder/website/rhel-aarch64.sh @@ -159,4 +159,6 @@ cp $vars $output-nvram guestfish --rw -a $output -m $guestroot \ upload $yum /etc/yum.repos.d/download.devel.redhat.com.repo +DO_RELABEL=1 + source $(dirname "$0")/compress.sh $output diff --git a/builder/website/rhel-ppc64.sh b/builder/website/rhel-ppc64.sh index 48d6280..32148ae 100755 --- a/builder/website/rhel-ppc64.sh +++ b/builder/website/rhel-ppc64.sh @@ -140,4 +140,6 @@ virt-install \ guestfish --rw -a $output -m $guestroot \ upload $yum /etc/yum.repos.d/download.devel.redhat.com.repo +DO_RELABEL=1 + source $(dirname "$0")/compress.sh $output diff --git a/builder/website/rhel-ppc64le.sh b/builder/website/rhel-ppc64le.sh index a6dcc5b..9169b12 100755 --- a/builder/website/rhel-ppc64le.sh +++ b/builder/website/rhel-ppc64le.sh @@ -140,4 +140,6 @@ virt-install \ guestfish --rw -a $output -m $guestroot \ upload $yum /etc/yum.repos.d/download.devel.redhat.com.repo +DO_RELABEL=1 + source $(dirname "$0")/compress.sh $output diff --git a/builder/website/rhel.sh b/builder/website/rhel.sh index 0c64563..fcb7315 100755 --- a/builder/website/rhel.sh 
+++ b/builder/website/rhel.sh @@ -225,4 +225,6 @@ guestfish --rw -a $output -m $guestroot \ upload $yum /etc/yum.repos.d/download.devel.redhat.com.repo fi +DO_RELABEL=1 + source $(dirname "$0")/compress.sh $output diff --git a/builder/website/scientificlinux.sh b/builder/website/scientificlinux.sh index f3f8948..2cd2c8f 100755 --- a/builder/website/scientificlinux.sh +++ b/builder/website/scientificlinux.sh @@ -86,4 +86,6 @@ virt-install \ --nographics \ --noreboot +DO_RELABEL=1 + source $(dirname "$0")/compress.sh $output -- 2.5.5
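Review bot: in the compress.sh hunk, the `setfiles` branch hard-codes `/etc/selinux/targeted/contexts/files/file_contexts`, and the only guard around it is the host/guest architecture comparison, not whether the guest actually uses SELinux or which policy it is configured for. A guest whose /etc/selinux/config selects a different policy type would be labelled against the wrong file_contexts, and a guest with no policy installed would make virt-sysprep fail on the `--run-command`. Consider reading SELINUXTYPE from the guest's /etc/selinux/config (or at least checking that the file_contexts path exists inside the guest) before choosing this branch, and falling back to `--selinux-relabel` otherwise. Two smaller points in the same hunk: `[ "$os_arch" = "$guest_arch" ]` is an exact string comparison between `uname -m` and libguestfs's inspection arch, so if the two spell an architecture differently (the armv7l host behind fedora-armv7l.sh is the case to verify) the in-appliance relabel is silently skipped in favour of the scheduled one, which deserves either a normalisation step or a comment saying it is intended; and `[ ... -a ... ]` uses the obsolescent `-a` operator in a script that already relies on bash arrays, so `[[ "$os_arch" = "x86_64" && "$guest_arch" = "i386" ]]` would be the more idiomatic form.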
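Review bot: `DO_RELABEL=1` is added unconditionally and identically to all twelve per-distro scripts (centos.sh through scientificlinux.sh), so the "if needed" in the subject is decided nowhere: the variable is always set, and compress.sh never inspects the guest to confirm it uses SELinux. Since every caller sets it, it would be simpler to make relabelling the default inside compress.sh (with an opt-out variable reserved for a future non-SELinux template), or to pass it as a second positional argument next to `$output` rather than through an ambient shell variable that has to be assigned before the `source` line. With the ambient variable, a script that forgets the assignment silently falls back to the pre-patch behaviour of shipping an unlabelled template, which is exactly what this series sets out to remove.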
Richard W.M. Jones
2016-May-10 13:52 UTC
Re: [Libguestfs] [PATCH] builder: run/schedule a SELinux relabel if needed
On Tue, May 10, 2016 at 10:59:26AM +0200, Pino Toscano wrote:
> If the guest uses SELinux, then make sure to run a relabel (or at least
> schedule one) after the image build: this way the template is
> relabelled, or at least it will do that at the next boot, without the
> need for the user to ask for a relabel.
>
> This just covers the case of building a new image with no additional
> operations on it though.

ACK. I suspect that 'compress' should now be called 'functions' and it should be sourced at the beginning of each script ...

Rich.

> builder/website/centos.sh | 2 ++ > builder/website/compress.sh | 18 +++++++++++++++++- > builder/website/fedora-aarch64.sh | 2 ++ > builder/website/fedora-armv7l.sh | 2 ++ > builder/website/fedora-i686.sh | 2 ++ > builder/website/fedora-ppc64.sh | 2 ++ > builder/website/fedora-ppc64le.sh | 2 ++ > builder/website/fedora.sh | 2 ++ > builder/website/rhel-aarch64.sh | 2 ++ > builder/website/rhel-ppc64.sh | 2 ++ > builder/website/rhel-ppc64le.sh | 2 ++ > builder/website/rhel.sh | 2 ++ > builder/website/scientificlinux.sh | 2 ++ > 13 files changed, 41 insertions(+), 1 deletion(-) > > diff --git a/builder/website/centos.sh b/builder/website/centos.sh > index 5217aef..69670fe 100755 > --- a/builder/website/centos.sh > +++ b/builder/website/centos.sh > @@ -96,4 +96,6 @@ virt-install \ > --nographics \ > --noreboot > > +DO_RELABEL=1 > + > source $(dirname "$0")/compress.sh $output > diff --git a/builder/website/compress.sh b/builder/website/compress.sh > index 2148804..4e09bf3 100644 > --- a/builder/website/compress.sh > +++ b/builder/website/compress.sh 
> @@ -20,10 +20,26 @@ > > output=$1 > > +relabel_args=() > + > +if [ -n "$DO_RELABEL" ]; then > + os_arch=$(uname -m) > + guest_arch=$(virt-inspector -a "$output" | virt-inspector --xpath "string(/operatingsystems/operatingsystem/arch)") > + > + if [ "$os_arch" = "$guest_arch" ] || [ "$os_arch" = "x86_64" -a "$guest_arch" = "i386" ]; then > + # this is what --selinux-relabel should really do, but do it ourselves > + # in the meanwhile -- see RHBZ#1089100. > + relabel_args+=(--run-command "setfiles /etc/selinux/targeted/contexts/files/file_contexts /") > + else > + relabel_args+=(--selinux-relabel) > + fi > + > +fi > + > # Sysprep (removes logfiles and so on). > # Note this also touches /.autorelabel so the further installation > # changes that we make will be labelled properly at first boot. > -virt-sysprep -a $output > +virt-sysprep -a $output "${relabel_args[@]}" > > # Sparsify. > mv $output $output.old > diff --git a/builder/website/fedora-aarch64.sh b/builder/website/fedora-aarch64.sh > index 8c7c1b9..1de834d 100755 > --- a/builder/website/fedora-aarch64.sh > +++ b/builder/website/fedora-aarch64.sh > @@ -103,4 +103,6 @@ virt-install \ > cp $vars $output-nvram > xz --best $output-nvram > > +DO_RELABEL=1 > + > source $(dirname "$0")/compress.sh $output > diff --git a/builder/website/fedora-armv7l.sh b/builder/website/fedora-armv7l.sh > index 1de9b93..ece95c3 100755 > --- a/builder/website/fedora-armv7l.sh > +++ b/builder/website/fedora-armv7l.sh > @@ -92,4 +92,6 @@ virt-install \ > --nographics \ > --noreboot > > +DO_RELABEL=1 > + > source $(dirname "$0")/compress.sh $output > diff --git a/builder/website/fedora-i686.sh b/builder/website/fedora-i686.sh > index ccae8ab..92d3f21 100755 > --- a/builder/website/fedora-i686.sh > +++ b/builder/website/fedora-i686.sh > @@ -100,4 +100,6 @@ virt-install \ > --nographics \ > --noreboot > > +DO_RELABEL=1 > + > source $(dirname "$0")/compress.sh $output 
> diff --git a/builder/website/fedora-ppc64.sh b/builder/website/fedora-ppc64.sh > index b664e04..c8eafe2 100755 > --- a/builder/website/fedora-ppc64.sh > +++ b/builder/website/fedora-ppc64.sh > @@ -92,4 +92,6 @@ virt-install \ > --nographics \ > --noreboot > > +DO_RELABEL=1 > + > source $(dirname "$0")/compress.sh $output > diff --git a/builder/website/fedora-ppc64le.sh b/builder/website/fedora-ppc64le.sh > index 351b569..8645ab4 100755 > --- a/builder/website/fedora-ppc64le.sh > +++ b/builder/website/fedora-ppc64le.sh > @@ -92,4 +92,6 @@ virt-install \ > --nographics \ > --noreboot > > +DO_RELABEL=1 > + > source $(dirname "$0")/compress.sh $output > diff --git a/builder/website/fedora.sh b/builder/website/fedora.sh > index 8e48ce1..8911d14 100755 > --- a/builder/website/fedora.sh > +++ b/builder/website/fedora.sh > @@ -100,4 +100,6 @@ virt-install \ > --nographics \ > --noreboot > > +DO_RELABEL=1 > + > source $(dirname "$0")/compress.sh $output > diff --git a/builder/website/rhel-aarch64.sh b/builder/website/rhel-aarch64.sh > index a8d1019..467d43b 100755 > --- a/builder/website/rhel-aarch64.sh > +++ b/builder/website/rhel-aarch64.sh > @@ -159,4 +159,6 @@ cp $vars $output-nvram > guestfish --rw -a $output -m $guestroot \ > upload $yum /etc/yum.repos.d/download.devel.redhat.com.repo > > +DO_RELABEL=1 > + > source $(dirname "$0")/compress.sh $output > diff --git a/builder/website/rhel-ppc64.sh b/builder/website/rhel-ppc64.sh > index 48d6280..32148ae 100755 > --- a/builder/website/rhel-ppc64.sh > +++ b/builder/website/rhel-ppc64.sh > @@ -140,4 +140,6 @@ virt-install \ > guestfish --rw -a $output -m $guestroot \ > upload $yum /etc/yum.repos.d/download.devel.redhat.com.repo > > +DO_RELABEL=1 > + > source $(dirname "$0")/compress.sh $output > diff --git a/builder/website/rhel-ppc64le.sh b/builder/website/rhel-ppc64le.sh > index a6dcc5b..9169b12 100755 > --- a/builder/website/rhel-ppc64le.sh > +++ b/builder/website/rhel-ppc64le.sh 
> @@ -140,4 +140,6 @@ virt-install \ > guestfish --rw -a $output -m $guestroot \ > upload $yum /etc/yum.repos.d/download.devel.redhat.com.repo > > +DO_RELABEL=1 > + > source $(dirname "$0")/compress.sh $output > diff --git a/builder/website/rhel.sh b/builder/website/rhel.sh > index 0c64563..fcb7315 100755 > --- a/builder/website/rhel.sh > +++ b/builder/website/rhel.sh > @@ -225,4 +225,6 @@ guestfish --rw -a $output -m $guestroot \ > upload $yum /etc/yum.repos.d/download.devel.redhat.com.repo > fi > > +DO_RELABEL=1 > + > source $(dirname "$0")/compress.sh $output > diff --git a/builder/website/scientificlinux.sh b/builder/website/scientificlinux.sh > index f3f8948..2cd2c8f 100755 > --- a/builder/website/scientificlinux.sh > +++ b/builder/website/scientificlinux.sh > @@ -86,4 +86,6 @@ virt-install \ > --nographics \ > --noreboot > > +DO_RELABEL=1 > + > source $(dirname "$0")/compress.sh $output > -- > 2.5.5 > > _______________________________________________ > Libguestfs mailing list > Libguestfs@redhat.com > https://www.redhat.com/mailman/listinfo/libguestfs

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-p2v converts physical machines to virtual machines. Boot with a live CD or over the network (PXE) and turn machines into KVM guests. http://libguestfs.org/virt-v2v