From d9a3e3e03f360059c974c10ab9f5267096f3b6ec Mon Sep 17 00:00:00 2001
From: "Richard W.M. Jones"
Date: Wed, 13 Aug 2025 20:39:53 +0100
Subject: [PATCH] Fix SELinux relabelling in Linux split-/usr

resolves: RHEL-109129
---
 ...ace-cpu-host-with-cpu-max-in-example.patch | 30 ++++
 ...for-selinux-relabelling-and-Windows-.patch | 142 ++++++++++++++++++
 ...of-libguestfs-winsupport-features-ex.patch | 2 +-
 ...-builder-Disable-opensuse-repository.patch | 2 +-
 ...d-on-libguestfs-1.56.1-2.el10-for-gu.patch | 25 +++
 guestfs-tools.spec | 17 ++-
 6 files changed, 210 insertions(+), 8 deletions(-)
 create mode 100644 0004-builder-Replace-cpu-host-with-cpu-max-in-example.patch
 create mode 100644 0005-customize-Fixes-for-selinux-relabelling-and-Windows-.patch
 rename 0004-RHEL-Reject-use-of-libguestfs-winsupport-features-ex.patch => 0006-RHEL-Reject-use-of-libguestfs-winsupport-features-ex.patch (91%)
 rename 0005-RHEL-builder-Disable-opensuse-repository.patch => 0007-RHEL-builder-Disable-opensuse-repository.patch (94%)
 create mode 100644 0008-RHEL-10-m4-Depend-on-libguestfs-1.56.1-2.el10-for-gu.patch

diff --git a/0004-builder-Replace-cpu-host-with-cpu-max-in-example.patch b/0004-builder-Replace-cpu-host-with-cpu-max-in-example.patch
new file mode 100644
index 0000000..9949d39
--- /dev/null
+++ b/0004-builder-Replace-cpu-host-with-cpu-max-in-example.patch
@@ -0,0 +1,30 @@
+From 2e93abca5acaa69cd6fd08b70079e8f432539076 Mon Sep 17 00:00:00 2001
+From: "Richard W.M. Jones"
+Date: Mon, 16 Jun 2025 21:47:41 +0100
+Subject: [PATCH] builder: Replace -cpu host with -cpu max in example
+
+When KVM isn't present, some versions of qemu may print:
+
+ qemu-system-x86_64: Could not access KVM kernel module: No such file or directory
+ qemu-system-x86_64: failed to initialize kvm: No such file or directory
+ qemu-system-x86_64: falling back to tcg
+ qemu-system-x86_64: CPU model 'host' requires KVM or HVF
+
+Use -cpu max instead which should work in both cases.
+---
+ builder/virt-builder.pod | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/builder/virt-builder.pod b/builder/virt-builder.pod
+index 05bef1e05..ff0ec250c 100644
+--- a/builder/virt-builder.pod
++++ b/builder/virt-builder.pod
+@@ -1043,7 +1043,7 @@ following could be used to boot the virtual machine:
+ 
+ qemu-system-x86_64 \
+ -machine accel=kvm:tcg \
+- -cpu host \
++ -cpu max \
+ -m 2048 \
+ -drive file=disk.img,format=raw,if=virtio
+ 
diff --git a/0005-customize-Fixes-for-selinux-relabelling-and-Windows-.patch b/0005-customize-Fixes-for-selinux-relabelling-and-Windows-.patch
new file mode 100644
index 0000000..70b20d6
--- /dev/null
+++ b/0005-customize-Fixes-for-selinux-relabelling-and-Windows-.patch
@@ -0,0 +1,142 @@
+From ea0f9cf0743c3e50a996a9d7ec488d58a9312b11 Mon Sep 17 00:00:00 2001
+From: "Richard W.M. Jones"
+Date: Wed, 13 Aug 2025 16:51:39 +0100
+Subject: [PATCH] customize: Fixes for selinux relabelling and Windows
+ firstboot
+
+This updates the common submodule to add the fixes below. These
+changes allow SELinux relabelling to work correctly on Linux split-
+/usr configurations, and allow Windows firstboot scripts to be
+deferred until after a reboot.
+
+The SELinux relabelling change requires libguestfs >= 1.57.1 (for the
+new guestfs_setfiles API).
+
+ Richard W.M. Jones (4):
+ mlstdutils: Add List.combine4 function
+ mlcustomize/SELinux_relabel.ml: Add comment
+ mlcustomize/SELinux_relabel.ml: Use new guestfs_setfiles API
+ mlcustomize/SELinux_relabel.ml: Relabel every mountpoint
+
+ Vadim Rozenfeld (1):
+ Modify the firstboot script to check the scripts execution return status
+
+Fixes: https://issues.redhat.com/browse/RHEL-108174
+Related: https://issues.redhat.com/browse/RHEL-100682
+---
+ common | 2 +-
+ m4/guestfs-libraries.m4 | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+Submodule common d4a81e9dd..89f1eb2d3:
+diff --git a/common/mlcustomize/SELinux_relabel.ml b/common/mlcustomize/SELinux_relabel.ml
+index 2f3a09bf7..f1729e3f4 100644
+--- a/common/mlcustomize/SELinux_relabel.ml
++++ b/common/mlcustomize/SELinux_relabel.ml
+@@ -1,5 +1,5 @@
+ (* virt-customize
+- * Copyright (C) 2016 Red Hat Inc.
++ * Copyright (C) 2016-2025 Red Hat Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+@@ -24,6 +24,10 @@ open Printf
+ 
+ module G = Guestfs
+ 
++(* XXX A lot of this code could usefully be moved into
++ * [libguestfs.git/daemon/selinux.ml].
++ *)
++
+ let rec relabel (g : G.guestfs) =
+ (* Is the guest using SELinux? (Otherwise this is a no-op). *)
+ if is_selinux_guest g then (
+@@ -109,5 +113,13 @@ and use_setfiles g =
+ g#copy_attributes ~all:true old_specfile specfile
+ );
+ 
++ (* Get the list of mountpoints, since setfiles does not cross
++ * filesystems (RHEL-108174).
++ *)
++ let mps = g#mountpoints () |>
++ List.map snd |> (* the list of directories *)
++ List.sort compare |> (* sort them for consistency *)
++ Array.of_list in
++
+ (* Relabel everything. *)
+- g#selinux_relabel ~force:true specfile "/"
++ g#setfiles ~force:true specfile mps
+diff --git a/common/mlcustomize/firstboot.ml b/common/mlcustomize/firstboot.ml
+index 6aca4c34a..5f2642b06 100644
+--- a/common/mlcustomize/firstboot.ml
++++ b/common/mlcustomize/firstboot.ml
+@@ -305,13 +305,19 @@ if not exist \"%%scripts_done%%\" (
+ :: Pick the next script to run.
+ for %%%%f in (\"%%scripts%%\"\\*.bat) do (
+ echo running \"%%%%f\"
+- move \"%%%%f\" \"%%scripts_done%%\"
+- pushd \"%%scripts_done%%\"
++ pushd \"%%scripts%%\"
+ call \"%%%%~nf\"
+ set elvl=!errorlevel!
+ echo .... exit code !elvl!
+ popd
+ 
++ if !elvl! NEQ 249 (
++ echo Script succeeded, moving to scripts-done
++ move \"%%%%f\" \"%%scripts_done%%\"
++ ) else (
++ echo Script failed, will retry on next boot
++ )
++
+ :: Reboot the computer. This is necessary to free any locked
+ :: files which may prevent later scripts from running.
+ shutdown /r /t 0 /y
+diff --git a/common/mlstdutils/std_utils.ml b/common/mlstdutils/std_utils.ml
+index 4850a5598..16032d992 100644
+--- a/common/mlstdutils/std_utils.ml
++++ b/common/mlstdutils/std_utils.ml
+@@ -80,6 +80,12 @@ module List = struct
+ | x::xs, y::ys, z::zs -> (x, y, z) :: combine3 xs ys zs
+ | _ -> invalid_arg "combine3"
+ 
++ let rec combine4 ws xs ys zs =
++ match ws, xs, ys, zs with
++ | [], [], [], [] -> []
++ | w::ws, x::xs, y::ys, z::zs -> (w, x, y, z) :: combine4 ws xs ys zs
++ | _ -> invalid_arg "combine4"
++
+ let rec assoc_lbl ?(cmp = Stdlib.compare) ~default x = function
+ | [] -> default
+ | (y, y') :: _ when cmp x y = 0 -> y'
+diff --git a/common/mlstdutils/std_utils.mli b/common/mlstdutils/std_utils.mli
+index fe6bf1a7c..a20e720c2 100644
+--- a/common/mlstdutils/std_utils.mli
++++ b/common/mlstdutils/std_utils.mli
+@@ -106,6 +106,11 @@ module List : sig
+ (** Like {!List.combine} but for triples.
+ All lists must be the same length. *)
+ 
++ val combine4 : 'a list -> 'b list -> 'c list -> 'd list ->
++ ('a * 'b * 'c * 'd) list
++ (** Like {!List.combine} but for 4-tuples.
++ All lists must be the same length. *)
++
+ val assoc_lbl : ?cmp:('a -> 'a -> int) -> default:'b -> 'a -> ('a * 'b) list -> 'b
+ (** Like {!assoc} but with a user-defined comparison function, and
+ instead of raising [Not_found], it returns the [~default] value. *)
+diff --git a/m4/guestfs-libraries.m4 b/m4/guestfs-libraries.m4
+index c9fbf58b2..82e62d54f 100644
+--- a/m4/guestfs-libraries.m4
++++ b/m4/guestfs-libraries.m4
+@@ -19,8 +19,8 @@ dnl Any C libraries required by the libguestfs C library (not the daemon).
+ 
+ dnl Of course we need libguestfs.
+ dnl
+-dnl We need libguestfs 1.55.6 for guestfs_sh_out.
+-PKG_CHECK_MODULES([LIBGUESTFS], [libguestfs >= 1.55.6])
++dnl We need libguestfs 1.57.1 for guestfs_setfiles.
++PKG_CHECK_MODULES([LIBGUESTFS], [libguestfs >= 1.57.1])
+ printf "libguestfs version is "; $PKG_CONFIG --modversion libguestfs
+ 
+ dnl Test if it's GNU or XSI strerror_r.
diff --git a/0004-RHEL-Reject-use-of-libguestfs-winsupport-features-ex.patch b/0006-RHEL-Reject-use-of-libguestfs-winsupport-features-ex.patch
similarity index 91%
rename from 0004-RHEL-Reject-use-of-libguestfs-winsupport-features-ex.patch
rename to 0006-RHEL-Reject-use-of-libguestfs-winsupport-features-ex.patch
index 639b852..f9c9f16 100644
--- a/0004-RHEL-Reject-use-of-libguestfs-winsupport-features-ex.patch
+++ b/0006-RHEL-Reject-use-of-libguestfs-winsupport-features-ex.patch
@@ -1,4 +1,4 @@
-From 38a47670f0699232cd040e7cffa2c815a69531c3 Mon Sep 17 00:00:00 2001
+From 437a345d32fc4f495b116f67747e9ff56e7a6cc7 Mon Sep 17 00:00:00 2001
 From: "Richard W.M. Jones"
 Date: Tue, 7 Jul 2015 09:28:03 -0400
 Subject: [PATCH] RHEL: Reject use of libguestfs-winsupport features except for
diff --git a/0005-RHEL-builder-Disable-opensuse-repository.patch b/0007-RHEL-builder-Disable-opensuse-repository.patch
similarity index 94%
rename from 0005-RHEL-builder-Disable-opensuse-repository.patch
rename to 0007-RHEL-builder-Disable-opensuse-repository.patch
index 80bccde..200ce11 100644
--- a/0005-RHEL-builder-Disable-opensuse-repository.patch
+++ b/0007-RHEL-builder-Disable-opensuse-repository.patch
@@ -1,4 +1,4 @@
-From 0e49c685d5176879d83cfd7c89ceb4901ca3b90c Mon Sep 17 00:00:00 2001
+From e0f2a5aa132293d1e5bb3c87a2ff61975a2d91a7 Mon Sep 17 00:00:00 2001
 From: "Richard W.M. Jones"
 Date: Mon, 21 Nov 2022 13:03:22 +0000
 Subject: [PATCH] RHEL: builder: Disable opensuse repository
diff --git a/0008-RHEL-10-m4-Depend-on-libguestfs-1.56.1-2.el10-for-gu.patch b/0008-RHEL-10-m4-Depend-on-libguestfs-1.56.1-2.el10-for-gu.patch
new file mode 100644
index 0000000..b3d68be
--- /dev/null
+++ b/0008-RHEL-10-m4-Depend-on-libguestfs-1.56.1-2.el10-for-gu.patch
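Review bot: In the firstboot.ml batch fragment, `if !elvl! NEQ 249 (` treats every exit code other than 249 as success, so a script returning 1 is echoed as `Script succeeded` and moved to scripts-done, while a script that keeps returning 249 is re-run and the guest rebooted on every boot with no retry limit visible in this hunk. The value 249 is not explained anywhere in the patch; I would add a comment above the check, `:: Exit code 249 means defer this script and run it again after the next reboot; any other code is final.`, and consider a bounded retry counter so a script that never stops returning 249 cannot keep the guest in a reboot loop. If 249 really means "deferred" rather than "failed", the `Script failed, will retry on next boot` message should say deferred. In SELinux_relabel.ml, `List.sort compare |>` on the mountpoint strings could be `List.sort String.compare |>` to avoid polymorphic compare, though it is harmless here. Both enclosing definitions (the firstboot script string and `use_setfiles`) start and end outside the hunk.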
@@ -0,0 +1,25 @@
+From d7dde127ee7a669db3aad1ddb637abd0cdc075b4 Mon Sep 17 00:00:00 2001
+From: "Richard W.M. Jones"
+Date: Wed, 13 Aug 2025 18:03:09 +0100
+Subject: [PATCH] RHEL 10: m4: Depend on libguestfs 1.56.1-2.el10 for
+ guestfs_setfiles
+
+---
+ m4/guestfs-libraries.m4 | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/m4/guestfs-libraries.m4 b/m4/guestfs-libraries.m4
+index 82e62d54f..86fdd0262 100644
+--- a/m4/guestfs-libraries.m4
++++ b/m4/guestfs-libraries.m4
+@@ -19,8 +19,8 @@ dnl Any C libraries required by the libguestfs C library (not the daemon).
+ 
+ dnl Of course we need libguestfs.
+ dnl
+-dnl We need libguestfs 1.57.1 for guestfs_setfiles.
+-PKG_CHECK_MODULES([LIBGUESTFS], [libguestfs >= 1.57.1])
++dnl We need libguestfs 1.56.1-2.el10 for guestfs_setfiles.
++PKG_CHECK_MODULES([LIBGUESTFS], [libguestfs >= 1.56.1])
+ printf "libguestfs version is "; $PKG_CONFIG --modversion libguestfs
+ 
+ dnl Test if it's GNU or XSI strerror_r.
diff --git a/guestfs-tools.spec b/guestfs-tools.spec
index 6d02745..89f0d21 100644
--- a/guestfs-tools.spec
+++ b/guestfs-tools.spec
@@ -16,7 +16,7 @@ Summary: Tools to access and modify virtual machine disk images
 Name: guestfs-tools
 Version: 1.54.0
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: GPL-2.0-or-later AND LGPL-2.0-or-later
 
 # Build only for architectures that have a kernel
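Review bot: The pkg-config check `PKG_CHECK_MODULES([LIBGUESTFS], [libguestfs >= 1.56.1])` cannot express the `-2.el10` release that the `dnl` comment above it names, so a build against a plain libguestfs 1.56.1 without the backported guestfs_setfiles passes configure and only fails later with a less obvious compile or link error. Since this patch replaces the upstream 1.57.1 floor rather than adding to it, a symbol-level check after the version check would make the real requirement enforceable, e.g. `AC_CHECK_LIB([guestfs], [guestfs_setfiles], [:], [AC_MSG_ERROR([libguestfs with guestfs_setfiles is required])])`. The spec's BuildRequires carries the exact release, so this mostly matters for builds outside the RPM, but the comment and the check should at least agree on what is being required.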
@@ -48,15 +48,18 @@ Source3: copy-patches.sh
 Patch0001: 0001-docs-Move-release-note-about-GNU-gettext-to-build-se.patch
 Patch0002: 0002-builder-Build-fedora-42-template.patch
 Patch0003: 0003-builder-Update-link-to-templates-to-use-https.patch
-Patch0004: 0004-RHEL-Reject-use-of-libguestfs-winsupport-features-ex.patch
-Patch0005: 0005-RHEL-builder-Disable-opensuse-repository.patch
+Patch0004: 0004-builder-Replace-cpu-host-with-cpu-max-in-example.patch
+Patch0005: 0005-customize-Fixes-for-selinux-relabelling-and-Windows-.patch
+Patch0006: 0006-RHEL-Reject-use-of-libguestfs-winsupport-features-ex.patch
+Patch0007: 0007-RHEL-builder-Disable-opensuse-repository.patch
+Patch0008: 0008-RHEL-10-m4-Depend-on-libguestfs-1.56.1-2.el10-for-gu.patch
 
 # Basic build requirements.
 BuildRequires: autoconf, automake, libtool, gettext-devel
 BuildRequires: gcc, gcc-c++
 BuildRequires: make
 BuildRequires: glibc-utils
-BuildRequires: libguestfs-devel >= 1:1.49.8-1
+BuildRequires: libguestfs-devel >= 1:1.56.1-2.el10
 BuildRequires: libguestfs-xfs
 BuildRequires: perl(Pod::Simple)
 BuildRequires: perl(Pod::Man)
@@ -105,7 +108,7 @@ BuildRequires: gnupg2
 # Ensure a minimum version of libguestfs is installed. This contains
 # a workaround for openssl bug RHBZ#2133884 and the hang where we
 # called setenv between fork and exec.
-Requires: libguestfs >= 1.49.6-1
+Requires: libguestfs >= 1:1.56.1-2.el10
 
 # For virt-builder:
 Requires: curl
@@ -403,7 +406,7 @@ end
 
 %changelog
-* Tue Jun 10 2025 Richard W.M. Jones - 1.54.0-2
+* Wed Aug 13 2025 Richard W.M. Jones - 1.54.0-3
 - Rebase to guestfs-tools 1.54.0
   resolves: RHEL-81734
 - virt-builder, virt-v2v & other tools with -v and --install causes dnf5 error
@@ -412,6 +415,8 @@ end
   resolves: RHEL-92604
 - builder: Update link to templates to use https
   resolves: RHEL-94873
+- Fix SELinux relabelling in Linux split-/usr
+  resolves: RHEL-109129
 
 * Wed Oct 30 2024 Richard W.M. Jones - 1.52.2-2
 - Rebase to guestfs-tools 1.52.2
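Review bot: The comment above the runtime dependency in the `@@ -105,7 +108,7 @@` hunk still explains the old floor (the openssl RHBZ#2133884 workaround and the setenv hang), while the line it documents now becomes `Requires: libguestfs >= 1:1.56.1-2.el10` for a different reason, the backported guestfs_setfiles API that virt-customize calls for SELinux relabelling. I would extend it so the next bump is not guessed at: `# Ensure a minimum version of libguestfs is installed.  It must provide the guestfs_setfiles API used for SELinux relabelling (RHEL-109129), and also contains a workaround for openssl bug RHBZ#2133884 and the hang where we called setenv between fork and exec.` The new Requires also adds the `1:` epoch the old line lacked, which is worth a word in the changelog since the previous value never actually constrained an epoch-1 package. The same `1.56.1-2.el10` string is hard-coded in the BuildRequires of the `@@ -48,15 +48,18 @@` hunk; that is fine for a RHEL-only branch but means both lines must move together.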