search for: relabelling

the description of the --selinux-relabel option suggests that it perform an immediate relabel, when in fact it may (and probably will) instead simply touch /.autorelabel on the image, which schedules a relabel operation for the next time the image boots. This can be surprising because it results both in an extended initial boot time *and* results in an automatic reboot (on some distributions).

This shows which files are being relabelled. Also only use -q (suppress non-error output) when we are not verbose. --- daemon/selinux-relabel.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/daemon/selinux-relabel.c b/daemon/selinux-relabel.c index 2f48ee6..e7da42d 100644 --- a/daemon/selinux-relabel.c +++ b/daemon/selinux-relabel.c @@ -112,8 +112,11 @@

----- Original Message ----- > From: Martin Kletzander <mkletzan@redhat.com> > To: Cristian Ciupitu <cristian.ciupitu@yahoo.com> > Cc: Eric Blake <eblake@redhat.com>; libvirt-users <libvirt-users@redhat.com> > Sent: Tuesday, August 20, 2013 6:05 PM > Subject: Re: [libvirt-users] Stop the relabeling of CD images > > On 08/20/2013 04:19 AM, Cristian

----- Original Message ----- > From: Eric Blake <eblake@redhat.com> > To: Cristian Ciupitu <cristian.ciupitu@yahoo.com> > Cc: libvirt-users <libvirt-users@redhat.com> > Sent: Monday, August 19, 2013 11:24 PM > Subject: Re: [libvirt-users] Stop the relabeling of CD images > So maybe this would do it: > > <source file=...> >   <seclabel

...har *path) { - CLEANUP_FREE char *cmd = NULL, *out = NULL; - const char cmd_fmt[] = - "if load_policy && fixfiles restore; then\n" - " rm -f %.*s/.autorelabel\n" - "else\n" - " touch %.*s/.autorelabel\n" - " echo 'SELinux relabelling failed, will relabel at boot instead.'\n" - "fi\n"; - int len = strlen (root); - - if (root[len - 1] == '/') + int len = strlen (path); + if (path[len - 1] == '/') --len; + return len; +} + +int +do_selinux_relabel (const char *root) +{ + CLEANUP_FRE...

...mailing list. ] One thing that virt-customize/virt-sysprep/virt-builder have to do is relabel SELinux guests. What we do at the moment is run: if load_policy && fixfiles restore; then rm -f /.autorelabel else touch /.autorelabel echo '%s: SELinux relabelling failed, will relabel at boot instead.' fi while chrooted into the guest (using the 'guestfs_sh' API). This has a number of problems: - It has to load the policy using 'load_policy', but this doesn't work sometimes: * RHEL 5 load_policy takes a parameter....

Hi, I'm installing the operating system for my virtual machines from CD images and I would like for libvirtd to stop relabeling the corresponding files.  Since the installation media is no big secret, I have labeled the files with system_u:object_r:public_content_t:s0, but libvirtd keeps changing them to system_u:object_r:svirt_image_t:s0.  It also changes the ownership to qemu:qemu.  This

On Sun, Dec 24, 2017 at 3:49 PM, Richard W.M. Jones <rjones@redhat.com> wrote: > On Sun, Dec 24, 2017 at 02:15:44PM +0200, Yaniv Kaul wrote: > > I'm copying a file into a VM using virt-copy-in - which is great, but the > > file is wrongly labeled. > > How can I fix that? > > Hi Yaniv, > > The easiest thing is to run this after doing the virt-copy-in:

...the guest. *) diff --git a/customize/customize_run.ml b/customize/customize_run.ml index b96e40c..6f0d615 100644 --- a/customize/customize_run.ml +++ b/customize/customize_run.ml @@ -414,19 +414,7 @@ exec >>%s 2>&1 if ops.flags.selinux_relabel then ( message (f_"SELinux relabelling"); - if guest_arch_compatible then ( - let cmd = sprintf " - if load_policy && fixfiles restore; then - rm -f /.autorelabel - else - touch /.autorelabel - echo '%s: SELinux relabelling failed, will relabel at boot instead.'...

...Pino Toscano wrote: > On Tuesday, 6 February 2018 16:40:04 CET Daniel P. Berrangé wrote: >> When you tell virt-builder to install extra RPMs, this potentially >> looses the SELinux labelling that Anaconda had originally setup. Thus we >> must tell virt-builder to enable SELinux relabelling. >> >> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> >> --- >> lib/Sys/Virt/TCK.pm | 2 +- >> 1 file changed, 1 insertion(+), 1 deletion(-) >> >> diff --git a/lib/Sys/Virt/TCK.pm b/lib/Sys/Virt/TCK.pm >> index e9da8d2..b39f578 100644...

Continuation/rework of: https://www.redhat.com/archives/libguestfs/2020-May/msg00020.html This is my approach, as I explained here: https://bugzilla.redhat.com/show_bug.cgi?id=1828952#c4 https://www.redhat.com/archives/libguestfs/2020-May/msg00035.html IOW: do not attempt to relabel if the guest is not enforcing, as it is either useless or may fail; few words more are in the comments of patch #3.

...this that I saw in the past. > > In permissive mode, all these situation are logged in the audit log, > yes, but they cause no blocks nor errors. > > > It's also fine for an administrator to > > switch a system to permissive and then back to enforcing without > > relabelling or rebooting. > > A mislabelled /etc/passwd is still read and used fine in permissive > mode. Switch back from permissive to enforcing without a relabelling > is generally not a good idea, especially after the system ran for a > lot of time after the switch to permissive. It's...

...g "enforcing", "permissive", > + * "disabled". > + * Use "disabled" if not specified, just like libselinux seems to do. > + *) > + let typ = read_selinux_config_key g "SELINUX" "disabled" in > + (* Do not attempt any relabelling if the SELinux is not "enforcing": > + * - in "permissive" mode SELinux is still running, however nothing is > + * enforced: this means labels can be wrong, and "it is fine" I don't think it's fine. As I showed here: https://www.redhat.com/archiv...

On Thu, Mar 24, 2016 at 03:21:45PM -0400, Lars Kellogg-Stedman wrote: > the description of the --selinux-relabel option suggests that it > perform an immediate relabel, when in fact it may (and probably will) > instead simply touch /.autorelabel on the image, which schedules a > relabel operation for the next time the image boots. This can be > surprising because it results both in

On 08/19/2013 01:51 PM, Cristian Ciupitu wrote: > Hi, > > I'm installing the operating system for my virtual machines from CD > images and I would like for libvirtd to stop relabeling the > corresponding files. Since the installation media is no big secret, I > have labeled the files with system_u:object_r:public_content_t:s0, but > libvirtd keeps changing them to

...man), launch the container as container_t:s0:$MCS. libvirtd > *and* QEMU thus both run as container_t:s0:$MCS. ie All the labelling > is setup when the container is launched and libvirtd should not do > anything. > > So I'm really not sure why you have libvirtd configured to do relabelling > at all ? I'd be expecting it to have security_driver=none in the qemu.conf > file so that libvirtd doesn't do anything. > I checked the dumpxml of the virt-launcher pod (that runs the qemu in kubevirt) - it has dynamic policy. <seclabel type='dynamic' model='da...

On Tue, Jul 14, 2020 at 3:33 PM Daniel P. Berrangé <berrange@redhat.com> wrote: > On Tue, Jul 14, 2020 at 03:21:17PM +0300, Ram Lavi wrote: > > Hello all, > > > > tl;dr, can you point me to the point in the libvirt repo where it's > trying > > to change a tap-device's SELinux label? > > > > I am trying to create a tap device with libvirt on

Do SELinux relabelling properly.

On Tuesday 27 May 2014 09:08:27 Richard W.M. Jones wrote: > On Mon, May 26, 2014 at 11:21:59AM +0200, Pino Toscano wrote: > > Rewrite the relabel API to read the policy configured in the guest, > > invoking setfiles (added as part of the appliance, as part of > > policycoreutils) to relabel the specified root. In case of failure > > at > > any point of the process,

I have 4000 observations that I need to randomly relabel 1000 times and then calculate the mean of the 1000 values at each of the 4000 points. Any ideas for where to begin? Thanks Kevin -- View this message in context: http://r.789695.n4.nabble.com/Random-Relabelling-tp3463100p3463100.html Sent from the R help mailing list archive at Nabble.com.