Libguestfs - Jan 2018 - [PATCH] customize: allow missing SELINUXTYPE in SELinux config

libselinux defaults to "targeted" when no SELINUXTYPE is specified in
/etc/config/selinux.  Hence do the same here, instead of failing because
of the missing key.

Add a slow test for checking SELinux relabeling on a Fedora 27 guest,
both with no changes, and with a modified configuration.
---
 customize/Makefile.am            |  2 ++
 customize/SELinux_relabel.ml     | 14 ++++++++++--
 customize/test-selinuxrelabel.sh | 49 ++++++++++++++++++++++++++++++++++++++++
 3 files changed, 63 insertions(+), 2 deletions(-)
 create mode 100755 customize/test-selinuxrelabel.sh

diff --git a/customize/Makefile.am b/customize/Makefile.am
index a22e25c46..7f18b2fc3 100644
--- a/customize/Makefile.am
+++ b/customize/Makefile.am
@@ -23,6 +23,7 @@ EXTRA_DIST = \
 	customize_main.ml \
 	test-firstboot.sh \
 	test-password.pl \
+	test-selinuxrelabel.sh \
 	test-settings.sh \
 	test-virt-customize.sh \
 	test-virt-customize-docs.sh \
@@ -225,6 +226,7 @@ check-valgrind:
 SLOW_TESTS = \
 	$(firstboot_test_scripts) \
 	$(password_test_scripts) \
+	test-selinuxrelabel.sh \
 	$(settings_test_scripts)
 
 check-slow:
diff --git a/customize/SELinux_relabel.ml b/customize/SELinux_relabel.ml
index d404c35fa..e7d440c29 100644
--- a/customize/SELinux_relabel.ml
+++ b/customize/SELinux_relabel.ml
@@ -37,8 +37,18 @@ let relabel (g : G.guestfs)        g#aug_load ();
       debug_augeas_errors g;
 
-      (* Get the SELinux policy name, eg. "targeted",
"minimum". *)
-      let policy = g#aug_get "/files/etc/selinux/config/SELINUXTYPE"
in
+      (* Get the SELinux policy name, eg. "targeted",
"minimum".
+       * Use "targeted" if not specified, just like libselinux does.
+       *)
+      let policy +        let config_path =
"/files/etc/selinux/config" in
+        let selinuxtype_path = config_path ^ "/SELINUXTYPE" in
+        let keys = g#aug_ls config_path in
+        if Array.mem selinuxtype_path keys then
+          g#aug_get selinuxtype_path
+        else
+          "targeted" in
+
       g#aug_close ();
 
       (* Get the spec file name. *)
diff --git a/customize/test-selinuxrelabel.sh b/customize/test-selinuxrelabel.sh
new file mode 100755
index 000000000..d13c0356c
--- /dev/null
+++ b/customize/test-selinuxrelabel.sh
@@ -0,0 +1,49 @@
+#!/bin/bash -
+# Test SELinux relabel functionality.
+# Copyright (C) 2018 Red Hat Inc.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+
+# This slow test checks that SELinux relabel works.
+
+set -e
+
+$TEST_FUNCTIONS
+slow_test
+
+guestname="fedora-27"
+
+disk="selinuxrelabel.img"
+disk_overlay="selinuxrelabel-overlay.qcow2"
+rm -f "$disk"
+
+skip_unless_virt_builder_guest "$guestname"
+
+# Build a guest (using virt-builder).
+virt-builder "$guestname" --quiet -o "$disk"
+
+# Test #1: relabel with the default configuration works.
+rm -f  "$disk_overlay"
+guestfish -- disk-create "$disk_overlay" qcow2 -1
backingfile:"$disk"
+virt-customize -a "$disk" --selinux-relabel
+
+# Test #2: relabel with no SELINUXTYPE in the configuration.
+rm -f  "$disk_overlay"
+guestfish -- disk-create "$disk_overlay" qcow2 -1
backingfile:"$disk"
+virt-customize -a "$disk" \
+  --edit /etc/selinux/config:"s,^SELINUXTYPE=,#&,g" \
+  --selinux-relabel
+
+rm "$disk" "$disk_overlay"
-- 
2.14.3

On Wed, Jan 31, 2018 at 12:33:13PM +0100, Pino Toscano
wrote:
> libselinux defaults to "targeted" when no SELINUXTYPE is
specified in
> /etc/config/selinux.  Hence do the same here, instead of failing because
> of the missing key.
> 
> Add a slow test for checking SELinux relabeling on a Fedora 27 guest,
> both with no changes, and with a modified configuration.
> ---
>  customize/Makefile.am            |  2 ++
>  customize/SELinux_relabel.ml     | 14 ++++++++++--
>  customize/test-selinuxrelabel.sh | 49
++++++++++++++++++++++++++++++++++++++++
>  3 files changed, 63 insertions(+), 2 deletions(-)
>  create mode 100755 customize/test-selinuxrelabel.sh
> 
> diff --git a/customize/Makefile.am b/customize/Makefile.am
> index a22e25c46..7f18b2fc3 100644
> --- a/customize/Makefile.am
> +++ b/customize/Makefile.am
> @@ -23,6 +23,7 @@ EXTRA_DIST = \
>  	customize_main.ml \
>  	test-firstboot.sh \
>  	test-password.pl \
> +	test-selinuxrelabel.sh \
>  	test-settings.sh \
>  	test-virt-customize.sh \
>  	test-virt-customize-docs.sh \
> @@ -225,6 +226,7 @@ check-valgrind:
>  SLOW_TESTS = \
>  	$(firstboot_test_scripts) \
>  	$(password_test_scripts) \
> +	test-selinuxrelabel.sh \
>  	$(settings_test_scripts)
>  
>  check-slow:
> diff --git a/customize/SELinux_relabel.ml b/customize/SELinux_relabel.ml
> index d404c35fa..e7d440c29 100644
> --- a/customize/SELinux_relabel.ml
> +++ b/customize/SELinux_relabel.ml
> @@ -37,8 +37,18 @@ let relabel (g : G.guestfs) >        g#aug_load ();
>        debug_augeas_errors g;
>  
> -      (* Get the SELinux policy name, eg. "targeted",
"minimum". *)
> -      let policy = g#aug_get
"/files/etc/selinux/config/SELINUXTYPE" in
> +      (* Get the SELinux policy name, eg. "targeted",
"minimum".
> +       * Use "targeted" if not specified, just like libselinux
does.
> +       *)
> +      let policy > +        let config_path =
"/files/etc/selinux/config" in
> +        let selinuxtype_path = config_path ^ "/SELINUXTYPE" in
> +        let keys = g#aug_ls config_path in
> +        if Array.mem selinuxtype_path keys then
> +          g#aug_get selinuxtype_path
> +        else
> +          "targeted" in
> +
>        g#aug_close ();
>  
>        (* Get the spec file name. *)
> diff --git a/customize/test-selinuxrelabel.sh
b/customize/test-selinuxrelabel.sh
> new file mode 100755
> index 000000000..d13c0356c
> --- /dev/null
> +++ b/customize/test-selinuxrelabel.sh
> @@ -0,0 +1,49 @@
> +#!/bin/bash -
> +# Test SELinux relabel functionality.
> +# Copyright (C) 2018 Red Hat Inc.
> +#
> +# This program is free software; you can redistribute it and/or modify
> +# it under the terms of the GNU General Public License as published by
> +# the Free Software Foundation; either version 2 of the License, or
> +# (at your option) any later version.
> +#
> +# This program is distributed in the hope that it will be useful,
> +# but WITHOUT ANY WARRANTY; without even the implied warranty of
> +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
> +# GNU General Public License for more details.
> +#
> +# You should have received a copy of the GNU General Public License
> +# along with this program; if not, write to the Free Software
> +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301
USA.
> +
> +# This slow test checks that SELinux relabel works.
> +
> +set -e
> +
> +$TEST_FUNCTIONS
> +slow_test
> +
> +guestname="fedora-27"
> +
> +disk="selinuxrelabel.img"
> +disk_overlay="selinuxrelabel-overlay.qcow2"
> +rm -f "$disk"
> +
> +skip_unless_virt_builder_guest "$guestname"
> +
> +# Build a guest (using virt-builder).
> +virt-builder "$guestname" --quiet -o "$disk"
> +
> +# Test #1: relabel with the default configuration works.
> +rm -f  "$disk_overlay"
> +guestfish -- disk-create "$disk_overlay" qcow2 -1
backingfile:"$disk"
> +virt-customize -a "$disk" --selinux-relabel
> +
> +# Test #2: relabel with no SELINUXTYPE in the configuration.
> +rm -f  "$disk_overlay"
> +guestfish -- disk-create "$disk_overlay" qcow2 -1
backingfile:"$disk"
> +virt-customize -a "$disk" \
> +  --edit /etc/selinux/config:"s,^SELINUXTYPE=,#&,g" \
> +  --selinux-relabel
> +
> +rm "$disk" "$disk_overlay"
ACK, thanks.

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-p2v converts physical machines to virtual machines.  Boot with a
live CD or over the network (PXE) and turn machines into KVM guests.
http://libguestfs.org/virt-v2v