similar to: [PATCH] customize: allow missing SELINUXTYPE in SELinux config

Since it is available only in OCaml >= 4.03, which is higher than our requirement, add a simple reimplementation of it. Fixes commit 719d68fa247cc3885ecf7ec1c010faf83267d786. --- customize/SELinux_relabel.ml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/customize/SELinux_relabel.ml b/customize/SELinux_relabel.ml index e7d440c29..7cc166edb 100644 ---

This shouldn't change the effect of this code. --- mlcustomize/SELinux_relabel.ml | 121 ++++++++++++++++++--------------- 1 file changed, 65 insertions(+), 56 deletions(-) diff --git a/mlcustomize/SELinux_relabel.ml b/mlcustomize/SELinux_relabel.ml index 44995df..5df1f08 100644 --- a/mlcustomize/SELinux_relabel.ml +++ b/mlcustomize/SELinux_relabel.ml @@ -28,65 +28,74 @@ module G = Guestfs

Continuation/rework of: https://www.redhat.com/archives/libguestfs/2020-May/msg00020.html This is my approach, as I explained here: https://bugzilla.redhat.com/show_bug.cgi?id=1828952#c4 https://www.redhat.com/archives/libguestfs/2020-May/msg00035.html IOW: do not attempt to relabel if the guest is not enforcing, as it is either useless or may fail; few words more are in the comments of patch #3.

Rewrite the relabel API to read the policy configured in the guest, invoking setfiles (added as part of the appliance, as part of policycoreutils) to relabel the specified root. In case of failure at any point of the process, a touch of .autorelabel in the root is tried as last-attempt measure to do the relabel. Considering that running SELinux tools in the appliance might be affected by the

https://bugzilla.redhat.com/show_bug.cgi?id=1828952#c2 If SELINUXTYPE is set to some value other than targeted then we look for a directory /etc/selinux/<SELINUXTYPE> which does not exist. However this should not cause a fatal error. Using setfiles to do the relabelling immediately is a nice-to-have, but we can fallback to using autorelabel if we're unable to achieve it. ---

On Wed, Sep 23, 2020 at 05:57:50PM +0200, Pino Toscano wrote: > Do not attempt to relabel a guest in case its SELinux enforcing mode is > not "enforcing", as it is either pointless, or it may fail because of an > invalid policy configured. > --- > mlcustomize/SELinux_relabel.ml | 26 +++++++++++++++++++++++++- > 1 file changed, 25 insertions(+), 1 deletion(-) >

Do not attempt to relabel a guest in case its SELinux enforcing mode is not "enforcing", as it is either pointless, or it may fail because of an invalid policy configured. --- mlcustomize/SELinux_relabel.ml | 26 +++++++++++++++++++++++++- 1 file changed, 25 insertions(+), 1 deletion(-) diff --git a/mlcustomize/SELinux_relabel.ml b/mlcustomize/SELinux_relabel.ml index 647aeda..db00e59

This implements the --selinux-relabel option for virt-customize, virt-builder and virt-sysprep. There is no need to autorelabel functionality now. Thanks: Stephen Smalley --- builder/Makefile.am | 1 + builder/virt-builder.pod | 20 +++++++++---------- customize/Makefile.am | 2 ++ customize/SELinux_relabel.ml | 46 +++++++++++++++++++++++++++++++++++++++++++

On Tuesday, 5 May 2020 17:44:15 CEST Richard W.M. Jones wrote: > https://bugzilla.redhat.com/show_bug.cgi?id=1828952#c2 I think we need to do a different approach than this patch. The biggest thing is that currently we check only SELINUXTYPE for the actual policy, however we do not check SELINUX in case SELinux is in enforcing mode at all. IMHO we rather need to read

Hey guys, For some reason I can't seem to enable SELinux on this one host. Here's my SELinux config file: [root at beta-new:~] #cat /etc/sysconfig/selinux # This file controls the state of SELinux on the system. # SELINUX= can take one of these three values: # enforcing - SELinux security policy is enforced. # permissive - SELinux prints warnings instead of enforcing. #

I have some centos 4.4 server. i have disable selinux for some software problem: # cat /etc/selinux/config # This file controls the state of SELinux on the system. # SELINUX= can take one of these three values: # enforcing - SELinux security policy is enforced. # permissive - SELinux prints warnings instead of enforcing. # disabled - SELinux is fully disabled. SELINUX=disable #

[ I realized that we were discussing adding this feature, in various private email, IRC, and this long bugzilla thread: https://bugzilla.redhat.com/show_bug.cgi?id=1060423 That's not how we should do things. Let's discuss it on the mailing list. ] One thing that virt-customize/virt-sysprep/virt-builder have to do is relabel SELinux guests. What we do at the moment

I'm probably dense - CentOS 4.1 # cat /etc/sysconfig/selinux ..snip... SELINUXTYPE=targeted # su - Alec # tail -n 3 /var/log/messages Aug 31 08:48:26 srv1 su(pam_unix)[31435]: session opened for user Alec by root(uid=0) Aug 31 08:48:26 srv1 su[31435]: Warning! Could not relabel /dev/pts/0 with user_u:object_r:devpts_t, not relabeling.Operation not permitted Aug 31 08:48:27 srv1

> On 7 Nov 2016, at 22:16, Derek Atkins <derek@ihtfp.com> wrote: > > Hi, > > My last VM imported in 2 minutes. This one has been sitting for three > hours. I think this is a bug. well, some time it does take a long time. Are you sure it was hung? No I/O going on? adding libguestfs list Thanks, michal > > Just in case it helps, here's a larger piece of

Instead of just documenting this bug, fix it in the file_contexts file. Replaces commit ad3c8fe7f49c4991e1aa536856a1a408f55d5409. --- customize/SELinux_relabel.ml | 19 +++++++++++++++++++ v2v/virt-v2v.pod | 11 ----------- 2 files changed, 19 insertions(+), 11 deletions(-) diff --git a/customize/SELinux_relabel.ml b/customize/SELinux_relabel.ml index fa9603c..69a4779 100644 ---

Instead of just documenting this bug, fix it in the file_contexts file. Replaces commit ad3c8fe7f49c4991e1aa536856a1a408f55d5409. --- customize/SELinux_relabel.ml | 20 ++++++++++++++++++++ v2v/virt-v2v.pod | 11 ----------- 2 files changed, 20 insertions(+), 11 deletions(-) diff --git a/customize/SELinux_relabel.ml b/customize/SELinux_relabel.ml index fa9603c..d3b9325 100644 ---

On Mon, May 18, 2020 at 11:12:29AM +0200, Pino Toscano wrote: > On Tuesday, 5 May 2020 17:44:15 CEST Richard W.M. Jones wrote: > > https://bugzilla.redhat.com/show_bug.cgi?id=1828952#c2 > > I think we need to do a different approach than this patch. > > The biggest thing is that currently we check only SELINUXTYPE for the > actual policy, however we do not check SELINUX

On Monday, 6 March 2017 11:43:14 CET Richard W.M. Jones wrote: > Instead of just documenting this bug, fix it in the file_contexts > file. > > Replaces commit ad3c8fe7f49c4991e1aa536856a1a408f55d5409. > --- > customize/SELinux_relabel.ml | 19 +++++++++++++++++++ > v2v/virt-v2v.pod | 11 ----------- > 2 files changed, 19 insertions(+), 11 deletions(-) >

On Thursday, 24 September 2020 12:15:29 CEST Richard W.M. Jones wrote: > On Wed, Sep 23, 2020 at 05:57:50PM +0200, Pino Toscano wrote: > > Do not attempt to relabel a guest in case its SELinux enforcing mode is > > not "enforcing", as it is either pointless, or it may fail because of an > > invalid policy configured. > > --- > >

Hi Rich, I tried to implement the logging feature, but I can't though compiling with this patch now, could you please give me some comments? The error message is below, --- ocamlfind ocamlopt -g -warn-error CDEFLMPSUVYZX -package unix -I ../src/.libs -I ../ocaml -c sysprep_operation.ml -o sysprep_operation.cmx File "sysprep_operation.ml", line 1, characters 0-1: Error: The