Richard W.M. Jones
2022-May-24 10:04 UTC
[Libguestfs] SELinux relabeling: do it by default
So I didn't realise that these commits break --selinux-relabel, eg: $ rpm -q guestfs-tools guestfs-tools-1.49.1-1.fc37.x86_64 $ virt-builder fedora-36 --selinux-relabel virt-builder: unrecognized option '--selinux-relabel' Try ?virt-builder --help? or consult virt-builder(1) for more information. This is kind of bad since it breaks existing scripts. We just had a bug report about this from someone who is testing CentOS Stream 9.1 (where I backported the patches already). This option should continue to exist, but do nothing. Rich. -- Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones Read my programming and virtualization blog: http://rwmj.wordpress.com nbdkit - Flexible, fast NBD server with plugins https://gitlab.com/nbdkit/nbdkit
Richard W.M. Jones
2022-May-24 12:28 UTC
[Libguestfs] SELinux relabeling: do it by default
On Tue, May 24, 2022 at 11:04:49AM +0100, Richard W.M. Jones wrote:> So I didn't realise that these commits break --selinux-relabel, eg: > > $ rpm -q guestfs-tools > guestfs-tools-1.49.1-1.fc37.x86_64 > $ virt-builder fedora-36 --selinux-relabel > virt-builder: unrecognized option '--selinux-relabel' > Try ?virt-builder --help? or consult virt-builder(1) for more information. > > This is kind of bad since it breaks existing scripts. We just had a > bug report about this from someone who is testing CentOS Stream 9.1 > (where I backported the patches already). > > This option should continue to exist, but do nothing.RHEL 9.1 bug: https://bugzilla.redhat.com/show_bug.cgi?id=2089748 Rich. -- Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones Read my programming and virtualization blog: http://rwmj.wordpress.com nbdkit - Flexible, fast NBD server with plugins https://gitlab.com/nbdkit/nbdkit
On 05/24/22 12:04, Richard W.M. Jones wrote:> So I didn't realise that these commits break --selinux-relabel, eg: > > $ rpm -q guestfs-tools > guestfs-tools-1.49.1-1.fc37.x86_64 > $ virt-builder fedora-36 --selinux-relabel > virt-builder: unrecognized option '--selinux-relabel' > Try ?virt-builder --help? or consult virt-builder(1) for more > information. > > This is kind of bad since it breaks existing scripts.I carefully highlighted it in the cover letter: https://listman.redhat.com/archives/libguestfs/2022-May/028826.html> I've intentionally avoided introducing "--no-selinux-relabel" *in > addition* to "--selinux-relabel". While some utilities support a > similar dual form (such as virt-builder's "--network" and > "--no-network"), with one being the default, those options are special > in that they are *not shared* between different utilities, and they > are not generated by the generator in libguestfs. The key difference > is that the *non-shared* options use Getopt.Set and Getopt.Clear on > the *same* boolean reference cell, whereas the generator introduces a > *separate* boolean reference cell for each option it generates (and > then it uses *either* Getopt.Clear *or* Getopt.Set when the option is > passed on the command line, dependent on the default value of the > reference cell). This means that "--no-selinux-relabel" and > "--selinux-relabel", if they both existed, would work on different > booleans, and that would be the source of a lot of fun (priority? > command line order? documentation? etc etc). So, nope to that.On 05/24/22 12:04, Richard W.M. Jones wrote:> We just had a bug report about this from someone who is testing CentOS > Stream 9.1 (where I backported the patches already). > > This option should continue to exist, but do nothing.The problems I outlined above remain. What happens if someone passes both options? Are we supposed to continue documenting "--selinux-relabel"? Thanks Laszlo