Displaying 20 results from an estimated 2000 matches similar to: "[PATCH] document behavior of --selinux-relabel"
2016 Mar 24
0
Re: [PATCH] document behavior of --selinux-relabel
On Thu, Mar 24, 2016 at 03:21:45PM -0400, Lars Kellogg-Stedman wrote:
> the description of the --selinux-relabel option suggests that it
> perform an immediate relabel, when in fact it may (and probably will)
> instead simply touch /.autorelabel on the image, which schedules a
> relabel operation for the next time the image boots. This can be
> surprising because it results both in
2014 May 26
2
[PATCH 2/2] Use setfiles from the appliance for the SELinux relabel (RHBZ#1089100).
Rewrite the relabel API to read the policy configured in the guest,
invoking setfiles (added as part of the appliance, as part of
policycoreutils) to relabel the specified root. In case of failure at
any point of the process, a touch of .autorelabel in the root is tried
as a last-attempt measure to do the relabel.
Considering that running SELinux tools in the appliance might be
affected by the
2016 Jul 14
0
[PATCH v2 4/7] customize: Add module for doing SELinux relabel of filesystem.
This implements the --selinux-relabel option for virt-customize,
virt-builder and virt-sysprep. There is no need for autorelabel
functionality now.
Thanks: Stephen Smalley
---
builder/Makefile.am | 1 +
builder/virt-builder.pod | 20 +++++++++----------
customize/Makefile.am | 2 ++
customize/SELinux_relabel.ml | 46 +++++++++++++++++++++++++++++++++++++++++++
2014 May 24
9
SELinux relabel API
[
I realized that we were discussing adding this feature, in various
private email, IRC, and this long bugzilla thread:
https://bugzilla.redhat.com/show_bug.cgi?id=1060423
That's not how we should do things. Let's discuss it on the
mailing list.
]
One thing that virt-customize/virt-sysprep/virt-builder have to do is
relabel SELinux guests.
What we do at the moment
2020 Sep 24
3
Re: [common PATCH 3/3] mlcustomize: do not relabel if not enforcing (RHBZ#1828952)
On Wed, Sep 23, 2020 at 05:57:50PM +0200, Pino Toscano wrote:
> Do not attempt to relabel a guest in case its SELinux enforcing mode is
> not "enforcing", as it is either pointless, or it may fail because of an
> invalid policy configured.
> ---
> mlcustomize/SELinux_relabel.ml | 26 +++++++++++++++++++++++++-
> 1 file changed, 25 insertions(+), 1 deletion(-)
>
2020 Sep 23
6
[common PATCH 0/3] SELinux_relabel: relabel only if enforcing (RHBZ#1828952)
Continuation/rework of:
https://www.redhat.com/archives/libguestfs/2020-May/msg00020.html
This is my approach, as I explained here:
https://bugzilla.redhat.com/show_bug.cgi?id=1828952#c4
https://www.redhat.com/archives/libguestfs/2020-May/msg00035.html
IOW: do not attempt to relabel if the guest is not enforcing, as it is
either useless or may fail; a few more words are in the comments of patch
#3.
2020 May 05
3
[PATCH libguestfs-common 1/2] mlcustomize: Refactor SELinux_relabel code.
This shouldn't change the effect of this code.
---
mlcustomize/SELinux_relabel.ml | 121 ++++++++++++++++++---------------
1 file changed, 65 insertions(+), 56 deletions(-)
diff --git a/mlcustomize/SELinux_relabel.ml b/mlcustomize/SELinux_relabel.ml
index 44995df..5df1f08 100644
--- a/mlcustomize/SELinux_relabel.ml
+++ b/mlcustomize/SELinux_relabel.ml
@@ -28,65 +28,74 @@ module G = Guestfs
2014 Jan 21
2
virt-builder & virt-sysprep: Avoiding SELinux relabelling
A common problem that people have with virt-builder and virt-sysprep
is with guests that use SELinux, like Fedora and RHEL. In both cases
we touch /.autorelabel in the guest, which means the guest has to
reboot once during its first boot.
Recap: SELinux file labels
--------------------------
SELinux requires that files have labels. Access to a file is
controlled by the label on that file.
2009 Sep 09
1
SELinux Relabeling
Hello everyone,
If I create a folder called "whatever" under /var, the context is:
root:object_r:var_t /var/whatever/
That's expected as it is under /var. If I then change its type:
chcon -t httpd_sys_content_t /var/whatever
The context looks like:
root:object_r:httpd_sys_content_t /var/whatever/
My question is...Shouldn't a relabeling of the filesystem change the type
2012 Jan 04
1
edit proposal to /HowTos/SELinux - how to relabel filesystem
Following the steps under "Contribute to the Wiki" at
http://wiki.centos.org/Contribute#head-42b3d8e26400a106851a61aebe5c2cca54dd79e5
My Wiki name is BennettHaselton. I wanted to edit this paragraph:
"Note: When switching from Disabled to either Permissive or Enforcing
mode, it is highly recommended that the system be rebooted and the
filesystem relabeled."
to add:
2014 Jan 24
2
[PATCH 0/2] Implement virt-builder --selinux-relabel option.
Do SELinux relabelling properly.
2015 May 15
5
[PATCH 0/2] customize: Allow --selinux-relabel flag to work on cross-architecture builds.
Fixes
https://bugzilla.redhat.com/show_bug.cgi?id=1212807
2016 May 10
1
[PATCH] builder: run/schedule a SELinux relabel if needed
If the guest uses SELinux, then make sure to run a relabel (or at least
schedule one) after the image build: this way the template is
relabelled, or at least it will do that at the next boot, without the
need for the user to ask for a relabel.
This just covers the case of building a new image with no additional
operations on it though.
---
builder/website/centos.sh | 2 ++
2015 May 15
0
[PATCH 2/2] customize: Allow --selinux-relabel flag to work on cross-architecture builds (RHBZ#1212807).
---
customize/customize_run.ml | 22 +++++++++++++---------
1 file changed, 13 insertions(+), 9 deletions(-)
diff --git a/customize/customize_run.ml b/customize/customize_run.ml
index 0f1d72a..cd4616c 100644
--- a/customize/customize_run.ml
+++ b/customize/customize_run.ml
@@ -338,15 +338,19 @@ exec >>%s 2>&1
if ops.flags.selinux_relabel then (
msg (f_"SELinux
2015 Jul 08
0
[PATCH 6/6] customize: add basic subscription-manager operations
Add simple operations for RHEL guests using subscription-manager, so it
is possible to e.g. install software on them.
---
customize/Makefile.am | 8 +++-
customize/customize_run.ml | 58 ++++++++++++++++++++++++++
generator/customize.ml | 101 +++++++++++++++++++++++++++++++++++++++++++++
sysprep/Makefile.am | 8 +++-
4 files changed, 173 insertions(+), 2 deletions(-)
diff
2014 May 27
3
Re: [PATCH 2/2] Use setfiles from the appliance for the SELinux relabel (RHBZ#1089100).
On Tuesday 27 May 2014 09:08:27 Richard W.M. Jones wrote:
> On Mon, May 26, 2014 at 11:21:59AM +0200, Pino Toscano wrote:
> > Rewrite the relabel API to read the policy configured in the guest,
> > invoking setfiles (added as part of the appliance, as part of
> > policycoreutils) to relabel the specified root. In case of failure
> > at
> > any point of the process,
2020 Sep 23
0
[common PATCH 3/3] mlcustomize: do not relabel if not enforcing (RHBZ#1828952)
Do not attempt to relabel a guest in case its SELinux enforcing mode is
not "enforcing", as it is either pointless, or it may fail because of an
invalid policy configured.
---
mlcustomize/SELinux_relabel.ml | 26 +++++++++++++++++++++++++-
1 file changed, 25 insertions(+), 1 deletion(-)
diff --git a/mlcustomize/SELinux_relabel.ml b/mlcustomize/SELinux_relabel.ml
index 647aeda..db00e59
2005 Sep 12
1
The role of /.autorelabel
I could not get vsftpd to start; kept getting the "vsftpd Dead Subsys
Locked" error. On doing a Google search, I came across a fix (lost the
site unfortunately) and as I recall, it has something to do with copying
a file and having the incorrect SElinux settings (I have SElinux disabled).
The fix was to do a fixfiles, relabel (commands that I have never used)
or a touch of
2020 Sep 24
0
Re: [common PATCH 3/3] mlcustomize: do not relabel if not enforcing (RHBZ#1828952)
On Thursday, 24 September 2020 12:15:29 CEST Richard W.M. Jones wrote:
> On Wed, Sep 23, 2020 at 05:57:50PM +0200, Pino Toscano wrote:
> > Do not attempt to relabel a guest in case its SELinux enforcing mode is
> > not "enforcing", as it is either pointless, or it may fail because of an
> > invalid policy configured.
> > ---
> >
2020 May 18
2
Re: [PATCH libguestfs-common 2/2] mlcustomize: Fall back to autorelabel if specfile does not exist (RHBZ#1828952).
On Tuesday, 5 May 2020 17:44:15 CEST Richard W.M. Jones wrote:
> https://bugzilla.redhat.com/show_bug.cgi?id=1828952#c2
I think we need to do a different approach than this patch.
The biggest thing is that currently we check only SELINUXTYPE for the
actual policy, however we do not check SELINUX in case SELinux is in
enforcing mode at all.
IMHO we rather need to read