search for: selinux_relabel

Instead of just documenting this bug, fix it in the file_contexts file. Replaces commit ad3c8fe7f49c4991e1aa536856a1a408f55d5409. --- customize/SELinux_relabel.ml | 19 +++++++++++++++++++ v2v/virt-v2v.pod | 11 ----------- 2 files changed, 19 insertions(+), 11 deletions(-) diff --git a/customize/SELinux_relabel.ml b/customize/SELinux_relabel.ml index fa9603c..69a4779 100644 --- a/customize/SELinux_relabel.ml +++ b/customize/SELinux_relabel.m...

...the guest is not enforcing, as it is either useless or may fail; few words more are in the comments of patch #3. Pino Toscano (2): mlcustomize: refactor reading from /etc/selinux/config mlcustomize: do not relabel if not enforcing (RHBZ#1828952) Richard W.M. Jones (1): mlcustomize: Refactor SELinux_relabel code. mlcustomize/SELinux_relabel.ml | 153 ++++++++++++++++++++------------- 1 file changed, 94 insertions(+), 59 deletions(-) -- 2.26.2

This shouldn't change the effect of this code. --- mlcustomize/SELinux_relabel.ml | 121 ++++++++++++++++++--------------- 1 file changed, 65 insertions(+), 56 deletions(-) diff --git a/mlcustomize/SELinux_relabel.ml b/mlcustomize/SELinux_relabel.ml index 44995df..5df1f08 100644 --- a/mlcustomize/SELinux_relabel.ml +++ b/mlcustomize/SELinux_relabel.ml @@ -28,65 +28,74 @@ mod...

...-selinux-relabel option for virt-customize, virt-builder and virt-sysprep. There is no need to autorelabel functionality now. Thanks: Stephen Smalley --- builder/Makefile.am | 1 + builder/virt-builder.pod | 20 +++++++++---------- customize/Makefile.am | 2 ++ customize/SELinux_relabel.ml | 46 +++++++++++++++++++++++++++++++++++++++++++ customize/SELinux_relabel.mli | 23 ++++++++++++++++++++++ customize/customize_run.ml | 14 +------------ generator/customize.ml | 4 ---- sysprep/Makefile.am | 1 + 8 files changed, 84 insertions(+), 27 deletions(-) creat...

Since it is available only in OCaml >= 4.03, which is higher than our requirement, add a simple reimplementation of it. Fixes commit 719d68fa247cc3885ecf7ec1c010faf83267d786. --- customize/SELinux_relabel.ml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/customize/SELinux_relabel.ml b/customize/SELinux_relabel.ml index e7d440c29..7cc166edb 100644 --- a/customize/SELinux_relabel.ml +++ b/customize/SELinux_relabel.ml @@ -24,6 +24,10 @@ open Printf module G = Guestfs +(*...

v1 -> v2: Match more specifically. Rich.

Instead of just documenting this bug, fix it in the file_contexts file. Replaces commit ad3c8fe7f49c4991e1aa536856a1a408f55d5409. --- customize/SELinux_relabel.ml | 20 ++++++++++++++++++++ v2v/virt-v2v.pod | 11 ----------- 2 files changed, 20 insertions(+), 11 deletions(-) diff --git a/customize/SELinux_relabel.ml b/customize/SELinux_relabel.ml index fa9603c..d3b9325 100644 --- a/customize/SELinux_relabel.ml +++ b/customize/SELinux_relabel....

...XTYPE is specified in /etc/config/selinux. Hence do the same here, instead of failing because of the missing key. Add a slow test for checking SELinux relabeling on a Fedora 27 guest, both with no changes, and with a modified configuration. --- customize/Makefile.am | 2 ++ customize/SELinux_relabel.ml | 14 ++++++++++-- customize/test-selinuxrelabel.sh | 49 ++++++++++++++++++++++++++++++++++++++++ 3 files changed, 63 insertions(+), 2 deletions(-) create mode 100755 customize/test-selinuxrelabel.sh diff --git a/customize/Makefile.am b/customize/Makefile.am index a22e25c46..7f18b2fc3 100...

On Wed, Sep 23, 2020 at 05:57:50PM +0200, Pino Toscano wrote: > Do not attempt to relabel a guest in case its SELinux enforcing mode is > not "enforcing", as it is either pointless, or it may fail because of an > invalid policy configured. > --- > mlcustomize/SELinux_relabel.ml | 26 +++++++++++++++++++++++++- > 1 file changed, 25 insertions(+), 1 deletion(-) > > diff --git a/mlcustomize/SELinux_relabel.ml b/mlcustomize/SELinux_relabel.ml > index 647aeda..db00e59 100644 > --- a/mlcustomize/SELinux_relabel.ml > +++ b/mlcustomize/SELinux_relabel.ml &gt...

...reutils) to relabel the specified root. In case of failure at any point of the process, a touch of .autorelabel in the root is tried as last-attempt measure to do the relabel. Considering that running SELinux tools in the appliance might be affected by the SELinux state (leading to wrong results), selinux_relabel now bails out if SELinux is enabled in the appliance. As a result of this, virt-builder and virt-customize explicitly disable it if the relabel is enabled. --- appliance/packagelist.in | 1 + builder/builder.ml | 5 +- customize/customize_main.ml | 5 +- daemon/selinux.c...

Nikita, Please take a look at the attached patch. I have rewritten it a little, and only lightly tested it. Rich.

On Monday, 6 March 2017 11:43:14 CET Richard W.M. Jones wrote: > Instead of just documenting this bug, fix it in the file_contexts > file. > > Replaces commit ad3c8fe7f49c4991e1aa536856a1a408f55d5409. > --- > customize/SELinux_relabel.ml | 19 +++++++++++++++++++ > v2v/virt-v2v.pod | 11 ----------- > 2 files changed, 19 insertions(+), 11 deletions(-) > > diff --git a/customize/SELinux_relabel.ml b/customize/SELinux_relabel.ml > index fa9603c..69a4779 100644 > --- a/customize/SELinux_relabel.ml &gt...

...targeted then we look for a directory /etc/selinux/<SELINUXTYPE> which does not exist. However this should not cause a fatal error. Using setfiles to do the relabelling immediately is a nice-to-have, but we can fallback to using autorelabel if we're unable to achieve it. --- mlcustomize/SELinux_relabel.ml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/mlcustomize/SELinux_relabel.ml b/mlcustomize/SELinux_relabel.ml index 5df1f08..5ecf7bd 100644 --- a/mlcustomize/SELinux_relabel.ml +++ b/mlcustomize/SELinux_relabel.ml @@ -77,6 +77,12 @@ and use_setfiles g = let specfile = sprintf...

Do not attempt to relabel a guest in case its SELinux enforcing mode is not "enforcing", as it is either pointless, or it may fail because of an invalid policy configured. --- mlcustomize/SELinux_relabel.ml | 26 +++++++++++++++++++++++++- 1 file changed, 25 insertions(+), 1 deletion(-) diff --git a/mlcustomize/SELinux_relabel.ml b/mlcustomize/SELinux_relabel.ml index 647aeda..db00e59 100644 --- a/mlcustomize/SELinux_relabel.ml +++ b/mlcustomize/SELinux_relabel.ml @@ -24,6 +24,9 @@ open Printf...

On Wednesday, 23 September 2020 17:57:47 CET Pino Toscano wrote: > Continuation/rework of: > https://www.redhat.com/archives/libguestfs/2020-May/msg00020.html > > This is my approach, as I explained here: > https://bugzilla.redhat.com/show_bug.cgi?id=1828952#c4 > https://www.redhat.com/archives/libguestfs/2020-May/msg00035.html > IOW: do not attempt to relabel if the guest is

Do SELinux relabelling properly.

...s(-) diff --git a/sysprep/main.ml b/sysprep/main.ml index d06b0d2..7d3ce5e 100644 --- a/sysprep/main.ml +++ b/sysprep/main.ml @@ -29,7 +29,7 @@ let () = Sysprep_operation.bake () (* Command line argument parsing. *) let prog = Filename.basename Sys.executable_name -let debug_gc, operations, g, selinux_relabel = +let debug_gc, operations, g, selinux_relabel, show_log = let debug_gc = ref false in let domain = ref None in let dryrun = ref false in @@ -40,6 +40,7 @@ let debug_gc, operations, g, selinux_relabel = let selinux_relabel = ref `Auto in let trace = ref false in let verbose = ref...

...23, 2020 at 05:57:50PM +0200, Pino Toscano wrote: > > Do not attempt to relabel a guest in case its SELinux enforcing mode is > > not "enforcing", as it is either pointless, or it may fail because of an > > invalid policy configured. > > --- > > mlcustomize/SELinux_relabel.ml | 26 +++++++++++++++++++++++++- > > 1 file changed, 25 insertions(+), 1 deletion(-) > > > > diff --git a/mlcustomize/SELinux_relabel.ml b/mlcustomize/SELinux_relabel.ml > > index 647aeda..db00e59 100644 > > --- a/mlcustomize/SELinux_relabel.ml > > +++ b/mlcu...

...race: v2v: aug_get = "targeted" 14:07:25 E: libguestfs: trace: v2v: aug_close 14:07:25 E: guestfsd: main_loop: new request, len 0x28 14:07:25 E: guestfsd: main_loop: proc 26 (aug_close) took 0.03 seconds 14:07:25 E: libguestfs: trace: v2v: aug_close = 0 14:07:25 E: libguestfs: trace: v2v: selinux_relabel "/etc/selinux/targeted/contexts/files/file_contexts" "/" "force:true" 14:07:25 E: guestfsd: main_loop: new request, len 0x6c 14:07:25 E: commandrvf: stdout=n stderr=y flags=0x0 14:07:25 E: commandrvf: setfiles -F -e /sysroot/dev -e /sysroot/proc -e /sysroot/selinux -e...

...ndex 80ccef7..d6d7570 100644 --- a/builder/builder.ml +++ b/builder/builder.ml @@ -42,7 +42,7 @@ let main () = edit, firstboot, run, format, gpg, hostname, install, list_format, links, memsize, mkdirs, network, output, password_crypto, quiet, root_password, scrub, - scrub_logfile, selinux_relabel, size, smp, sources, sync, timezone, + scrub_logfile, selinux_relabel, size, smp, sources, indexarch, sync, timezone, update, upload, writes = parse_cmdline () in @@ -143,7 +143,8 @@ let main () = let sigchecker = Sigchecker.create ~debug ~gpg ~check_signature...