search for: autorelabel

...doing a Google search, I came across a fix (lost the site unfortunately) and as I recall, it has something to do with copying a file and having the incorrect SElinux settings (I have SElinux disabled). The fix was to do a fixfiles, relabel (commands that I have never used) or a touch of "/.autorelabel" and rebooting. It worked, but I have no idea of what I did (my lack of in depth knowledge of Linux). Todd ** -- Ariste Software 200 D Street Ext Petaluma, CA 94952 (707) 773-4523 -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.centos.org/...

I'm trying to find a way to exclude file systems during the autorelabel process. I have a file system (/exports) that has tens of millions of files on it and I *know* I don't want it relabeled. I've tried semanage fcontext -a -t "<<none>>" "/exports(/.*)?" and it seems to insist on relabeling that file system. I also tried to...

Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1212807

This implements the --selinux-relabel option for virt-customize, virt-builder and virt-sysprep. There is no need to autorelabel functionality now. Thanks: Stephen Smalley --- builder/Makefile.am | 1 + builder/virt-builder.pod | 20 +++++++++---------- customize/Makefile.am | 2 ++ customize/SELinux_relabel.ml | 46 +++++++++++++++++++++++++++++++++++++++++++ customize/SELinux_relabel.mli | 23 ++...

...i?id=1828952#c2 If SELINUXTYPE is set to some value other than targeted then we look for a directory /etc/selinux/<SELINUXTYPE> which does not exist. However this should not cause a fatal error. Using setfiles to do the relabelling immediately is a nice-to-have, but we can fallback to using autorelabel if we're unable to achieve it. --- mlcustomize/SELinux_relabel.ml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/mlcustomize/SELinux_relabel.ml b/mlcustomize/SELinux_relabel.ml index 5df1f08..5ecf7bd 100644 --- a/mlcustomize/SELinux_relabel.ml +++ b/mlcustomize/SELinux_relabel.ml @@...

...forcing, go ahead with the current relabeling: check SELINUXTYPE, get the policy path, etc; if set like this, then most probably the SELINUXTYPE points to a valid policy, otherwise the guest would not even boot - if permissive or disabled, do not perform any relabeling, including touching /.autorelabel; this is because SELinux was disabled, so attempting any relabeling might result in failures -- Pino Toscano

...e current relabeling: check SELINUXTYPE, > get the policy path, etc; if set like this, then most probably the > SELINUXTYPE points to a valid policy, otherwise the guest would not > even boot > - if permissive or disabled, do not perform any relabeling, including > touching /.autorelabel; this is because SELinux was disabled, so > attempting any relabeling might result in failures Permissive and disabled seem to be different cases. If it's permissive then SELinux is still "running" (but not enforcing decisions). I think the critical thing is actually what SELi...

...quot;. - * Use "targeted" if not specified, just like libselinux does. +let rec relabel (g : G.guestfs) = + (* Is the guest using SELinux? (Otherwise this is a no-op). *) + if is_selinux_guest g then ( + try + use_setfiles g; + (* That worked, so we don't need to autorelabel. *) + g#rm_f "/.autorelabel" + with Failure _ -> + (* This is the fallback in case something in the setfiles + * method didn't work. That includes the case where a non-SELinux + * host is processing an SELinux guest, and other things. *) - let...

A common problem that people have with virt-builder and virt-sysprep is which guests that use SELinux, like Fedora and RHEL. In both cases we touch /.autorelabel in the guest, which means the guest has to reboot once during its first boot. Recap: SELinux file labels -------------------------- SELinux requires that files have labels. Access to a file is controlled by the label on that file. For example: $ ls -lZ /etc/passwd -rw-r--r--. root root system_...

Continuation/rework of: https://www.redhat.com/archives/libguestfs/2020-May/msg00020.html This is my approach, as I explained here: https://bugzilla.redhat.com/show_bug.cgi?id=1828952#c4 https://www.redhat.com/archives/libguestfs/2020-May/msg00035.html IOW: do not attempt to relabel if the guest is not enforcing, as it is either useless or may fail; few words more are in the comments of patch #3.

...customize/customize_run.ml +++ b/customize/customize_run.ml @@ -338,15 +338,19 @@ exec >>%s 2>&1 if ops.flags.selinux_relabel then ( msg (f_"SELinux relabelling"); - let cmd = sprintf " - if load_policy && fixfiles restore; then - rm -f /.autorelabel - else - touch /.autorelabel - echo '%s: SELinux relabelling failed, will relabel at boot instead.' - fi - " prog in - do_run ~display:"load_policy && fixfiles restore" cmd + if guest_arch_compatible then ( + let cmd = sprintf &qu...

Rewrite the relabel API to read the policy configured in the guest, invoking setfiles (added as part of the appliance, as part of policycoreutils) to relabel the specified root. In case of failure at any point of the process, a touch of .autorelabel in the root is tried as last-attempt measure to do the relabel. Considering that running SELinux tools in the appliance might be affected by the SELinux state (leading to wrong results), selinux_relabel now bails out if SELinux is enabled in the appliance. As a result of this, virt-builder and vir...

...423 That's not how we should do things. Let's discuss it on the mailing list. ] One thing that virt-customize/virt-sysprep/virt-builder have to do is relabel SELinux guests. What we do at the moment is run: if load_policy && fixfiles restore; then rm -f /.autorelabel else touch /.autorelabel echo '%s: SELinux relabelling failed, will relabel at boot instead.' fi while chrooted into the guest (using the 'guestfs_sh' API). This has a number of problems: - It has to load the policy using 'load_policy', but th...

On Tue, 21 Jan 2014, Richard W.M. Jones wrote: > A common problem that people have with virt-builder and virt-sysprep > is which guests that use SELinux, like Fedora and RHEL. In both cases > we touch /.autorelabel in the guest, which means the guest has to > reboot once during its first boot. ... snip much analysis ... > (4) It can touch '/.autorelabel' which causes an SELinux enabled guest > to do a full filesystem relabel at first boot (followed by a > reboot). The initscript...

the description of the --selinux-relabel option suggests that it perform an immediate relabel, when in fact it may (and probably will) instead simply touch /.autorelabel on the image, which schedules a relabel operation for the next time the image boots. This can be surprising because it results both in an extended initial boot time *and* results in an automatic reboot (on some distributions). --- generator/customize.ml | 3 +++ 1 file changed, 3 insertions(+) d...

...) > + > (* Simple reimplementation of Array.mem, available only with OCaml >= 4.03. *) > let array_find a l = > List.mem a (Array.to_list l) > @@ -35,12 +38,18 @@ let rec relabel (g : G.guestfs) = > use_setfiles g; > (* That worked, so we don't need to autorelabel. *) > g#rm_f "/.autorelabel" > - with Failure _ -> > + with > + | Failure _ -> > (* This is the fallback in case something in the setfiles > * method didn't work. That includes the case where a non-SELinux > * host is...

Do SELinux relabelling properly.

...o signal a non-enforcing SELinux. *) + (* Simple reimplementation of Array.mem, available only with OCaml >= 4.03. *) let array_find a l = List.mem a (Array.to_list l) @@ -35,12 +38,18 @@ let rec relabel (g : G.guestfs) = use_setfiles g; (* That worked, so we don't need to autorelabel. *) g#rm_f "/.autorelabel" - with Failure _ -> + with + | Failure _ -> (* This is the fallback in case something in the setfiles * method didn't work. That includes the case where a non-SELinux * host is processing an SELinux guest, and ot...

...name is BennettHaselton. I wanted to edit this paragraph: "Note: When switching from Disabled to either Permissive or Enforcing mode, it is highly recommended that the system be rebooted and the filesystem relabeled." to add: "This can be accomplished with the commands touch /.autorelabel reboot If the file /.autorelabel exists at boot time, SELinux performs a filesystem relabel and then deletes /.autorelabel " Since the current page says to relabel the filesystem but doesn't say how to do it; the instructions are easy to find elsewhere on the web, but might as well put...

v1 -> v2: - Add simple test of the setfiles API. - Use SELinux_relabel module in virt-v2v (instead of touch /.autorelabel). - Small fixes. Rich.