On 02/06/2018 10:53 AM, Pino Toscano wrote:
> On Tuesday, 6 February 2018 16:40:04 CET Daniel P. Berrangé wrote:
>> When you tell virt-builder to install extra RPMs, this potentially
>> loses the SELinux labelling that Anaconda had originally set up. Thus we
>> must tell virt-builder to enable SELinux relabelling.
>>
>> Signed-off-by: Daniel P. Berrangé <berrange@xxxxxxxxxx>
>> ---
>> lib/Sys/Virt/TCK.pm | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/lib/Sys/Virt/TCK.pm b/lib/Sys/Virt/TCK.pm
>> index e9da8d2..b39f578 100644
>> --- a/lib/Sys/Virt/TCK.pm
>> +++ b/lib/Sys/Virt/TCK.pm
>> @@ -405,7 +405,7 @@ sub create_virt_builder_disk {
>> }
>>
>> print "# running virt-builder $osname\n";
>> - system "virt-builder", "--install", "dsniff", "--root-password", "password:$password", "--output", $target, $osname;
>> + system "virt-builder", "--install", "dsniff", "--selinux-relabel", "--root-password", "password:$password", "--output", $target, $osname;
>>
>> die "cannot run virt-builder: $?" if $? != 0;
>
> Reviewed-by: Pino Toscano <ptoscano@xxxxxxxxxx>
>

This change works, but since the original image came from virt-builder, and virt-builder knows enough about the image to know that it should install packages with dnf (or yum or apt-get or whatever is appropriate for any given image), it should also have enough info available to determine on its own that the selinux labels need to be redone. Especially since the Fedora images provided by virt-builder have selinux set to enforcing, I think the default behavior in this case should be for virt-builder to relabel.

This patch fixes the problem for libvirt-tck, but I can imagine that this same problem will be revisited time after time on IRC and the libguestfs mailing list (once the user takes the obligatory troubleshooting trip to discover the source of the problem). In this case the initial symptom was "a guest that was never logged into by a human was failing an automated test". There were several steps from there to "dhcpc was failing to get an IP address due to bad selinux labels", and then learning via IRC that the labels were incorrect because extra packages are installed with the image mounted on the libguestfs appliance, which runs with selinux disabled.

What is preventing virt-builder from automatically making a correct determination about whether or not relabeling must be done?
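
Review bot: the new "--selinux-relabel" argument in the `system "virt-builder", ...` call is passed unconditionally for every $osname, and nothing in the code says why it is there. A short comment above the call tying the flag to "--install" (packages installed at build time can lose the labels Anaconda set up, per the commit message) would keep it from being dropped in a later cleanup and would make clear that it can go if "--install" is ever removed. It is also worth confirming that the flag is harmless for any $osname image that does not use SELinux, since the visible lines add it without any check on the guest type.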