search for: is_selinux_guest

Continuation/rework of: https://www.redhat.com/archives/libguestfs/2020-May/msg00020.html This is my approach, as I explained here: https://bugzilla.redhat.com/show_bug.cgi?id=1828952#c4 https://www.redhat.com/archives/libguestfs/2020-May/msg00035.html IOW: do not attempt to relabel if the guest is not enforcing, as it is either useless or may fail; few words more are in the comments of patch #3.

...debug_augeas_errors g; - - (* Get the SELinux policy name, eg. "targeted", "minimum". - * Use "targeted" if not specified, just like libselinux does. +let rec relabel (g : G.guestfs) = + (* Is the guest using SELinux? (Otherwise this is a no-op). *) + if is_selinux_guest g then ( + try + use_setfiles g; + (* That worked, so we don't need to autorelabel. *) + g#rm_f "/.autorelabel" + with Failure _ -> + (* This is the fallback in case something in the setfiles + * method didn't work. That includes the case where...

...nd other things. > *) > g#touch "/.autorelabel" > + | SELinux_not_enforcing -> > + (* This means that SELinux was not configured to be in enforcing mode, > + * so silently accept this. > + *) > + () > ) > > and is_selinux_guest g = > @@ -59,6 +68,21 @@ and use_setfiles g = > g#aug_load (); > debug_augeas_errors g; > > + (* Get the SELinux enforcing mode, eg "enforcing", "permissive", > + * "disabled". > + * Use "disabled" if not specified, just like...

...x * host is processing an SELinux guest, and other things. *) g#touch "/.autorelabel" + | SELinux_not_enforcing -> + (* This means that SELinux was not configured to be in enforcing mode, + * so silently accept this. + *) + () ) and is_selinux_guest g = @@ -59,6 +68,21 @@ and use_setfiles g = g#aug_load (); debug_augeas_errors g; + (* Get the SELinux enforcing mode, eg "enforcing", "permissive", + * "disabled". + * Use "disabled" if not specified, just like libselinux seems to do. + *) +...

...g#touch "/.autorelabel" > > + | SELinux_not_enforcing -> > > + (* This means that SELinux was not configured to be in enforcing mode, > > + * so silently accept this. > > + *) > > + () > > ) > > > > and is_selinux_guest g = > > @@ -59,6 +68,21 @@ and use_setfiles g = > > g#aug_load (); > > debug_augeas_errors g; > > > > + (* Get the SELinux enforcing mode, eg "enforcing", "permissive", > > + * "disabled". > > + * Use "disable...