similar to: [common PATCH 0/3] SELinux_relabel: relabel only if enforcing (RHBZ#1828952)

This shouldn't change the effect of this code. --- mlcustomize/SELinux_relabel.ml | 121 ++++++++++++++++++--------------- 1 file changed, 65 insertions(+), 56 deletions(-) diff --git a/mlcustomize/SELinux_relabel.ml b/mlcustomize/SELinux_relabel.ml index 44995df..5df1f08 100644 --- a/mlcustomize/SELinux_relabel.ml +++ b/mlcustomize/SELinux_relabel.ml @@ -28,65 +28,74 @@ module G = Guestfs

On Wed, Sep 23, 2020 at 05:57:50PM +0200, Pino Toscano wrote: > Do not attempt to relabel a guest in case its SELinux enforcing mode is > not "enforcing", as it is either pointless, or it may fail because of an > invalid policy configured. > --- > mlcustomize/SELinux_relabel.ml | 26 +++++++++++++++++++++++++- > 1 file changed, 25 insertions(+), 1 deletion(-) >

Since it is available only in OCaml >= 4.03, which is higher than our requirement, add a simple reimplementation of it. Fixes commit 719d68fa247cc3885ecf7ec1c010faf83267d786. --- customize/SELinux_relabel.ml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/customize/SELinux_relabel.ml b/customize/SELinux_relabel.ml index e7d440c29..7cc166edb 100644 ---

v1 -> v2: Match more specifically. Rich.

Instead of just documenting this bug, fix it in the file_contexts file. Replaces commit ad3c8fe7f49c4991e1aa536856a1a408f55d5409. --- customize/SELinux_relabel.ml | 19 +++++++++++++++++++ v2v/virt-v2v.pod | 11 ----------- 2 files changed, 19 insertions(+), 11 deletions(-) diff --git a/customize/SELinux_relabel.ml b/customize/SELinux_relabel.ml index fa9603c..69a4779 100644 ---

Do not attempt to relabel a guest in case its SELinux enforcing mode is not "enforcing", as it is either pointless, or it may fail because of an invalid policy configured. --- mlcustomize/SELinux_relabel.ml | 26 +++++++++++++++++++++++++- 1 file changed, 25 insertions(+), 1 deletion(-) diff --git a/mlcustomize/SELinux_relabel.ml b/mlcustomize/SELinux_relabel.ml index 647aeda..db00e59

On Thursday, 24 September 2020 12:15:29 CEST Richard W.M. Jones wrote: > On Wed, Sep 23, 2020 at 05:57:50PM +0200, Pino Toscano wrote: > > Do not attempt to relabel a guest in case its SELinux enforcing mode is > > not "enforcing", as it is either pointless, or it may fail because of an > > invalid policy configured. > > --- > >

libselinux defaults to "targeted" when no SELINUXTYPE is specified in /etc/config/selinux. Hence do the same here, instead of failing because of the missing key. Add a slow test for checking SELinux relabeling on a Fedora 27 guest, both with no changes, and with a modified configuration. --- customize/Makefile.am | 2 ++ customize/SELinux_relabel.ml | 14 ++++++++++--

https://bugzilla.redhat.com/show_bug.cgi?id=1828952#c2 If SELINUXTYPE is set to some value other than targeted then we look for a directory /etc/selinux/<SELINUXTYPE> which does not exist. However this should not cause a fatal error. Using setfiles to do the relabelling immediately is a nice-to-have, but we can fallback to using autorelabel if we're unable to achieve it. ---

[This email is either empty or too large to be displayed at this time]

Instead of just documenting this bug, fix it in the file_contexts file. Replaces commit ad3c8fe7f49c4991e1aa536856a1a408f55d5409. --- customize/SELinux_relabel.ml | 20 ++++++++++++++++++++ v2v/virt-v2v.pod | 11 ----------- 2 files changed, 20 insertions(+), 11 deletions(-) diff --git a/customize/SELinux_relabel.ml b/customize/SELinux_relabel.ml index fa9603c..d3b9325 100644 ---

I got a little way into this. The two attached patches are preliminary work. My proposed split is: libguestfs.git common -> git submodule libguestfs-common.git generator/ lib/ all language bindings C based tools (eg. virt-df, virt-edit, guestfish) guestfs-tools.git common -> git submodule libguestfs-common.git

On Wednesday, 23 September 2020 17:57:47 CET Pino Toscano wrote: > Continuation/rework of: > https://www.redhat.com/archives/libguestfs/2020-May/msg00020.html > > This is my approach, as I explained here: > https://bugzilla.redhat.com/show_bug.cgi?id=1828952#c4 > https://www.redhat.com/archives/libguestfs/2020-May/msg00035.html > IOW: do not attempt to relabel if the guest is

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2168506 This small set covers the new /dev/mapper/VG-LV "--key" ID format in the libguestfs LUKS-on-LVM inspection test. Thanks, Laszlo Laszlo Ersek (3): update common submodule LUKS-on-LVM inspection test: rename VGs and LVs LUKS-on-LVM inspection test: test /dev/mapper/VG-LV translation common

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2168506 This small set covers the new /dev/mapper/VG-LV "--key" ID format in the LUKS-on-LVM virt-inspector test. Thanks, Laszlo Laszlo Ersek (3): update common submodule inspector: rename VGs and LVs in LUKS-on-LVM test inspector: test /dev/mapper/VG-LV translation in LUKS-on-LVM test common

Hello, Richard. > -----Original Message----- > From: Richard W.M. Jones [mailto:rjones@redhat.com] > Sent: Monday, March 5, 2018 8:42 PM > To: Зиновик Игорь Анатольевич <ZinovikIA@nspk.ru> > Cc: libguestfs@redhat.com > Subject: Re: [Libguestfs] virt-v2v 1.38 fails to convert .vmx VM: setfiles ... > Multiple same specifications for /.*. > > On Mon, Mar 05, 2018 at

Discussion on v1 https://listman.redhat.com/archives/libguestfs/2023-February/030849.html https://listman.redhat.com/archives/libguestfs/2023-March/030917.html v1 -> v2: * Drop the logic where default is switched to "vioscsi". Keep virtio-blk as default. * Adapt the patch suggested by Richard: https://listman.redhat.com/archives/libguestfs/2023-March/030974.html This

Discussion on v2: https://listman.redhat.com/archives/libguestfs/2023-March/030989.html v2 -> v3: * Patch 1/4 ("inject_virtio_win: match only vendor/device/revision"): do not omit PCI Revision ID. Adjust commit message accordingly; * Patch 2/4 ("inject_virtio_win: add Virtio_SCSI to block_type"): add non-empty commit message body. * Patch 4/4

We can use the setfiles(8) command to relabel the guest filesystem, even though we don't have a policy loaded nor SELinux enabled in the appliance kernel. This also deprecates or removes the old and broken SELinux support. This patch isn't quite complete - I would like to add some tests to the new API. I'm posting here to garner early feedback. Rich.

v1 -> v2: - Add simple test of the setfiles API. - Use SELinux_relabel module in virt-v2v (instead of touch /.autorelabel). - Small fixes. Rich.