[Libguestfs] [libvirt] [PATCH tck] Relabel SELinux when customizing virt-builder image
Richard W.M. Jones
rjones at redhat.com
Wed Feb 7 11:10:25 UTC 2018
On Tue, Feb 06, 2018 at 12:50:51PM -0500, Laine Stump wrote:
> On 02/06/2018 10:53 AM, Pino Toscano wrote:
> > On Tuesday, 6 February 2018 16:40:04 CET Daniel P. Berrangé wrote:
> >> When you tell virt-builder to install extra RPMs, this potentially
> >> loses the SELinux labelling that Anaconda had originally setup. Thus we
> >> must tell virt-builder to enable SELinux relabelling.
> >>
> >> Signed-off-by: Daniel P. Berrangé <berrange at redhat.com>
> >> ---
> >> lib/Sys/Virt/TCK.pm | 2 +-
> >> 1 file changed, 1 insertion(+), 1 deletion(-)
> >>
> >> diff --git a/lib/Sys/Virt/TCK.pm b/lib/Sys/Virt/TCK.pm
> >> index e9da8d2..b39f578 100644
> >> --- a/lib/Sys/Virt/TCK.pm
> >> +++ b/lib/Sys/Virt/TCK.pm
> >> @@ -405,7 +405,7 @@ sub create_virt_builder_disk {
> >> }
> >>
> >> print "# running virt-builder $osname\n";
> >> - system "virt-builder", "--install", "dsniff", "--root-password", "password:$password", "--output", $target, $osname;
> >> + system "virt-builder", "--install", "dsniff", "--selinux-relabel", "--root-password", "password:$password", "--output", $target, $osname;
> >>
> >> die "cannot run virt-builder: $?" if $? != 0;
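Review bot: the unchanged `die "cannot run virt-builder: $?" if $? != 0;` right after the changed `system` call reports Perl's raw wait status, not virt-builder's exit code, so a non-zero exit shows up as a multiple of 256 in the message; print `$? >> 8` (and `$? & 127` when the child died from a signal) so the failure is readable when `--selinux-relabel` or the package install step fails. Separately, `"password:$password"` still passes the root password on the command line where it is visible in the process list; a `file:` selector, if the installed virt-builder supports it, would keep it out of argv.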
> >
> > Reviewed-by: Pino Toscano <ptoscano at redhat.com>
> >
>
> This change works, but since the original image came from virt-builder,
> and virt-builder knows enough about the image to know that it should
> install packages with dnf (or yum or apt-get or whatever is appropriate
> for any given image), it should also have enough info available to
> determine on its own that the selinux labels need to be redone.
> Especially since the Fedora images provided by virt-builder have selinux
> set to enforcing, I think the default behavior in this case should be
> for virt-builder to relabel.
>
> This patch fixes the problem for libvirt-tck, but I can imagine that
> this same problem will be revisited time after time on IRC and the
> libguestfs mailing list (once the user takes the obligatory
> troubleshooting trip to discover the source of the problem). In this
> case the initial symptom was "a guest that was never logged into by a
> human was failing an automated test". There were several steps from
> there to "dhcpc was failing to get an IP address due to bad selinux
> labels", and then learning via IRC that the labels were incorrect
> because extra packages are installed with the image mounted on the
> libguestfs appliance, which runs with selinux disabled.
>
> What is preventing virt-builder from automatically making a correct
> determination about whether or not relabeling must be done?
Yes, in fact I think it could go further and just call
SELinux_relabel.relabel on every guest, since that code just ignores
non-SELinux guests.
Basically the reasons it doesn't do this are historical and possibly a
fear of breaking if some guest has broken SELinux files. We could
retain the ‘--no-selinux-relabel’ flag to mean don't do any
relabelling.
Rich.
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
libguestfs lets you edit virtual machines. Supports shell scripting,
bindings from many languages. http://libguestfs.org