search for: relabelling

Displaying 20 results from an estimated 450 matches for "relabelling".

2016 Mar 24
1
[PATCH] document behavior of --selinux-relabel
the description of the --selinux-relabel option suggests that it perform an immediate relabel, when in fact it may (and probably will) instead simply touch /.autorelabel on the image, which schedules a relabel operation for the next time the image boots. This can be surprising because it results both in an extended initial boot time *and* results in an automatic reboot (on some
2013 Aug 20
1
Re: Stop the relabeling of CD images
----- Original Message ----- > From: Martin Kletzander <mkletzan@redhat.com> > To: Cristian Ciupitu <cristian.ciupitu@yahoo.com> > Cc: Eric Blake <eblake@redhat.com>; libvirt-users <libvirt-users@redhat.com> > Sent: Tuesday, August 20, 2013 6:05 PM > Subject: Re: [libvirt-users] Stop the relabeling of CD images > > On 08/20/2013 04:19 AM,
2017 Mar 20
2
[PATCH] daemon: selinux: Add setfiles -vv flags when verbose.
This shows which files are being relabelled. Also only use -q (suppress non-error output) when we are not verbose. --- daemon/selinux-relabel.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/daemon/selinux-relabel.c b/daemon/selinux-relabel.c index 2f48ee6..e7da42d 100644 --- a/daemon/selinux-relabel.c +++ b/daemon/selinux-relabel.c
2013 Aug 20
2
Re: Stop the relabeling of CD images
----- Original Message ----- > From: Eric Blake <eblake@redhat.com> > To: Cristian Ciupitu <cristian.ciupitu@yahoo.com> > Cc: libvirt-users <libvirt-users@redhat.com> > Sent: Monday, August 19, 2013 11:24 PM > Subject: Re: [libvirt-users] Stop the relabeling of CD images > So maybe this would do it: > > <source file=...> >   <seclabel
2014 May 26
2
[PATCH 2/2] Use setfiles from the appliance for the SELinux relabel (RHBZ#1089100).
...h) { - CLEANUP_FREE char *cmd = NULL, *out = NULL; - const char cmd_fmt[] = - "if load_policy && fixfiles restore; then\n" - " rm -f %.*s/.autorelabel\n" - "else\n" - " touch %.*s/.autorelabel\n" - " echo 'SELinux relabelling failed, will relabel at boot instead.'\n" - "fi\n"; - int len = strlen (root); - - if (root[len - 1] == '/') + int len = strlen (path); + if (path[len - 1] == '/') --len; + return len; +} + +int +do_selinux_relabel (const char *root) +{ + CLE...
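Review bot: `path[len - 1]` in the added length helper is evaluated without first checking that `len` is greater than zero, so an empty `path` reads one byte before the start of the string; the removed code did the same with `root`. Guard the test, for example `if (len > 0 && path[len - 1] == '/')`, and consider keeping the `strlen` result in a `size_t` rather than assigning it straight to `int`.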
2014 May 24
9
SELinux relabel API
...] One thing that virt-customize/virt-sysprep/virt-builder have to do is relabel SELinux guests. What we do at the moment is run: if load_policy && fixfiles restore; then rm -f /.autorelabel else touch /.autorelabel echo '%s: SELinux relabelling failed, will relabel at boot instead.' fi while chrooted into the guest (using the 'guestfs_sh' API). This has a number of problems: - It has to load the policy using 'load_policy', but this doesn't work sometimes: * RHEL 5 load_policy takes a parameter....
2013 Aug 19
2
Stop the relabeling of CD images
Hi, I'm installing the operating system for my virtual machines from CD images and I would like for libvirtd to stop relabeling the corresponding files.  Since the installation media is no big secret, I have labeled the files with system_u:object_r:public_content_t:s0, but libvirtd keeps changing them to system_u:object_r:svirt_image_t:s0.  It also changes the ownership to qemu:qemu.  This
2017 Dec 24
2
Re: virt-copy-in - how do I get the selinux relabeling done for the file?
On Sun, Dec 24, 2017 at 3:49 PM, Richard W.M. Jones <rjones@redhat.com> wrote: > On Sun, Dec 24, 2017 at 02:15:44PM +0200, Yaniv Kaul wrote: > > I'm copying a file into a VM using virt-copy-in - which is great, but the > > file is wrongly labeled. > > How can I fix that? > > Hi Yaniv, > > The easiest thing is to run this after doing the virt-copy-in:
2020 Sep 23
6
[common PATCH 0/3] SELinux_relabel: relabel only if enforcing (RHBZ#1828952)
Continuation/rework of: https://www.redhat.com/archives/libguestfs/2020-May/msg00020.html This is my approach, as I explained here: https://bugzilla.redhat.com/show_bug.cgi?id=1828952#c4 https://www.redhat.com/archives/libguestfs/2020-May/msg00035.html IOW: do not attempt to relabel if the guest is not enforcing, as it is either
2016 Jul 14
0
[PATCH v2 4/7] customize: Add module for doing SELinux relabel of filesystem.
...customize/customize_run.ml b/customize/customize_run.ml index b96e40c..6f0d615 100644 --- a/customize/customize_run.ml +++ b/customize/customize_run.ml @@ -414,19 +414,7 @@ exec >>%s 2>&1 if ops.flags.selinux_relabel then ( message (f_"SELinux relabelling"); - if guest_arch_compatible then ( - let cmd = sprintf " - if load_policy && fixfiles restore; then - rm -f /.autorelabel - else - touch /.autorelabel - echo '%s: SELinux relabelling failed, will relabel at boot instea...
2018 Feb 06
2
Re: [libvirt] [PATCH tck] Relabel SELinux when customizing virt-builder image
...Pino Toscano wrote: > On Tuesday, 6 February 2018 16:40:04 CET Daniel P. Berrangé wrote: >> When you tell virt-builder to install extra RPMs, this potentially >> loses the SELinux labelling that Anaconda had originally set up. Thus we >> must tell virt-builder to enable SELinux relabelling. >> >> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> >> --- >> lib/Sys/Virt/TCK.pm | 2 +- >> 1 file changed, 1 insertion(+), 1 deletion(-) >> >> diff --git a/lib/Sys/Virt/TCK.pm b/lib/Sys/Virt/TC...
2020 Sep 24
3
Re: [common PATCH 3/3] mlcustomize: do not relabel if not enforcing (RHBZ#1828952)
...g "enforcing", "permissive", > + * "disabled". > + * Use "disabled" if not specified, just like libselinux seems to do. > + *) > + let typ = read_selinux_config_key g "SELINUX" "disabled" in > + (* Do not attempt any relabelling if the SELinux is not "enforcing": > + * - in "permissive" mode SELinux is still running, however nothing is > + * enforced: this means labels can be wrong, and "it is fine" I don't think it's fine. As I showed here: https://www.redhat.co...
2020 Sep 24
2
Re: [common PATCH 3/3] mlcustomize: do not relabel if not enforcing (RHBZ#1828952)
...this that I saw in the past. > > In permissive mode, all these situations are logged in the audit log, > yes, but they cause no blocks nor errors. > > > It's also fine for an administrator to > > switch a system to permissive and then back to enforcing without > > relabelling or rebooting. > > A mislabelled /etc/passwd is still read and used fine in permissive > mode. Switching back from permissive to enforcing without a relabelling > is generally not a good idea, especially after the system ran for a > lot of time after the switch to permissive. I...
2020 Jul 16
1
Re: SELinux labels change in libvirt
...man), launch the container as container_t:s0:$MCS. libvirtd > *and* QEMU thus both run as container_t:s0:$MCS. ie All the labelling > is set up when the container is launched and libvirtd should not do > anything. > > So I'm really not sure why you have libvirtd configured to do relabelling > at all? I'd be expecting it to have security_driver=none in the qemu.conf > file so that libvirtd doesn't do anything. > I checked the dumpxml of the virt-launcher pod (that runs the qemu in kubevirt) - it has dynamic policy. <seclabel type='dynamic' model='da...
2020 Jul 14
2
Re: SELinux labels change in libvirt
On Tue, Jul 14, 2020 at 3:33 PM Daniel P. Berrangé <berrange@redhat.com> wrote: > On Tue, Jul 14, 2020 at 03:21:17PM +0300, Ram Lavi wrote: > > Hello all, > > > > tl;dr, can you point me to the point in the libvirt repo where it's > trying > > to change a tap-device's SELinux label? > > > > I am trying to create a tap device with libvirt on
2016 Mar 24
0
Re: [PATCH] document behavior of --selinux-relabel
On Thu, Mar 24, 2016 at 03:21:45PM -0400, Lars Kellogg-Stedman wrote: > the description of the --selinux-relabel option suggests that it > perform an immediate relabel, when in fact it may (and probably will) > instead simply touch /.autorelabel on the image, which schedules a > relabel operation for the next time the image boots. This can be > surprising because it results
2013 Aug 19
0
Re: Stop the relabeling of CD images
On 08/19/2013 01:51 PM, Cristian Ciupitu wrote: > Hi, > > I'm installing the operating system for my virtual machines from CD > images and I would like for libvirtd to stop relabeling the > corresponding files. Since the installation media is no big secret, I > have labeled the files with system_u:object_r:public_content_t:s0, but > libvirtd keeps changing them
2014 Jan 24
2
[PATCH 0/2] Implement virt-builder --selinux-relabel option.
Do SELinux relabelling properly.
2014 May 27
3
Re: [PATCH 2/2] Use setfiles from the appliance for the SELinux relabel (RHBZ#1089100).
On Tuesday 27 May 2014 09:08:27 Richard W.M. Jones wrote: > On Mon, May 26, 2014 at 11:21:59AM +0200, Pino Toscano wrote: > > Rewrite the relabel API to read the policy configured in the guest, > > invoking setfiles (added as part of the appliance, as part of > > policycoreutils) to relabel the specified root. In case of failure > > at > > any point of the process,
2018 Feb 07
0
Re: [libvirt] [PATCH tck] Relabel SELinux when customizing virt-builder image
...> > On Tuesday, 6 February 2018 16:40:04 CET Daniel P. Berrangé wrote: > >> When you tell virt-builder to install extra RPMs, this potentially > >> loses the SELinux labelling that Anaconda had originally set up. Thus we > >> must tell virt-builder to enable SELinux relabelling. > >> > >> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> > >> --- > >> lib/Sys/Virt/TCK.pm | 2 +- > >> 1 file changed, 1 insertion(+), 1 deletion(-) > >> > >> diff --git a/lib/Sys/Virt/TCK.p...