search for: relabel

Displaying 20 results from an estimated 450 matches for "relabel".

2016 Mar 24
1
[PATCH] document behavior of --selinux-relabel
the description of the --selinux-relabel option suggests that it perform an immediate relabel, when in fact it may (and probably will) instead simply touch /.autorelabel on the image, which schedules a relabel operation for the next time the image boots. This can be surprising because it results both in an extended initial boot time...
2013 Aug 20
1
Re: Stop the relabeling of CD images
...> From: Martin Kletzander <mkletzan@redhat.com> > To: Cristian Ciupitu <cristian.ciupitu@yahoo.com> > Cc: Eric Blake <eblake@redhat.com>; libvirt-users <libvirt-users@redhat.com> > Sent: Tuesday, August 20, 2013 6:05 PM > Subject: Re: [libvirt-users] Stop the relabeling of CD images > > On 08/20/2013 04:19 AM, Cristian Ciupitu wrote: >> ----- Original Message ----- >>> From: Eric Blake <eblake@redhat.com> >>> To: Cristian Ciupitu <cristian.ciupitu@yahoo.com> >>> Cc: libvirt-users <libvirt-users@redha...
2017 Mar 20
2
[PATCH] daemon: selinux: Add setfiles -vv flags when verbose.
This shows which files are being relabelled. Also only use -q (suppress non-error output) when we are not verbose. --- daemon/selinux-relabel.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/daemon/selinux-relabel.c b/daemon/selinux-relabel.c index 2f48ee6..e7da42d 100644 --- a/daemon&...
2013 Aug 20
2
Re: Stop the relabeling of CD images
----- Original Message ----- > From: Eric Blake <eblake@redhat.com> > To: Cristian Ciupitu <cristian.ciupitu@yahoo.com> > Cc: libvirt-users <libvirt-users@redhat.com> > Sent: Monday, August 19, 2013 11:24 PM > Subject: Re: [libvirt-users] Stop the relabeling of CD images > So maybe this would do it: > > <source file=...> >   <seclabel model='selinux' relabel='no'/> >   <seclabel model='dac' relabel='no'/> > </source> I've just tried it and the SELinux label i...
2014 May 26
2
[PATCH 2/2] Use setfiles from the appliance for the SELinux relabel (RHBZ#1089100).
Rewrite the relabel API to read the policy configured in the guest, invoking setfiles (added as part of the appliance, as part of policycoreutils) to relabel the specified root. In case of failure at any point of the process, a touch of .autorelabel in the root is tried as last-attempt measure to do the relabel. Cons...
2014 May 24
9
SELinux relabel API
...us private email, IRC, and this long bugzilla thread: https://bugzilla.redhat.com/show_bug.cgi?id=1060423 That's not how we should do things. Let's discuss it on the mailing list. ] One thing that virt-customize/virt-sysprep/virt-builder have to do is relabel SELinux guests. What we do at the moment is run: if load_policy && fixfiles restore; then rm -f /.autorelabel else touch /.autorelabel echo '%s: SELinux relabelling failed, will relabel at boot instead.' fi while chrooted into the...
2013 Aug 19
2
Stop the relabeling of CD images
Hi, I'm installing the operating system for my virtual machines from CD images and I would like for libvirtd to stop relabeling the corresponding files.  Since the installation media is no big secret, I have labeled the files with system_u:object_r:public_content_t:s0, but libvirtd keeps changing them to system_u:object_r:svirt_image_t:s0.  It also changes the ownership to qemu:qemu.  This means that I can not make the f...
2017 Dec 24
2
Re: virt-copy-in - how do I get the selinux relabeling done for the file?
...ote: > > I'm copying a file into a VM using virt-copy-in - which is great, but the > > file is wrongly labeled. > > How can I fix that? > > Hi Yaniv, > > The easiest thing is to run this after doing the virt-copy-in: > > virt-customize -a disk.img --selinux-relabel > > which will run this code: > > https://github.com/libguestfs/libguestfs/blob/master/ > customize/SELinux_relabel.ml#L27 > > That requires an extra launch of the appliance, so if you were very > concerned about doing this most efficiently...
2020 Sep 23
6
[common PATCH 0/3] SELinux_relabel: relabel only if enforcing (RHBZ#1828952)
...47;www.redhat.com/archives/libguestfs/2020-May/msg00020.html This is my approach, as I explained here: https://bugzilla.redhat.com/show_bug.cgi?id=1828952#c4 https://www.redhat.com/archives/libguestfs/2020-May/msg00035.html IOW: do not attempt to relabel if the guest is not enforcing, as it is either useless or may fail; few words more are in the comments of patch #3. Pino Toscano (2): mlcustomize: refactor reading from /etc/selinux/config mlcustomize: do not relabel if not enforcing (RHBZ#1828952) Richard W.M. Jones (1): mlcust...
2016 Jul 14
0
[PATCH v2 4/7] customize: Add module for doing SELinux relabel of filesystem.
This implements the --selinux-relabel option for virt-customize, virt-builder and virt-sysprep. There is no need to autorelabel functionality now. Thanks: Stephen Smalley --- builder/Makefile.am | 1 + builder/virt-builder.pod | 20 +++++++++---------- customize/Makefile.am | 2 ++ customize/...
2018 Feb 06
2
Re: [libvirt] [PATCH tck] Relabel SELinux when customizing virt-builder image
...Pino Toscano wrote: > On Tuesday, 6 February 2018 16:40:04 CET Daniel P. Berrangé wrote: >> When you tell virt-builder to install extra RPMs, this potentially >> looses the SELinux labelling that Anaconda had originally setup. Thus we >> must tell virt-builder to enable SELinux relabelling. >> >> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> >> --- >> lib/Sys/Virt/TCK.pm | 2 +- >> 1 file changed, 1 insertion(+), 1 deletion(-) >> >> diff --git a/lib/Sys/Virt/TCK.pm b/lib/Sys/Virt...
2020 Sep 24
3
Re: [common PATCH 3/3] mlcustomize: do not relabel if not enforcing (RHBZ#1828952)
On Wed, Sep 23, 2020 at 05:57:50PM +0200, Pino Toscano wrote: > Do not attempt to relabel a guest in case its SELinux enforcing mode is > not "enforcing", as it is either pointless, or it may fail because of an > invalid policy configured. > --- > mlcustomize/SELinux_relabel.ml | 26 +++++++++++++++++++++++++- > 1 file changed, 25 insertions(+), 1 deletion(...
2020 Sep 24
2
Re: [common PATCH 3/3] mlcustomize: do not relabel if not enforcing (RHBZ#1828952)
...r:user_tmp_t:s0 0 Sep 24 12:26 /tmp/test > $ mv /tmp/test ~/var/ > $ ls -lZ ~/var/test > -rw-rw-r--. 1 ptoscano ptoscano unconfined_u:object_r:user_tmp_t:s0 0 Sep 24 12:26 /home/ptoscano/var/test > $ restorecon -v ~/var/test > Relabeled /home/ptoscano/var/test from unconfined_u:object_r:user_tmp_t:s0 to unconfined_u:object_r:user_home_t:s0 > $ ls -lZ ~/var/test > -rw-rw-r--. 1 ptoscano ptoscano unconfined_u:object_r:user_home_t:s0 0 Sep 24 12:26 /home/ptoscano/var/test That's d...
2020 Jul 16
1
Re: SELinux labels change in libvirt
...virtd is running under prevents it from > > > re-labelling, then TAP devices label failure is just going to be one > > > out of 100's of labelling failures. > > > > > IIUC normally libvirtd would use devices created by itself, so there > > shouldn't be relabeling failures, right? > > Whether or not there are relabeling failures is determined by what > SELinux policy libvirtd is running under. > > > > > > > Either the SELinux policy needs to be changed to allow libvirtd to > > > relabel stuff in the normal manner, or...
2020 Jul 14
2
Re: SELinux labels change in libvirt
...libvirt? > > If the SELinux policy that libvirtd is running under prevents it from > re-labelling, then TAP devices label failure is just going to be one > out of 100's of labelling failures. > IIUC normally libvirtd would use devices created by itself, so there shouldn't be relabeling failures, right? > > Either the SELinux policy needs to be changed to allow libvirtd to > relabel stuff in the normal manner, or you will have to turn off > SELinux support in libvirtd. in /etc/libvirt/qemu.conf via the > param security_driver = "none". If...
2016 Mar 24
0
Re: [PATCH] document behavior of --selinux-relabel
On Thu, Mar 24, 2016 at 03:21:45PM -0400, Lars Kellogg-Stedman wrote: > the description of the --selinux-relabel option suggests that it > perform an immediate relabel, when in fact it may (and probably will) > instead simply touch /.autorelabel on the image, which schedules a > relabel operation for the next time the image boots. This can be > surprising because it results both in an extende...
2013 Aug 19
0
Re: Stop the relabeling of CD images
On 08/19/2013 01:51 PM, Cristian Ciupitu wrote: > Hi, > > I'm installing the operating system for my virtual machines from CD > images and I would like for libvirtd to stop relabeling the > corresponding files. Since the installation media is no big secret, I > have labeled the files with system_u:object_r:public_content_t:s0, but > libvirtd keeps changing them to system_u:object_r:svirt_image_t:s0. It > also changes the ownership to qemu:qemu. This means that...
2014 Jan 24
2
[PATCH 0/2] Implement virt-builder --selinux-relabel option.
Do SELinux relabelling properly.
2014 May 27
3
Re: [PATCH 2/2] Use setfiles from the appliance for the SELinux relabel (RHBZ#1089100).
On Tuesday 27 May 2014 09:08:27 Richard W.M. Jones wrote: > On Mon, May 26, 2014 at 11:21:59AM +0200, Pino Toscano wrote: > > Rewrite the relabel API to read the policy configured in the guest, > > invoking setfiles (added as part of the appliance, as part of > > policycoreutils) to relabel the specified root. In case of failure > > at > > any point of the process, a touch of .autorelabel in the root is > > trie...
2018 Feb 07
0
Re: [libvirt] [PATCH tck] Relabel SELinux when customizing virt-builder image
...> > On Tuesday, 6 February 2018 16:40:04 CET Daniel P. Berrangé wrote: > >> When you tell virt-builder to install extra RPMs, this potentially > >> looses the SELinux labelling that Anaconda had originally setup. Thus we > >> must tell virt-builder to enable SELinux relabelling. > >> > >> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> > >> --- > >> lib/Sys/Virt/TCK.pm | 2 +- > >> 1 file changed, 1 insertion(+), 1 deletion(-) > >> > >> diff --git a/lib/Sys/Virt/T...