similar to: [PATCH] daemon: selinux: Add setfiles -m option to suppress extra excludes (RHBZ#1433577).

--- appliance/packagelist.in | 1 + daemon/Makefile.am | 1 + daemon/setfiles.c | 93 ++++++++++++++++++++++++++++++++++++++++++++++++ generator/actions.ml | 22 ++++++++++++ gobject/Makefile.inc | 2 ++ src/MAX_PROC_NR | 2 +- 6 files changed, 120 insertions(+), 1 deletion(-) create mode 100644 daemon/setfiles.c diff --git a/appliance/packagelist.in

Rewrite the relabel API to read the policy configured in the guest, invoking setfiles (added as part of the appliance, as part of policycoreutils) to relabel the specified root. In case of failure at any point of the process, a touch of .autorelabel in the root is tried as last-attempt measure to do the relabel. Considering that running SELinux tools in the appliance might be affected by the

This shows which files are being relabelled. Also only use -q (suppress non-error output) when we are not verbose. --- daemon/selinux-relabel.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/daemon/selinux-relabel.c b/daemon/selinux-relabel.c index 2f48ee6..e7da42d 100644 --- a/daemon/selinux-relabel.c +++ b/daemon/selinux-relabel.c @@ -112,8 +112,11 @@

On Monday, 20 March 2017 19:15:01 CET Richard W.M. Jones wrote: > This shows which files are being relabelled. Also only use -q > (suppress non-error output) when we are not verbose. > --- > daemon/selinux-relabel.c | 7 +++++-- > 1 file changed, 5 insertions(+), 2 deletions(-) > > diff --git a/daemon/selinux-relabel.c b/daemon/selinux-relabel.c > index 2f48ee6..e7da42d

On Monday, 20 March 2017 19:14:46 CET Richard W.M. Jones wrote: > --- Such behaviour changes :-( LGTM, unless the default behaviour of setfiles changes soon... Thanks, -- Pino Toscano

Fixes commit 9d205f1c284a69390907120ca44f5c723fecc244. --- daemon/selinux-relabel.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/daemon/selinux-relabel.c b/daemon/selinux-relabel.c index daafe9e..cfc4cf8 100644 --- a/daemon/selinux-relabel.c +++ b/daemon/selinux-relabel.c @@ -92,7 +92,7 @@ do_selinux_relabel (const char *specfile, const char *path, ADD_ARG (argv, i,

v1 -> v2: - Add simple test of the setfiles API. - Use SELinux_relabel module in virt-v2v (instead of touch /.autorelabel). - Small fixes. Rich.

[ I realized that we were discussing adding this feature, in various private email, IRC, and this long bugzilla thread: https://bugzilla.redhat.com/show_bug.cgi?id=1060423 That's not how we should do things. Let's discuss it on the mailing list. ] One thing that virt-customize/virt-sysprep/virt-builder have to do is relabel SELinux guests. What we do at the moment

[This email is either empty or too large to be displayed at this time]

> -----Original Message----- > From: Richard W.M. Jones [mailto:rjones@redhat.com] > Sent: Tuesday, March 6, 2018 11:49 AM > To: Зиновик Игорь Анатольевич <ZinovikIA@nspk.ru> > Cc: libguestfs@redhat.com > Subject: Re: [Libguestfs] virt-v2v 1.38 fails to convert .vmx VM: setfiles ... > Multiple same specifications for /.*. > > On Tue, Mar 06, 2018 at 08:40:51AM

Hello, Richard. > -----Original Message----- > From: Richard W.M. Jones [mailto:rjones@redhat.com] > Sent: Monday, March 5, 2018 8:42 PM > To: Зиновик Игорь Анатольевич <ZinovikIA@nspk.ru> > Cc: libguestfs@redhat.com > Subject: Re: [Libguestfs] virt-v2v 1.38 fails to convert .vmx VM: setfiles ... > Multiple same specifications for /.*. > > On Mon, Mar 05, 2018 at

Policycoreutils, which includes the 'setfiles' utility which we use, is badly broken in Fedora 26. https://bugzilla.redhat.com/show_bug.cgi?id=1433577 This bug affects a few things because it completely breaks SELinux relabelling. In particular, firstboot functionality fails on Fedora guests because the installed scripts are not labelled correctly. Rich. -- Richard Jones,

We can use the setfiles(8) command to relabel the guest filesystem, even though we don't have a policy loaded nor SELinux enabled in the appliance kernel. This also deprecates or removes the old and broken SELinux support. This patch isn't quite complete - I would like to add some tests to the new API. I'm posting here to garner early feedback. Rich.

On Tuesday 27 May 2014 09:08:27 Richard W.M. Jones wrote: > On Mon, May 26, 2014 at 11:21:59AM +0200, Pino Toscano wrote: > > Rewrite the relabel API to read the policy configured in the guest, > > invoking setfiles (added as part of the appliance, as part of > > policycoreutils) to relabel the specified root. In case of failure > > at > > any point of the process,

GUESTFSD_EXT_CMD was used by OpenSUSE to track which external commands are run by the daemon and package those commands into the appliance. It is no longer used by recent SUSE builds, so remove it. Thanks: Pino Toscano, Olaf Hering. --- daemon/9p.c | 3 +- daemon/available.c | 7 +-- daemon/base64.c | 6 +-- daemon/blkid.c | 10 ++---

GUESTFSD_EXT_CMD is used by OpenSUSE to track which external commands are run by the daemon and package those commands into the appliance. However because this uses linker trickery it won't work from OCaml code. Replace it with a [nearly] standard C mechanism. Files still have to declare the external commands they will use, eg: DECLARE_EXTERNAL_COMMANDS ("btrfs",

On Mon, Mar 19, 2018 at 02:21:24PM +0000, Зиновик Игорь Анатольевич wrote: > > -----Original Message----- > > From: Richard W.M. Jones [mailto:rjones@redhat.com] > > Sent: Monday, March 19, 2018 3:27 PM > > To: Зиновик Игорь Анатольевич <ZinovikIA@nspk.ru> > > Cc: libguestfs@redhat.com > > Subject: Re: [Libguestfs] virt-v2v 1.38 fails to convert .vmx VM:

On Tue, Mar 06, 2018 at 08:40:51AM +0000, Зиновик Игорь Анатольевич wrote: > > What happens if you run these commands (which should be safe to run > > because they only operate on a throw-away overlay): > > > > qemu-img create -f qcow2 throwaway.qcow2 /mnt/knp1-vm-otp02/knp1-vm- > > otp02.vmdk I missed out the -b flag: qemu-img create -f qcow2 throwaway.qcow2 -b

On Mon, Mar 05, 2018 at 02:03:17PM +0000, Зиновик Игорь Анатольевич wrote: > Hello. > > I'm trying to convert VMware based virtual machines (CentOS 7.2) and output them into oVirt. > virt-v2v fails with following error: > setfiles: /sysroot/etc/selinux/targeted/contexts/files/file_contexts: Multiple same specifications for /.*. > > File `file_contexts' looks same

Hi, On Wed, November 16, 2016 11:10 am, Richard W.M. Jones wrote: > >> It eventually did complete, after several hours. But I don't understand >> why this particular VM took so long when others (with similar disk >> sizes/usages/configurations) completed in only 1-2 minutes. Each VM is >> effectively exactly the same (it's a build slave), so it's just the