Fix SELinux relabelling in Linux split-/usr

resolves: RHEL-109129
2025-08-13 20:39:53 +01:00 · 2025-08-13 20:39:53 +01:00 · d9a3e3e03f
commit d9a3e3e03f
parent 1663b01889
6 changed files with 210 additions and 8 deletions
--- a/0004-builder-Replace-cpu-host-with-cpu-max-in-example.patch
+++ b/0004-builder-Replace-cpu-host-with-cpu-max-in-example.patch
@ -0,0 +1,30 @@
+From 2e93abca5acaa69cd6fd08b70079e8f432539076 Mon Sep 17 00:00:00 2001
+From: "Richard W.M. Jones" <rjones@redhat.com>
+Date: Mon, 16 Jun 2025 21:47:41 +0100
+Subject: [PATCH] builder: Replace -cpu host with -cpu max in example
+
+When KVM isn't present, some versions of qemu may print:
+
+  qemu-system-x86_64: Could not access KVM kernel module: No such file or directory
+  qemu-system-x86_64: failed to initialize kvm: No such file or directory
+  qemu-system-x86_64: falling back to tcg
+  qemu-system-x86_64: CPU model 'host' requires KVM or HVF
+
+Use -cpu max instead which should work in both cases.
+---
+ builder/virt-builder.pod | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/builder/virt-builder.pod b/builder/virt-builder.pod
+index 05bef1e05..ff0ec250c 100644
+--- a/builder/virt-builder.pod
+++ b/builder/virt-builder.pod
+@@ -1043,7 +1043,7 @@ following could be used to boot the virtual machine:
+ 
+  qemu-system-x86_64 \
+    -machine accel=kvm:tcg \
+-   -cpu host \
+   -cpu max \
+    -m 2048 \
+    -drive file=disk.img,format=raw,if=virtio
+ 
--- a/0005-customize-Fixes-for-selinux-relabelling-and-Windows-.patch
+++ b/0005-customize-Fixes-for-selinux-relabelling-and-Windows-.patch
@ -0,0 +1,142 @@
+From ea0f9cf0743c3e50a996a9d7ec488d58a9312b11 Mon Sep 17 00:00:00 2001
+From: "Richard W.M. Jones" <rjones@redhat.com>
+Date: Wed, 13 Aug 2025 16:51:39 +0100
+Subject: [PATCH] customize: Fixes for selinux relabelling and Windows
+ firstboot
+
+This updates the common submodule to add the fixes below.  These
+changes allow SELinux relabelling to work correctly on Linux split-
+/usr configurations, and allow Windows firstboot scripts to be
+deferred until after a reboot.
+
+The SELinux relabelling change requires libguestfs >= 1.57.1 (for the
+new guestfs_setfiles API).
+
+  Richard W.M. Jones (4):
+      mlstdutils: Add List.combine4 function
+      mlcustomize/SELinux_relabel.ml: Add comment
+      mlcustomize/SELinux_relabel.ml: Use new guestfs_setfiles API
+      mlcustomize/SELinux_relabel.ml: Relabel every mountpoint
+
+  Vadim Rozenfeld (1):
+      Modify the firstboot script to check the scripts execution return status
+
+Fixes: https://issues.redhat.com/browse/RHEL-108174
+Related: https://issues.redhat.com/browse/RHEL-100682
+---
+ common                  | 2 +-
+ m4/guestfs-libraries.m4 | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+Submodule common d4a81e9dd..89f1eb2d3:
+diff --git a/common/mlcustomize/SELinux_relabel.ml b/common/mlcustomize/SELinux_relabel.ml
+index 2f3a09bf7..f1729e3f4 100644
+--- a/common/mlcustomize/SELinux_relabel.ml
+++ b/common/mlcustomize/SELinux_relabel.ml
+@@ -1,5 +1,5 @@
+ (* virt-customize
+- * Copyright (C) 2016 Red Hat Inc.
+ * Copyright (C) 2016-2025 Red Hat Inc.
+  *
+  * This program is free software; you can redistribute it and/or modify
+  * it under the terms of the GNU General Public License as published by
+@@ -24,6 +24,10 @@ open Printf
+ 
+ module G = Guestfs
+ 
+(* XXX A lot of this code could usefully be moved into
+ * [libguestfs.git/daemon/selinux.ml].
+ *)
+
+ let rec relabel (g : G.guestfs) =
+   (* Is the guest using SELinux?  (Otherwise this is a no-op). *)
+   if is_selinux_guest g then (
+@@ -109,5 +113,13 @@ and use_setfiles g =
+     g#copy_attributes ~all:true old_specfile specfile
+   );
+ 
+  (* Get the list of mountpoints, since setfiles does not cross
+   * filesystems (RHEL-108174).
+   *)
+  let mps = g#mountpoints () |>
+            List.map snd |>       (* the list of directories *)
+            List.sort compare |>  (* sort them for consistency *)
+            Array.of_list in
+
+   (* Relabel everything. *)
+-  g#selinux_relabel ~force:true specfile "/"
+  g#setfiles ~force:true specfile mps
+diff --git a/common/mlcustomize/firstboot.ml b/common/mlcustomize/firstboot.ml
+index 6aca4c34a..5f2642b06 100644
+--- a/common/mlcustomize/firstboot.ml
+++ b/common/mlcustomize/firstboot.ml
+@@ -305,13 +305,19 @@ if not exist \"%%scripts_done%%\" (
+ :: Pick the next script to run.
+ for %%%%f in (\"%%scripts%%\"\\*.bat) do (
+   echo running \"%%%%f\"
+-  move \"%%%%f\" \"%%scripts_done%%\"
+-  pushd \"%%scripts_done%%\"
+  pushd \"%%scripts%%\"
+   call \"%%%%~nf\"
+   set elvl=!errorlevel!
+   echo .... exit code !elvl!
+   popd
+ 
+  if !elvl! NEQ 249 (
+    echo Script succeeded, moving to scripts-done
+    move \"%%%%f\" \"%%scripts_done%%\"
+  ) else (
+    echo Script failed, will retry on next boot
+  )
+
+   :: Reboot the computer.  This is necessary to free any locked
+   :: files which may prevent later scripts from running.
+   shutdown /r /t 0 /y
+diff --git a/common/mlstdutils/std_utils.ml b/common/mlstdutils/std_utils.ml
+index 4850a5598..16032d992 100644
+--- a/common/mlstdutils/std_utils.ml
+++ b/common/mlstdutils/std_utils.ml
+@@ -80,6 +80,12 @@ module List = struct
+       | x::xs, y::ys, z::zs -> (x, y, z) :: combine3 xs ys zs
+       | _ -> invalid_arg "combine3"
+ 
+    let rec combine4 ws xs ys zs =
+      match ws, xs, ys, zs with
+      | [], [], [], [] -> []
+      | w::ws, x::xs, y::ys, z::zs -> (w, x, y, z) :: combine4 ws xs ys zs
+      | _ -> invalid_arg "combine4"
+
+     let rec assoc_lbl ?(cmp = Stdlib.compare) ~default x = function
+       | [] -> default
+       | (y, y') :: _ when cmp x y = 0 -> y'
+diff --git a/common/mlstdutils/std_utils.mli b/common/mlstdutils/std_utils.mli
+index fe6bf1a7c..a20e720c2 100644
+--- a/common/mlstdutils/std_utils.mli
+++ b/common/mlstdutils/std_utils.mli
+@@ -106,6 +106,11 @@ module List : sig
+     (** Like {!List.combine} but for triples.
+         All lists must be the same length. *)
+ 
+    val combine4 : 'a list -> 'b list -> 'c list -> 'd list ->
+                   ('a * 'b * 'c * 'd) list
+    (** Like {!List.combine} but for 4-tuples.
+        All lists must be the same length. *)
+
+     val assoc_lbl : ?cmp:('a -> 'a -> int) -> default:'b -> 'a -> ('a * 'b) list -> 'b
+     (** Like {!assoc} but with a user-defined comparison function, and
+         instead of raising [Not_found], it returns the [~default] value. *)
+diff --git a/m4/guestfs-libraries.m4 b/m4/guestfs-libraries.m4
+index c9fbf58b2..82e62d54f 100644
+--- a/m4/guestfs-libraries.m4
+++ b/m4/guestfs-libraries.m4
+@@ -19,8 +19,8 @@ dnl Any C libraries required by the libguestfs C library (not the daemon).
+ 
+ dnl Of course we need libguestfs.
+ dnl
+-dnl We need libguestfs 1.55.6 for guestfs_sh_out.
+-PKG_CHECK_MODULES([LIBGUESTFS], [libguestfs >= 1.55.6])
+dnl We need libguestfs 1.57.1 for guestfs_setfiles.
+PKG_CHECK_MODULES([LIBGUESTFS], [libguestfs >= 1.57.1])
+ printf "libguestfs version is "; $PKG_CONFIG --modversion libguestfs
+ 
+ dnl Test if it's GNU or XSI strerror_r.
--- a/0006-RHEL-Reject-use-of-libguestfs-winsupport-features-ex.patch
+++ b/0006-RHEL-Reject-use-of-libguestfs-winsupport-features-ex.patch
@ -1,4 +1,4 @@
-From 38a47670f0699232cd040e7cffa2c815a69531c3 Mon Sep 17 00:00:00 2001
+From 437a345d32fc4f495b116f67747e9ff56e7a6cc7 Mon Sep 17 00:00:00 2001
 From: "Richard W.M. Jones" <rjones@redhat.com>
 Date: Tue, 7 Jul 2015 09:28:03 -0400
 Subject: [PATCH] RHEL: Reject use of libguestfs-winsupport features except for
--- a/0007-RHEL-builder-Disable-opensuse-repository.patch
+++ b/0007-RHEL-builder-Disable-opensuse-repository.patch
@ -1,4 +1,4 @@
-From 0e49c685d5176879d83cfd7c89ceb4901ca3b90c Mon Sep 17 00:00:00 2001
+From e0f2a5aa132293d1e5bb3c87a2ff61975a2d91a7 Mon Sep 17 00:00:00 2001
 From: "Richard W.M. Jones" <rjones@redhat.com>
 Date: Mon, 21 Nov 2022 13:03:22 +0000
 Subject: [PATCH] RHEL: builder: Disable opensuse repository
--- a/0008-RHEL-10-m4-Depend-on-libguestfs-1.56.1-2.el10-for-gu.patch
+++ b/0008-RHEL-10-m4-Depend-on-libguestfs-1.56.1-2.el10-for-gu.patch
@ -0,0 +1,25 @@
+From d7dde127ee7a669db3aad1ddb637abd0cdc075b4 Mon Sep 17 00:00:00 2001
+From: "Richard W.M. Jones" <rjones@redhat.com>
+Date: Wed, 13 Aug 2025 18:03:09 +0100
+Subject: [PATCH] RHEL 10: m4: Depend on libguestfs 1.56.1-2.el10 for
+ guestfs_setfiles
+
+---
+ m4/guestfs-libraries.m4 | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/m4/guestfs-libraries.m4 b/m4/guestfs-libraries.m4
+index 82e62d54f..86fdd0262 100644
+--- a/m4/guestfs-libraries.m4
+++ b/m4/guestfs-libraries.m4
+@@ -19,8 +19,8 @@ dnl Any C libraries required by the libguestfs C library (not the daemon).
+ 
+ dnl Of course we need libguestfs.
+ dnl
+-dnl We need libguestfs 1.57.1 for guestfs_setfiles.
+-PKG_CHECK_MODULES([LIBGUESTFS], [libguestfs >= 1.57.1])
+dnl We need libguestfs 1.56.1-2.el10 for guestfs_setfiles.
+PKG_CHECK_MODULES([LIBGUESTFS], [libguestfs >= 1.56.1])
+ printf "libguestfs version is "; $PKG_CONFIG --modversion libguestfs
+ 
+ dnl Test if it's GNU or XSI strerror_r.
--- a/guestfs-tools.spec
+++ b/guestfs-tools.spec
@ -16,7 +16,7 @@
 Summary:       Tools to access and modify virtual machine disk images
 Name:          guestfs-tools
 Version:       1.54.0
-Release:       2%{?dist}
+Release:       3%{?dist}
 License:       GPL-2.0-or-later AND LGPL-2.0-or-later

 # Build only for architectures that have a kernel
@ -48,15 +48,18 @@ Source3:       copy-patches.sh
 Patch0001:     0001-docs-Move-release-note-about-GNU-gettext-to-build-se.patch
 Patch0002:     0002-builder-Build-fedora-42-template.patch
 Patch0003:     0003-builder-Update-link-to-templates-to-use-https.patch
-Patch0004:     0004-RHEL-Reject-use-of-libguestfs-winsupport-features-ex.patch
-Patch0005:     0005-RHEL-builder-Disable-opensuse-repository.patch
+Patch0004:     0004-builder-Replace-cpu-host-with-cpu-max-in-example.patch
+Patch0005:     0005-customize-Fixes-for-selinux-relabelling-and-Windows-.patch
+Patch0006:     0006-RHEL-Reject-use-of-libguestfs-winsupport-features-ex.patch
+Patch0007:     0007-RHEL-builder-Disable-opensuse-repository.patch
+Patch0008:     0008-RHEL-10-m4-Depend-on-libguestfs-1.56.1-2.el10-for-gu.patch

 # Basic build requirements.
 BuildRequires: autoconf, automake, libtool, gettext-devel
 BuildRequires: gcc, gcc-c++
 BuildRequires: make
 BuildRequires: glibc-utils
-BuildRequires: libguestfs-devel >= 1:1.49.8-1
+BuildRequires: libguestfs-devel >= 1:1.56.1-2.el10
 BuildRequires: libguestfs-xfs
 BuildRequires: perl(Pod::Simple)
 BuildRequires: perl(Pod::Man)
@ -105,7 +108,7 @@ BuildRequires: gnupg2
 # Ensure a minimum version of libguestfs is installed.  This contains
 # a workaround for openssl bug RHBZ#2133884 and the hang where we
 # called setenv between fork and exec.
-Requires:      libguestfs >= 1.49.6-1
+Requires:      libguestfs >= 1:1.56.1-2.el10

 # For virt-builder:
 Requires:      curl
@ -403,7 +406,7 @@ end


 %changelog
-* Tue Jun 10 2025 Richard W.M. Jones <rjones@redhat.com> - 1.54.0-2
+* Wed Aug 13 2025 Richard W.M. Jones <rjones@redhat.com> - 1.54.0-3
 - Rebase to guestfs-tools 1.54.0
  resolves: RHEL-81734
 - virt-builder, virt-v2v & other tools with -v and --install causes dnf5 error
@ -412,6 +415,8 @@ end
  resolves: RHEL-92604
 - builder: Update link to templates to use https
  resolves: RHEL-94873
+- Fix SELinux relabelling in Linux split-/usr
+  resolves: RHEL-109129

 * Wed Oct 30 2024 Richard W.M. Jones <rjones@redhat.com> - 1.52.2-2
 - Rebase to guestfs-tools 1.52.2