search for: set_selinux

...procps procps-ng psmisc diff --git a/builder/builder.ml b/builder/builder.ml index e7be901..a0ef6d7 100644 --- a/builder/builder.ml +++ b/builder/builder.ml @@ -585,7 +585,10 @@ let main () = (match smp with None -> () | Some smp -> g#set_smp smp); g#set_network network; - g#set_selinux ops.flags.selinux_relabel; + (* If a relabel is needed, make sure to turn SELinux off to avoid + * awkward interactions with the relabel process. + *) + if ops.flags.selinux_relabel then g#set_selinux false; (* The output disk is being created, so use cache=unsafe here. *)...

...rtions(+), 2 deletions(-) diff --git a/builder/builder.ml b/builder/builder.ml index a407924..5195cfd 100644 --- a/builder/builder.ml +++ b/builder/builder.ml @@ -633,7 +633,11 @@ let main () = (match smp with None -> () | Some smp -> g#set_smp smp); g#set_network network; - g#set_selinux ops.flags.selinux_relabel; + (* Make sure to turn SELinux off to avoid awkward interactions + * between the appliance kernel and applications/libraries interacting + * with SELinux xattrs. + *) + g#set_selinux false; (* The output disk is being created, so use cache=unsafe...

...er.ml @@ -642,12 +642,6 @@ let main () = may g#set_smp cmdline.smp; g#set_network cmdline.network; - (* Make sure to turn SELinux off to avoid awkward interactions - * between the appliance kernel and applications/libraries interacting - * with SELinux xattrs. - *) - g#set_selinux false; - (* The output disk is being created, so use cache=unsafe here. *) g#add_drive_opts ~format:output_format ~cachemode:"unsafe" output_filename; diff --git a/customize/customize_main.ml b/customize/customize_main.ml index 3681b32..82e70b7 100644 --- a/customize/customize...

...er.ml @@ -642,12 +642,6 @@ let main () = may g#set_smp cmdline.smp; g#set_network cmdline.network; - (* Make sure to turn SELinux off to avoid awkward interactions - * between the appliance kernel and applications/libraries interacting - * with SELinux xattrs. - *) - g#set_selinux false; - (* The output disk is being created, so use cache=unsafe here. *) g#add_drive_opts ~format:output_format ~cachemode:"unsafe" output_filename; diff --git a/customize/customize_main.ml b/customize/customize_main.ml index 3681b32..82e70b7 100644 --- a/customize/customize...

...; affected by the SELinux state (leading to wrong results), > > selinux_relabel now bails out if SELinux is enabled in the > > appliance. > > As a result of this, virt-builder and virt-customize explicitly > > disable it if the relabel is enabled. > > > > - g#set_selinux ops.flags.selinux_relabel; > > + (* If a relabel is needed, make sure to turn SELinux off to > > avoid + * awkward interactions with the relabel process. > > + *) > > + if ops.flags.selinux_relabel then g#set_selinux false; > > This defaults to false, so...

...s, TestOutputInt ( [["set_memsize"; "500"]; ["get_memsize"]], 500)], @@ -451,7 +451,7 @@ features from later versions into earlier versions, making this an unreliable way to test for features. Use C<guestfs_available> instead."); - ("set_selinux", (RErr, [Bool "selinux"], []), -1, [FishAlias "selinux"], + ("set_selinux", (RErr, [Bool "selinux"], []), -1, [FishAlias "selinux"; ConfigOnly], [InitNone, Always, TestOutputTrue ( [["set_selinux"; "true"];...

[ I realized that we were discussing adding this feature, in various private email, IRC, and this long bugzilla thread: https://bugzilla.redhat.com/show_bug.cgi?id=1060423 That's not how we should do things. Let's discuss it on the mailing list. ] One thing that virt-customize/virt-sysprep/virt-builder have to do is relabel SELinux guests. What we do at the moment

...= /etc/selinux/targeted/policy/policy.29: No such file or directory load_policy: Can't load policy: No such file or directory This could be because the kernel of the libguestfs appliance doesn't match the kernel of the guest. (Also I patched my copy of virt-builder to add a call to g#set_selinux true). By the way, it's not clear to me that using load_policy is safe in all cases. In virt-builder it would be fine (if it worked), because you should trust the templates. In general, loading an untrusted guest policy into the appliance kernel may not be a great idea. Rich. -- Richard J...

We can use the setfiles(8) command to relabel the guest filesystem, even though we don't have a policy loaded nor SELinux enabled in the appliance kernel. This also deprecates or removes the old and broken SELinux support. This patch isn't quite complete - I would like to add some tests to the new API. I'm posting here to garner early feedback. Rich.

Do SELinux relabelling properly.

...handle, 1)>. + =item TMPDIR Location of temporary directory, defaults to C</tmp>. diff --git a/src/generator.ml b/src/generator.ml index 765cb16..6184890 100755 --- a/src/generator.ml +++ b/src/generator.ml @@ -805,6 +805,32 @@ is passed to the appliance at boot time. See C<guestfs_set_selinux>. For more information on the architecture of libguestfs, see L<guestfs(3)>."); + ("set_trace", (RErr, [Bool "trace"]), -1, [FishAlias "trace"], + [InitNone, Always, TestOutputTrue ( + [["set_trace"; "true"]; + [&quot...

A common problem that people have with virt-builder and virt-sysprep is which guests that use SELinux, like Fedora and RHEL. In both cases we touch /.autorelabel in the guest, which means the guest has to reboot once during its first boot. Recap: SELinux file labels -------------------------- SELinux requires that files have labels. Access to a file is controlled by the label on that file.

v1 -> v2: - Add simple test of the setfiles API. - Use SELinux_relabel module in virt-v2v (instead of touch /.autorelabel). - Small fixes. Rich.

Hi All, I been using virt-builder to create testing VMs (most ubuntu) for a while, and it works great. But when I cloned the git repo today and found the process becoming extremely slow, please see the output below. log that produced by pre-installed vendor package: virt-builder ubuntu-14.04 --firstboot-command 'useradd -m -p "" myan; chage -d 0 myan; usermod -aG sudo myan;' [

...s: trace: set_cachedir = 0 libguestfs: trace: set_path "/home/myan/work/libguestfs/appliance" libguestfs: trace: set_path = 0 libguestfs: create: flags = 0, handle = 0x11ce170, program = virt-builder libguestfs: trace: set_network true libguestfs: trace: set_network = 0 libguestfs: trace: set_selinux false libguestfs: trace: set_selinux = 0 libguestfs: trace: add_drive "ubuntu-14.04.img" "format:raw" "cachemode:unsafe" libguestfs: trace: add_drive = 0 libguestfs: trace: launch libguestfs: trace: get_tmpdir libguestfs: trace: get_tmpdir = "/home/myan/work/libgu...

Previously, only the LibVirtXML connection translated network and bridge names in imported metadata. This change moves this functionality in Converter, making it available to LibVirt connections as well. At the same time, the format of the config file is switched to XML. The primary driver for this is that the allowable syntax of a foreign network/bridge name is not known. Rather than create a

Hi, I tried to rewrite virt-rescue from C to OCaml. Goals were feature parity with C implementation, smaller codebase and hopefully better maintainability. I still don't know if I've covered everything right. So, please check it out. PS: my git send-email seems to be broken, so I'm sending it from thunderbird Thanks! maros

I'm currently working on gobject bindings for libguestfs. I haven't got as far as compiling anything yet, but I've attached the C header for initial review. Matt -- Matthew Booth, RHCA, RHCSS Red Hat Engineering, Virtualisation Team GPG ID: D33C3490 GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490 -------------- next part -------------- An embedded and

...ze memsize); + (match smp with None -> () | Some smp -> g#set_smp smp); + g#set_network network; + + (* Make sure to turn SELinux off to avoid awkward interactions + * between the appliance kernel and applications/libraries interacting + * with SELinux xattrs. + *) + g#set_selinux false; + + (* Main disk with the built image. *) + let fmt = "raw" in + let fn = + (* If "raw" is among the selected outputs, use it as main backing + * disk, otherwise create a temporary disk. + *) + if not is_ramdisk_build && List.mem &qu...

...ze memsize); + (match smp with None -> () | Some smp -> g#set_smp smp); + g#set_network network; + + (* Make sure to turn SELinux off to avoid awkward interactions + * between the appliance kernel and applications/libraries interacting + * with SELinux xattrs. + *) + g#set_selinux false; + + (* Main disk with the built image. *) + let fmt = "raw" in + let fn = + (* If "raw" is among the selected outputs, use it as main backing + * disk, otherwise create a temporary disk. + *) + if not is_ramdisk_build && List.mem &qu...