Pino Toscano
2018-Jan-31 11:33 UTC
[Libguestfs] [PATCH] customize: allow missing SELINUXTYPE in SELinux config
libselinux defaults to "targeted" when no SELINUXTYPE is specified in /etc/config/selinux. Hence do the same here, instead of failing because of the missing key. Add a slow test for checking SELinux relabeling on a Fedora 27 guest, both with no changes, and with a modified configuration. --- customize/Makefile.am | 2 ++ customize/SELinux_relabel.ml | 14 ++++++++++-- customize/test-selinuxrelabel.sh | 49 ++++++++++++++++++++++++++++++++++++++++ 3 files changed, 63 insertions(+), 2 deletions(-) create mode 100755 customize/test-selinuxrelabel.sh diff --git a/customize/Makefile.am b/customize/Makefile.am index a22e25c46..7f18b2fc3 100644 --- a/customize/Makefile.am +++ b/customize/Makefile.am @@ -23,6 +23,7 @@ EXTRA_DIST = \ customize_main.ml \ test-firstboot.sh \ test-password.pl \ + test-selinuxrelabel.sh \ test-settings.sh \ test-virt-customize.sh \ test-virt-customize-docs.sh \ @@ -225,6 +226,7 @@ check-valgrind: SLOW_TESTS = \ $(firstboot_test_scripts) \ $(password_test_scripts) \ + test-selinuxrelabel.sh \ $(settings_test_scripts) check-slow: diff --git a/customize/SELinux_relabel.ml b/customize/SELinux_relabel.ml index d404c35fa..e7d440c29 100644 --- a/customize/SELinux_relabel.ml +++ b/customize/SELinux_relabel.ml @@ -37,8 +37,18 @@ let relabel (g : G.guestfs) g#aug_load (); debug_augeas_errors g; - (* Get the SELinux policy name, eg. "targeted", "minimum". *) - let policy = g#aug_get "/files/etc/selinux/config/SELINUXTYPE" in + (* Get the SELinux policy name, eg. "targeted", "minimum". + * Use "targeted" if not specified, just like libselinux does. + *) + let policy + let config_path = "/files/etc/selinux/config" in + let selinuxtype_path = config_path ^ "/SELINUXTYPE" in + let keys = g#aug_ls config_path in + if Array.mem selinuxtype_path keys then + g#aug_get selinuxtype_path + else + "targeted" in + g#aug_close (); (* Get the spec file name. *) 
diff --git a/customize/test-selinuxrelabel.sh b/customize/test-selinuxrelabel.sh new file mode 100755 index 000000000..d13c0356c --- /dev/null +++ b/customize/test-selinuxrelabel.sh @@ -0,0 +1,49 @@ +#!/bin/bash - +# Test SELinux relabel functionality. +# Copyright (C) 2018 Red Hat Inc. +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + +# This slow test checks that SELinux relabel works. + +set -e + +$TEST_FUNCTIONS +slow_test + +guestname="fedora-27" + +disk="selinuxrelabel.img" +disk_overlay="selinuxrelabel-overlay.qcow2" +rm -f "$disk" + +skip_unless_virt_builder_guest "$guestname" + +# Build a guest (using virt-builder). +virt-builder "$guestname" --quiet -o "$disk" + +# Test #1: relabel with the default configuration works. +rm -f "$disk_overlay" +guestfish -- disk-create "$disk_overlay" qcow2 -1 backingfile:"$disk" +virt-customize -a "$disk" --selinux-relabel + +# Test #2: relabel with no SELINUXTYPE in the configuration. +rm -f "$disk_overlay" +guestfish -- disk-create "$disk_overlay" qcow2 -1 backingfile:"$disk" +virt-customize -a "$disk" \ + --edit /etc/selinux/config:"s,^SELINUXTYPE=,#&,g" \ + --selinux-relabel + +rm "$disk" "$disk_overlay" -- 2.14.3
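Review bot: In the SELinux_relabel.ml hunk, `+ let policy` is followed directly by `+ let config_path = "/files/etc/selinux/config" in` with no `=` after `policy`, which is not valid OCaml; if that is not an artifact of how the mail was archived, the line should read `let policy =`. Separately, `Array.mem` only entered the OCaml standard library in 4.03, so the `g#aug_ls` / `Array.mem selinuxtype_path keys` check ties this file to a newer compiler than some supported build hosts have (the follow-up "customize: avoid Array.mem for now" listed at the foot of this page points the same way); `List.mem selinuxtype_path (Array.to_list keys)` gives the same result on older compilers. One more nit: the commit message says the key is read from /etc/config/selinux, while the hunk (correctly) uses /etc/selinux/config.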
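Review bot: In the test-selinuxrelabel.sh hunk, both tests create `$disk_overlay` with `guestfish -- disk-create "$disk_overlay" qcow2 -1 backingfile:"$disk"` but then run `virt-customize -a "$disk" ...`, so the overlay is never used and each relabel writes into the base image that virt-builder produced; test #2 therefore runs against a guest that test #1 has already relabeled, not a clean one, and the `--edit /etc/selinux/config:"s,^SELINUXTYPE=,#&,g"` change persists in `$disk`. Pass `-a "$disk_overlay"` in both `virt-customize` invocations so that each test starts from the pristine image and the `rm -f "$disk_overlay"` before each test actually resets state.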
Richard W.M. Jones
2018-Jan-31 15:31 UTC
Re: [Libguestfs] [PATCH] customize: allow missing SELINUXTYPE in SELinux config
On Wed, Jan 31, 2018 at 12:33:13PM +0100, Pino Toscano wrote:> libselinux defaults to "targeted" when no SELINUXTYPE is specified in > /etc/config/selinux. Hence do the same here, instead of failing because > of the missing key. > > Add a slow test for checking SELinux relabeling on a Fedora 27 guest, > both with no changes, and with a modified configuration. > --- > customize/Makefile.am | 2 ++ > customize/SELinux_relabel.ml | 14 ++++++++++-- > customize/test-selinuxrelabel.sh | 49 ++++++++++++++++++++++++++++++++++++++++ > 3 files changed, 63 insertions(+), 2 deletions(-) > create mode 100755 customize/test-selinuxrelabel.sh > > diff --git a/customize/Makefile.am b/customize/Makefile.am > index a22e25c46..7f18b2fc3 100644 > --- a/customize/Makefile.am > +++ b/customize/Makefile.am > @@ -23,6 +23,7 @@ EXTRA_DIST = \ > customize_main.ml \ > test-firstboot.sh \ > test-password.pl \ > + test-selinuxrelabel.sh \ > test-settings.sh \ > test-virt-customize.sh \ > test-virt-customize-docs.sh \ > @@ -225,6 +226,7 @@ check-valgrind: > SLOW_TESTS = \ > $(firstboot_test_scripts) \ > $(password_test_scripts) \ > + test-selinuxrelabel.sh \ > $(settings_test_scripts) > > check-slow: > diff --git a/customize/SELinux_relabel.ml b/customize/SELinux_relabel.ml > index d404c35fa..e7d440c29 100644 > --- a/customize/SELinux_relabel.ml > +++ b/customize/SELinux_relabel.ml 
> @@ -37,8 +37,18 @@ let relabel (g : G.guestfs) > g#aug_load (); > debug_augeas_errors g; > > - (* Get the SELinux policy name, eg. "targeted", "minimum". *) > - let policy = g#aug_get "/files/etc/selinux/config/SELINUXTYPE" in > + (* Get the SELinux policy name, eg. "targeted", "minimum". > + * Use "targeted" if not specified, just like libselinux does. > + *) > + let policy > + let config_path = "/files/etc/selinux/config" in > + let selinuxtype_path = config_path ^ "/SELINUXTYPE" in > + let keys = g#aug_ls config_path in > + if Array.mem selinuxtype_path keys then > + g#aug_get selinuxtype_path > + else > + "targeted" in > + > g#aug_close (); > > (* Get the spec file name. *) > diff --git a/customize/test-selinuxrelabel.sh b/customize/test-selinuxrelabel.sh > new file mode 100755 > index 000000000..d13c0356c > --- /dev/null > +++ b/customize/test-selinuxrelabel.sh 
> @@ -0,0 +1,49 @@ > +#!/bin/bash - > +# Test SELinux relabel functionality. > +# Copyright (C) 2018 Red Hat Inc. > +# > +# This program is free software; you can redistribute it and/or modify > +# it under the terms of the GNU General Public License as published by > +# the Free Software Foundation; either version 2 of the License, or > +# (at your option) any later version. > +# > +# This program is distributed in the hope that it will be useful, > +# but WITHOUT ANY WARRANTY; without even the implied warranty of > +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the > +# GNU General Public License for more details. > +# > +# You should have received a copy of the GNU General Public License > +# along with this program; if not, write to the Free Software > +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. > + > +# This slow test checks that SELinux relabel works. > + > +set -e > + > +$TEST_FUNCTIONS > +slow_test > + > +guestname="fedora-27" > + > +disk="selinuxrelabel.img" > +disk_overlay="selinuxrelabel-overlay.qcow2" > +rm -f "$disk" > + > +skip_unless_virt_builder_guest "$guestname" > + > +# Build a guest (using virt-builder). > +virt-builder "$guestname" --quiet -o "$disk" > + > +# Test #1: relabel with the default configuration works. > +rm -f "$disk_overlay" > +guestfish -- disk-create "$disk_overlay" qcow2 -1 backingfile:"$disk" > +virt-customize -a "$disk" --selinux-relabel > + > +# Test #2: relabel with no SELINUXTYPE in the configuration. > +rm -f "$disk_overlay" > +guestfish -- disk-create "$disk_overlay" qcow2 -1 backingfile:"$disk" > +virt-customize -a "$disk" \ > + --edit /etc/selinux/config:"s,^SELINUXTYPE=,#&,g" \ > + --selinux-relabel > + > +rm "$disk" "$disk_overlay"ACK, thanks. Rich. -- Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones Read my programming and virtualization blog: http://rwmj.wordpress.com virt-p2v converts physical machines to virtual machines. 
Boot with a live CD or over the network (PXE) and turn machines into KVM guests. http://libguestfs.org/virt-v2v
Possibly Parallel Threads
- [PATCH] customize: avoid Array.mem for now
- [PATCH libguestfs-common 1/2] mlcustomize: Refactor SELinux_relabel code.
- [common PATCH 0/3] SELinux_relabel: relabel only if enforcing (RHBZ#1828952)
- [PATCH 2/2] Use setfiles from the appliance for the SELinux relabel (RHBZ#1089100).
- [PATCH libguestfs-common 2/2] mlcustomize: Fall back to autorelabel if specfile does not exist (RHBZ#1828952).