Yaniv Kaul
2017-Dec-24 13:59 UTC
Re: [Libguestfs] virt-copy-in - how do I get the selinux relabeling done for the file?
On Sun, Dec 24, 2017 at 3:49 PM, Richard W.M. Jones <rjones@redhat.com> wrote:

> On Sun, Dec 24, 2017 at 02:15:44PM +0200, Yaniv Kaul wrote:
> > I'm copying a file into a VM using virt-copy-in - which is great, but the
> > file is wrongly labeled.
> > How can I fix that?
>
> Hi Yaniv,
>
> The easiest thing is to run this after doing the virt-copy-in:
>
>   virt-customize -a disk.img --selinux-relabel
>
> which will run this code:
>
> https://github.com/libguestfs/libguestfs/blob/master/customize/SELinux_relabel.ml#L27
>
> That requires an extra launch of the appliance, so if you were very
> concerned about doing this most efficiently then you could do
> something like this instead:
>
>   guestfish -a disk.img -i <<EOF
>   copy-in files [...] /target/dir
>   selinux-relabel /etc/selinux/targeted/contexts/files/file_contexts / force:true
>   EOF
>

Thanks - this is exactly what I've decided to use first.
I'll run virt-customize if I need to do more work (specifically, I believe
it'll relabel everything, etc. - not sure I need it right now).
Y.

>
> That isn't quite the same as the virt-customize code above, and in
> particular it assumes that you're using the "targeted" policy and you
> don't have the buggy version of RHEL 6, but it's near enough for most
> purposes. If you want to do any better you'd need to write a custom
> script in Python or whatever.
>
> Rich.
>
> --
> Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
> Read my programming and virtualization blog: http://rwmj.wordpress.com
> virt-top is 'top' for virtual machines. Tiny program with many
> powerful monitoring features, net stats, disk stats, logging, etc.
> http://people.redhat.com/~rjones/virt-top
>
Richard W.M. Jones
2017-Dec-24 14:20 UTC
Re: [Libguestfs] virt-copy-in - how do I get the selinux relabeling done for the file?
On Sun, Dec 24, 2017 at 03:59:33PM +0200, Yaniv Kaul wrote:
> On Sun, Dec 24, 2017 at 3:49 PM, Richard W.M. Jones <rjones@redhat.com>
> wrote:
>
> > On Sun, Dec 24, 2017 at 02:15:44PM +0200, Yaniv Kaul wrote:
> > > I'm copying a file into a VM using virt-copy-in - which is great, but the
> > > file is wrongly labeled.
> > > How can I fix that?
> >
> > Hi Yaniv,
> >
> > The easiest thing is to run this after doing the virt-copy-in:
> >
> >   virt-customize -a disk.img --selinux-relabel
> >
> > which will run this code:
> >
> > https://github.com/libguestfs/libguestfs/blob/master/customize/SELinux_relabel.ml#L27
> >
> > That requires an extra launch of the appliance, so if you were very
> > concerned about doing this most efficiently then you could do
> > something like this instead:
> >
> >   guestfish -a disk.img -i <<EOF
> >   copy-in files [...] /target/dir
> >   selinux-relabel /etc/selinux/targeted/contexts/files/file_contexts / force:true

In case it's not clear, this parameter
                                                                        ^^^
controls the scope of the relabelling, so you can relabel parts of the
filesystem if you want to. It's basically a wrapper around
‘setfiles’:

https://github.com/libguestfs/libguestfs/blob/dab065a8eed6c6d8d9c53956393566812cfe6a2e/daemon/selinux-relabel.c#L87

Rich.

--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
Fedora Windows cross-compiler. Compile Windows programs, test, and
build Windows installers. Over 100 libraries supported.
http://fedoraproject.org/wiki/MinGW
Yaniv Kaul
2017-Dec-24 14:34 UTC
Re: [Libguestfs] virt-copy-in - how do I get the selinux relabeling done for the file?
On Sun, Dec 24, 2017 at 4:20 PM, Richard W.M. Jones <rjones@redhat.com> wrote:

> On Sun, Dec 24, 2017 at 03:59:33PM +0200, Yaniv Kaul wrote:
> > On Sun, Dec 24, 2017 at 3:49 PM, Richard W.M. Jones <rjones@redhat.com>
> > wrote:
> >
> > > On Sun, Dec 24, 2017 at 02:15:44PM +0200, Yaniv Kaul wrote:
> > > > I'm copying a file into a VM using virt-copy-in - which is great, but the
> > > > file is wrongly labeled.
> > > > How can I fix that?
> > >
> > > Hi Yaniv,
> > >
> > > The easiest thing is to run this after doing the virt-copy-in:
> > >
> > >   virt-customize -a disk.img --selinux-relabel
> > >
> > > which will run this code:
> > >
> > > https://github.com/libguestfs/libguestfs/blob/master/customize/SELinux_relabel.ml#L27
> > >
> > > That requires an extra launch of the appliance, so if you were very
> > > concerned about doing this most efficiently then you could do
> > > something like this instead:
> > >
> > >   guestfish -a disk.img -i <<EOF
> > >   copy-in files [...] /target/dir
> > >   selinux-relabel /etc/selinux/targeted/contexts/files/file_contexts / force:true
>
> In case it's not clear, this parameter
>                                                                         ^^^
> controls the scope of the relabelling, so you can relabel parts of the
> filesystem if you want to. It's basically a wrapper around
> ‘setfiles’:
>
> https://github.com/libguestfs/libguestfs/blob/dab065a8eed6c6d8d9c53956393566812cfe6a2e/daemon/selinux-relabel.c#L87
>
> Rich.
>

Thanks, I think I'm all good - seems to be working nice[1].
I think a great future feature of guestfish would be to run Ansible-based
modules/roles against the VM. All is needed is an IP, inject SSH
credentials. Anything else?
Y.

[1] https://gerrit.ovirt.org/#/c/85715/1/src/ansible/create_target_vm.yml

>
> --
> Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
> Read my programming and virtualization blog: http://rwmj.wordpress.com
> Fedora Windows cross-compiler. Compile Windows programs, test, and
> build Windows installers. Over 100 libraries supported.
> http://fedoraproject.org/wiki/MinGW
>
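
The thread notes that the guestfish one-liner assumes the "targeted" policy and that a custom script could do better. The following is an added example, not code from this thread or from libguestfs: it uses the libguestfs Python bindings to copy files in and relabel only the target directory in a single appliance launch, reading SELINUXTYPE from the guest instead of assuming "targeted". The function names are hypothetical, and it does not handle the RHEL 6 case mentioned above.

```python
#!/usr/bin/env python3
"""Copy files into a guest disk image and relabel only the target directory."""
import re
import sys


def selinux_policy(config_text, default="targeted"):
    """Return SELINUXTYPE from the text of the guest's /etc/selinux/config."""
    for line in config_text.splitlines():
        m = re.match(r"\s*SELINUXTYPE\s*=\s*([A-Za-z0-9_-]+)\s*$", line)
        if m:
            return m.group(1)
    return default  # assumption: fall back to "targeted" when unset


def specfile_for(policy):
    """Path of the file_contexts spec file passed to selinux-relabel."""
    return "/etc/selinux/%s/contexts/files/file_contexts" % policy


def copy_in_and_relabel(disk, local_paths, target_dir):
    import guestfs  # libguestfs Python bindings, imported lazily

    g = guestfs.GuestFS(python_return_dict=True)
    g.add_drive_opts(disk, readonly=0)
    g.launch()  # one appliance launch covers both the copy and the relabel
    try:
        roots = g.inspect_os()
        if len(roots) != 1:
            raise RuntimeError("expected exactly one OS in %s" % disk)
        mounts = g.inspect_get_mountpoints(roots[0])
        for mountpoint in sorted(mounts, key=len):  # mount / before /boot etc.
            g.mount(mounts[mountpoint], mountpoint)
        for path in local_paths:
            g.copy_in(path, target_dir)
        config = "/etc/selinux/config"
        text = g.cat(config) if g.is_file(config) else ""
        # Scope is target_dir rather than "/", so only the copied tree is relabelled.
        g.selinux_relabel(specfile_for(selinux_policy(text)), target_dir, force=True)
        g.shutdown()
    finally:
        g.close()


if __name__ == "__main__":
    if len(sys.argv) < 4:
        sys.exit("usage: relabel.py DISK TARGET_DIR FILE...")
    copy_in_and_relabel(sys.argv[1], sys.argv[3:], sys.argv[2])
```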