Andrey Drobyshev
2023-Apr-21 18:01 UTC
[Libguestfs] [COMMON PATCH 1/1] mlcustomize: skip SELinux relabeling if it's disabled
From: Roman Kagan <rkagan at virtuozzo.com> Even if SELinux config file and policy tools are present, SELinux may be turned off by a setting in that config file, "SELINUX", having a value of "disabled". Detect this case and skip relabeling. Signed-off-by: Roman Kagan <rkagan at virtuozzo.com> --- mlcustomize/SELinux_relabel.ml | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/mlcustomize/SELinux_relabel.ml b/mlcustomize/SELinux_relabel.ml index 5ecf7bd..df1de7b 100644 --- a/mlcustomize/SELinux_relabel.ml +++ b/mlcustomize/SELinux_relabel.ml @@ -59,14 +59,24 @@ and use_setfiles g g#aug_load (); debug_augeas_errors g; + let config_path = "/files/etc/selinux/config" in + let config_keys = g#aug_ls config_path in + (* SELinux may be disabled via a setting in config file *) + let selinux_disabled + let selinuxmode_path = config_path ^ "/SELINUX" in + if array_find selinuxmode_path config_keys then + g#aug_get selinuxmode_path = "disabled" + else + false in + if selinux_disabled then + failwith "selinux disabled"; + (* Get the SELinux policy name, eg. "targeted", "minimum". * Use "targeted" if not specified, just like libselinux does. *) let policy - let config_path = "/files/etc/selinux/config" in let selinuxtype_path = config_path ^ "/SELINUXTYPE" in - let keys = g#aug_ls config_path in - if array_find selinuxtype_path keys then + if array_find selinuxtype_path config_keys then g#aug_get selinuxtype_path else "targeted" in -- 2.31.1
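Review bot: the `failwith "selinux disabled"` in the new `if selinux_disabled then` branch reports the disabled case as a failure, while the commit message describes it as skipping relabeling, and the code that handles this exception is not part of the hunk. It is worth confirming that whatever catches a failure from use_setfiles treats this one as a clean no-op and does not turn it into an error or into another relabeling path. A short comment beside the failwith saying where it is caught would make the intent clear.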
Richard W.M. Jones
2023-Apr-22 08:03 UTC
[Libguestfs] [COMMON PATCH 1/1] mlcustomize: skip SELinux relabeling if it's disabled
On Fri, Apr 21, 2023 at 09:01:41PM +0300, Andrey Drobyshev wrote:
> From: Roman Kagan <rkagan at virtuozzo.com> > > Even if SELinux config file and policy tools are present, SELinux may be > turned off by a setting in that config file, "SELINUX", having a value > of "disabled". > > Detect this case and skip relabeling. > > Signed-off-by: Roman Kagan <rkagan at virtuozzo.com> > --- > mlcustomize/SELinux_relabel.ml | 16 +++++++++++++--- > 1 file changed, 13 insertions(+), 3 deletions(-) > > diff --git a/mlcustomize/SELinux_relabel.ml b/mlcustomize/SELinux_relabel.ml > index 5ecf7bd..df1de7b 100644 > --- a/mlcustomize/SELinux_relabel.ml > +++ b/mlcustomize/SELinux_relabel.ml 
> @@ -59,14 +59,24 @@ and use_setfiles g > g#aug_load (); > debug_augeas_errors g; > > + let config_path = "/files/etc/selinux/config" in > + let config_keys = g#aug_ls config_path in > + (* SELinux may be disabled via a setting in config file *) > + let selinux_disabled > + let selinuxmode_path = config_path ^ "/SELINUX" in > + if array_find selinuxmode_path config_keys then > + g#aug_get selinuxmode_path = "disabled" > + else > + false in > + if selinux_disabled then > + failwith "selinux disabled"; > + > (* Get the SELinux policy name, eg. "targeted", "minimum". > * Use "targeted" if not specified, just like libselinux does. > *) > let policy > - let config_path = "/files/etc/selinux/config" in > let selinuxtype_path = config_path ^ "/SELINUXTYPE" in > - let keys = g#aug_ls config_path in > - if array_find selinuxtype_path keys then > + if array_find selinuxtype_path config_keys then > g#aug_get selinuxtype_path > else > "targeted" in

ACK

I'll push this soon. I want to also get rid of that array_find function. No longer needed since we assume OCaml >= 4.03 everywhere now ...

Rich.

--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
libguestfs lets you edit virtual machines. Supports shell scripting,
bindings from many languages. http://libguestfs.org
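Review bot: the check `g#aug_get selinuxmode_path = "disabled"` is an exact, case-sensitive string comparison, so a value written with different case or stray whitespace would not match and relabeling would proceed as before. If such values can occur in guest config files, normalise the value before comparing (for example lowercase it first), or state in the comment above `selinux_disabled` that only the literal lowercase value is recognised.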
Richard W.M. Jones
2023-Apr-22 08:09 UTC
[Libguestfs] [COMMON PATCH 1/1] mlcustomize: skip SELinux relabeling if it's disabled
Upstream in libguestfs-common: 70c10a079..38e6988c1
and in virt-v2v: 6db3b26d2f..e83de8abe6

Rich.

--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-builder quickly builds VMs from scratch
http://libguestfs.org/virt-builder.1.html