similar to: Fedora 18, virt-manager & libguestfs SELinux relabelling problem

I'm just about to release libguestfs 1.20. This appendix covers issues specific to Fedora 18. Fedora 18 defaults to using the libvirt attach-method, meaning that libvirt is used to create and manage the libguestfs appliance. There are several benefits to this (see the full release notes). You can switch back to the ordinary method (directly running qemu) at any time by doing: export

Just a note [possibly more of a warning] that I'm intending to switch the default backend in Fedora 18+ to libvirt this week. For more information about what this means, see: https://rwmj.wordpress.com/2012/07/23/new-in-libguestfs-use-libvirt-to-launch-the-appliance/#content Barring any bugs, the change ought to be transparent. The reasons why we're making this change in Fedora are:

Run with LIBGUESTFS_ATTACH_METHOD=appliance Fails with: inspect_os: mount_ro: /dev/sda on / (options: 'ro'): mount: /dev/sda is already mounted or /sysroot busy at /usr/share/perl5/vendor_perl/Sys/VirtConvert/GuestfsHandle.pm line 194. virt-inspector works as expected libguestfs-test-tool.log: http://pastebin.ca/2317900 virt-v2v.log: http://iaindb.pastebin.ca/2317938 Any

On Tue, 21 Jan 2014, Richard W.M. Jones wrote: > A common problem that people have with virt-builder and virt-sysprep > is which guests that use SELinux, like Fedora and RHEL. In both cases > we touch /.autorelabel in the guest, which means the guest has to > reboot once during its first boot. ... snip much analysis ... > (4) It can touch '/.autorelabel' which causes an

On Tue, 21 Jan 2014, Richard W.M. Jones wrote: > This could be because the kernel of the libguestfs appliance doesn't > match the kernel of the guest. We also encounter such problems when re-labelling images not matching the dom0 kernel distribution, and just accept the relabel delay (slow and linear) and second boot (boots are fast) -- but I had hoped you had a solution ;) -- Russ

I'm very pleased to announce the release of libguestfs 1.20. Libguestfs is a library and a comprehensive set of tools for accessing and modifying virtual machine (VM) disk images. For more information see http://libguestfs.org Libguestfs 1.20 represents 7 months of upstream work, dozens of major new features and bug fixes. For full details read the release notes below. You can download

A common problem that people have with virt-builder and virt-sysprep is which guests that use SELinux, like Fedora and RHEL. In both cases we touch /.autorelabel in the guest, which means the guest has to reboot once during its first boot. Recap: SELinux file labels -------------------------- SELinux requires that files have labels. Access to a file is controlled by the label on that file.

On Tue, Jan 21, 2014 at 12:01:45PM -0500, R P Herrold wrote: > (5) it can do an additional step at very end of the post > install: > restorecon -R / This doesn't work on its own. I suspect this would work: load_policy && restorecon -R / except it gives an error for me: SELinux: Could not downgrade policy file /etc/selinux/targeted/policy/policy.29, searching for

Thanks for replying Dario, Yes, I saw your other e-mail too, but I''m afraid I can''t help much as I > always have: > - used xl only, when building Xen from sources, > - used Fedora Xen packages only, when using libvirt stuff > I just want to get couple of DomUs running, that is all. I''m not particular about which tool I use. Virt-manager seemed

On Tue, Feb 06, 2018 at 12:50:51PM -0500, Laine Stump wrote: > On 02/06/2018 10:53 AM, Pino Toscano wrote: > > On Tuesday, 6 February 2018 16:40:04 CET Daniel P. Berrangé wrote: > >> When you tell virt-builder to install extra RPMs, this potentially > >> looses the SELinux labelling that Anaconda had originally setup. Thus we > >> must tell virt-builder to

On 02/06/2018 10:53 AM, Pino Toscano wrote: > On Tuesday, 6 February 2018 16:40:04 CET Daniel P. Berrangé wrote: >> When you tell virt-builder to install extra RPMs, this potentially >> looses the SELinux labelling that Anaconda had originally setup. Thus we >> must tell virt-builder to enable SELinux relabelling. >> >> Signed-off-by: Daniel P. Berrangé

On Sun, Dec 24, 2017 at 03:59:33PM +0200, Yaniv Kaul wrote: > On Sun, Dec 24, 2017 at 3:49 PM, Richard W.M. Jones <rjones@redhat.com> > wrote: > > > On Sun, Dec 24, 2017 at 02:15:44PM +0200, Yaniv Kaul wrote: > > > I'm copying a file into a VM using virt-copy-in - which is great, but the > > > file is wrongly labeled. > > > How can I fix that?

--- appliance/packagelist.in | 1 + daemon/Makefile.am | 1 + daemon/setfiles.c | 93 ++++++++++++++++++++++++++++++++++++++++++++++++ generator/actions.ml | 22 ++++++++++++ gobject/Makefile.inc | 2 ++ src/MAX_PROC_NR | 2 +- 6 files changed, 120 insertions(+), 1 deletion(-) create mode 100644 daemon/setfiles.c diff --git a/appliance/packagelist.in

Hello list, my name is Matteo, i'm new on that list. I'm working on a multitenancy platform with linux containers through libvirt on a production system with Red Hat 6.4. Every container run a separate instance of OpenSSH and Apache HTTPd and I need to give root privileges to the developers and I try to configure SELinux using svirt and MCS. I try the secmodel type dynamic and static in

On Sun, Dec 24, 2017 at 3:49 PM, Richard W.M. Jones <rjones@redhat.com> wrote: > On Sun, Dec 24, 2017 at 02:15:44PM +0200, Yaniv Kaul wrote: > > I'm copying a file into a VM using virt-copy-in - which is great, but the > > file is wrongly labeled. > > How can I fix that? > > Hi Yaniv, > > The easiest thing is to run this after doing the virt-copy-in:

If the guest uses SELinux, then make sure to run a relabel (or at least schedule one) after the image build: this way the template is relabelled, or at least it will do that at the next boot, without the need for the user to ask for a relabel. This just covers the case of building a new image with no additional operations on it though. --- builder/website/centos.sh | 2 ++

On Tuesday 27 May 2014 14:25:08 Richard W.M. Jones wrote: > So I think an API which looks like this ... > > required params: > > None > > optional params: > > path => > Either a directory to be relabelled recursively, or a single > file (defaults to "/"). > > root => > Inspection root of guest. Optional, only

[If you're using the upstream libguestfs with default settings, then this does NOT affect you. libvirt isn't required by libguestfs.] >From libguestfs 1.19.41, if you have selected the alternate libvirt method to launch the appliance, ie, if you have done: ./configure --with-default-attach-method=libvirt then sVirt is enabled by default. This is for enhanced security: if a

https://bugzilla.redhat.com/show_bug.cgi?id=912499 (especially comments 7 & 10) This patch set is the final fix so that we can access disks in use by other guests when SELinux and sVirt are enabled. Previously such disks were inaccessible because sVirt labels the disks with a random SELinux label to prevent other instances of qemu from being able to read them. So naturally the libguestfs

Do SELinux relabelling properly.