Fix SELinux relabelling in Linux split-/usr

resolves: RHEL-109129
2025-08-13 20:39:53 +01:00 · 2025-08-13 20:39:53 +01:00 · d9a3e3e03f
commit d9a3e3e03f
parent 1663b01889
6 changed files with 210 additions and 8 deletions
--- a/0004-builder-Replace-cpu-host-with-cpu-max-in-example.patch
+++ b/0004-builder-Replace-cpu-host-with-cpu-max-in-example.patch
@ -0,0 +1,30 @@
 From 2e93abca5acaa69cd6fd08b70079e8f432539076 Mon Sep 17 00:00:00 2001
 From: "Richard W.M. Jones" <rjones@redhat.com>
 Date: Mon, 16 Jun 2025 21:47:41 +0100
 Subject: [PATCH] builder: Replace -cpu host with -cpu max in example
 When KVM isn't present, some versions of qemu may print:
  qemu-system-x86_64: Could not access KVM kernel module: No such file or directory
  qemu-system-x86_64: failed to initialize kvm: No such file or directory
  qemu-system-x86_64: falling back to tcg
  qemu-system-x86_64: CPU model 'host' requires KVM or HVF
 Use -cpu max instead which should work in both cases.
 ---
 builder/virt-builder.pod | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/builder/virt-builder.pod b/builder/virt-builder.pod
 index 05bef1e05..ff0ec250c 100644
 --- a/builder/virt-builder.pod
 +++ b/builder/virt-builder.pod
@@ -1043,7 +1043,7 @@ following could be used to boot the virtual machine:
  qemu-system-x86_64 \
    -machine accel=kvm:tcg \
 -   -cpu host \
 +   -cpu max \
    -m 2048 \
    -drive file=disk.img,format=raw,if=virtio
--- a/0005-customize-Fixes-for-selinux-relabelling-and-Windows-.patch
+++ b/0005-customize-Fixes-for-selinux-relabelling-and-Windows-.patch
@ -0,0 +1,142 @@
 From ea0f9cf0743c3e50a996a9d7ec488d58a9312b11 Mon Sep 17 00:00:00 2001
 From: "Richard W.M. Jones" <rjones@redhat.com>
 Date: Wed, 13 Aug 2025 16:51:39 +0100
 Subject: [PATCH] customize: Fixes for selinux relabelling and Windows
 firstboot
 This updates the common submodule to add the fixes below.  These
 changes allow SELinux relabelling to work correctly on Linux split-
 /usr configurations, and allow Windows firstboot scripts to be
 deferred until after a reboot.
 The SELinux relabelling change requires libguestfs >= 1.57.1 (for the
 new guestfs_setfiles API).
  Richard W.M. Jones (4):
      mlstdutils: Add List.combine4 function
      mlcustomize/SELinux_relabel.ml: Add comment
      mlcustomize/SELinux_relabel.ml: Use new guestfs_setfiles API
      mlcustomize/SELinux_relabel.ml: Relabel every mountpoint
  Vadim Rozenfeld (1):
      Modify the firstboot script to check the scripts execution return status
 Fixes: https://issues.redhat.com/browse/RHEL-108174
 Related: https://issues.redhat.com/browse/RHEL-100682
 ---
 common                  | 2 +-
 m4/guestfs-libraries.m4 | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
 Submodule common d4a81e9dd..89f1eb2d3:
 diff --git a/common/mlcustomize/SELinux_relabel.ml b/common/mlcustomize/SELinux_relabel.ml
 index 2f3a09bf7..f1729e3f4 100644
 --- a/common/mlcustomize/SELinux_relabel.ml
 +++ b/common/mlcustomize/SELinux_relabel.ml
@@ -1,5 +1,5 @@
 (* virt-customize
 - * Copyright (C) 2016 Red Hat Inc.
 + * Copyright (C) 2016-2025 Red Hat Inc.
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -24,6 +24,10 @@ open Printf
 module G = Guestfs
 +(* XXX A lot of this code could usefully be moved into
 + * [libguestfs.git/daemon/selinux.ml].
 + *)
 +
 let rec relabel (g : G.guestfs) =
   (* Is the guest using SELinux?  (Otherwise this is a no-op). *)
   if is_selinux_guest g then (
@@ -109,5 +113,13 @@ and use_setfiles g =
     g#copy_attributes ~all:true old_specfile specfile
   );
 +  (* Get the list of mountpoints, since setfiles does not cross
 +   * filesystems (RHEL-108174).
 +   *)
 +  let mps = g#mountpoints () |>
 +            List.map snd |>       (* the list of directories *)
 +            List.sort compare |>  (* sort them for consistency *)
 +            Array.of_list in
 +
   (* Relabel everything. *)
 -  g#selinux_relabel ~force:true specfile "/"
 +  g#setfiles ~force:true specfile mps
 diff --git a/common/mlcustomize/firstboot.ml b/common/mlcustomize/firstboot.ml
 index 6aca4c34a..5f2642b06 100644
 --- a/common/mlcustomize/firstboot.ml
 +++ b/common/mlcustomize/firstboot.ml
@@ -305,13 +305,19 @@ if not exist \"%%scripts_done%%\" (
 :: Pick the next script to run.
 for %%%%f in (\"%%scripts%%\"\\*.bat) do (
   echo running \"%%%%f\"
 -  move \"%%%%f\" \"%%scripts_done%%\"
 -  pushd \"%%scripts_done%%\"
 +  pushd \"%%scripts%%\"
   call \"%%%%~nf\"
   set elvl=!errorlevel!
   echo .... exit code !elvl!
   popd
 +  if !elvl! NEQ 249 (
 +    echo Script succeeded, moving to scripts-done
 +    move \"%%%%f\" \"%%scripts_done%%\"
 +  ) else (
 +    echo Script failed, will retry on next boot
 +  )
 +
   :: Reboot the computer.  This is necessary to free any locked
   :: files which may prevent later scripts from running.
   shutdown /r /t 0 /y
 diff --git a/common/mlstdutils/std_utils.ml b/common/mlstdutils/std_utils.ml
 index 4850a5598..16032d992 100644
 --- a/common/mlstdutils/std_utils.ml
 +++ b/common/mlstdutils/std_utils.ml
@@ -80,6 +80,12 @@ module List = struct
       | x::xs, y::ys, z::zs -> (x, y, z) :: combine3 xs ys zs
       | _ -> invalid_arg "combine3"
 +    let rec combine4 ws xs ys zs =
 +      match ws, xs, ys, zs with
 +      | [], [], [], [] -> []
 +      | w::ws, x::xs, y::ys, z::zs -> (w, x, y, z) :: combine4 ws xs ys zs
 +      | _ -> invalid_arg "combine4"
 +
     let rec assoc_lbl ?(cmp = Stdlib.compare) ~default x = function
       | [] -> default
       | (y, y') :: _ when cmp x y = 0 -> y'
 diff --git a/common/mlstdutils/std_utils.mli b/common/mlstdutils/std_utils.mli
 index fe6bf1a7c..a20e720c2 100644
 --- a/common/mlstdutils/std_utils.mli
 +++ b/common/mlstdutils/std_utils.mli
@@ -106,6 +106,11 @@ module List : sig
     (** Like {!List.combine} but for triples.
         All lists must be the same length. *)
 +    val combine4 : 'a list -> 'b list -> 'c list -> 'd list ->
 +                   ('a * 'b * 'c * 'd) list
 +    (** Like {!List.combine} but for 4-tuples.
 +        All lists must be the same length. *)
 +
     val assoc_lbl : ?cmp:('a -> 'a -> int) -> default:'b -> 'a -> ('a * 'b) list -> 'b
     (** Like {!assoc} but with a user-defined comparison function, and
         instead of raising [Not_found], it returns the [~default] value. *)
 diff --git a/m4/guestfs-libraries.m4 b/m4/guestfs-libraries.m4
 index c9fbf58b2..82e62d54f 100644
 --- a/m4/guestfs-libraries.m4
 +++ b/m4/guestfs-libraries.m4
@@ -19,8 +19,8 @@ dnl Any C libraries required by the libguestfs C library (not the daemon).
 dnl Of course we need libguestfs.
 dnl
 -dnl We need libguestfs 1.55.6 for guestfs_sh_out.
 -PKG_CHECK_MODULES([LIBGUESTFS], [libguestfs >= 1.55.6])
 +dnl We need libguestfs 1.57.1 for guestfs_setfiles.
 +PKG_CHECK_MODULES([LIBGUESTFS], [libguestfs >= 1.57.1])
 printf "libguestfs version is "; $PKG_CONFIG --modversion libguestfs
 dnl Test if it's GNU or XSI strerror_r.
--- a/0006-RHEL-Reject-use-of-libguestfs-winsupport-features-ex.patch
+++ b/0006-RHEL-Reject-use-of-libguestfs-winsupport-features-ex.patch
@ -1,4 +1,4 @@
-From 38a47670f0699232cd040e7cffa2c815a69531c3 Mon Sep 17 00:00:00 2001
+From 437a345d32fc4f495b116f67747e9ff56e7a6cc7 Mon Sep 17 00:00:00 2001
 From: "Richard W.M. Jones" <rjones@redhat.com>
 Date: Tue, 7 Jul 2015 09:28:03 -0400
 Subject: [PATCH] RHEL: Reject use of libguestfs-winsupport features except for
--- a/0007-RHEL-builder-Disable-opensuse-repository.patch
+++ b/0007-RHEL-builder-Disable-opensuse-repository.patch
@ -1,4 +1,4 @@
-From 0e49c685d5176879d83cfd7c89ceb4901ca3b90c Mon Sep 17 00:00:00 2001
+From e0f2a5aa132293d1e5bb3c87a2ff61975a2d91a7 Mon Sep 17 00:00:00 2001
 From: "Richard W.M. Jones" <rjones@redhat.com>
 Date: Mon, 21 Nov 2022 13:03:22 +0000
 Subject: [PATCH] RHEL: builder: Disable opensuse repository
--- a/0008-RHEL-10-m4-Depend-on-libguestfs-1.56.1-2.el10-for-gu.patch
+++ b/0008-RHEL-10-m4-Depend-on-libguestfs-1.56.1-2.el10-for-gu.patch
@ -0,0 +1,25 @@
 From d7dde127ee7a669db3aad1ddb637abd0cdc075b4 Mon Sep 17 00:00:00 2001
 From: "Richard W.M. Jones" <rjones@redhat.com>
 Date: Wed, 13 Aug 2025 18:03:09 +0100
 Subject: [PATCH] RHEL 10: m4: Depend on libguestfs 1.56.1-2.el10 for
 guestfs_setfiles
 ---
 m4/guestfs-libraries.m4 | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 diff --git a/m4/guestfs-libraries.m4 b/m4/guestfs-libraries.m4
 index 82e62d54f..86fdd0262 100644
 --- a/m4/guestfs-libraries.m4
 +++ b/m4/guestfs-libraries.m4
@@ -19,8 +19,8 @@ dnl Any C libraries required by the libguestfs C library (not the daemon).
 dnl Of course we need libguestfs.
 dnl
 -dnl We need libguestfs 1.57.1 for guestfs_setfiles.
 -PKG_CHECK_MODULES([LIBGUESTFS], [libguestfs >= 1.57.1])
 +dnl We need libguestfs 1.56.1-2.el10 for guestfs_setfiles.
 +PKG_CHECK_MODULES([LIBGUESTFS], [libguestfs >= 1.56.1])
 printf "libguestfs version is "; $PKG_CONFIG --modversion libguestfs
 dnl Test if it's GNU or XSI strerror_r.
--- a/guestfs-tools.spec
+++ b/guestfs-tools.spec
@ -16,7 +16,7 @@
 Summary:       Tools to access and modify virtual machine disk images
 Name:          guestfs-tools
 Version:       1.54.0
-Release:       2%{?dist}
+Release:       3%{?dist}
 License:       GPL-2.0-or-later AND LGPL-2.0-or-later
 # Build only for architectures that have a kernel
@ -48,15 +48,18 @@ Source3:       copy-patches.sh
 Patch0001:     0001-docs-Move-release-note-about-GNU-gettext-to-build-se.patch
 Patch0002:     0002-builder-Build-fedora-42-template.patch
 Patch0003:     0003-builder-Update-link-to-templates-to-use-https.patch
-Patch0004:     0004-RHEL-Reject-use-of-libguestfs-winsupport-features-ex.patch
+Patch0004:     0004-builder-Replace-cpu-host-with-cpu-max-in-example.patch
-Patch0005:     0005-RHEL-builder-Disable-opensuse-repository.patch
+Patch0005:     0005-customize-Fixes-for-selinux-relabelling-and-Windows-.patch
 Patch0006:     0006-RHEL-Reject-use-of-libguestfs-winsupport-features-ex.patch
 Patch0007:     0007-RHEL-builder-Disable-opensuse-repository.patch
 Patch0008:     0008-RHEL-10-m4-Depend-on-libguestfs-1.56.1-2.el10-for-gu.patch
 # Basic build requirements.
 BuildRequires: autoconf, automake, libtool, gettext-devel
 BuildRequires: gcc, gcc-c++
 BuildRequires: make
 BuildRequires: glibc-utils
-BuildRequires: libguestfs-devel >= 1:1.49.8-1
+BuildRequires: libguestfs-devel >= 1:1.56.1-2.el10
 BuildRequires: libguestfs-xfs
 BuildRequires: perl(Pod::Simple)
 BuildRequires: perl(Pod::Man)
@ -105,7 +108,7 @@ BuildRequires: gnupg2
 # Ensure a minimum version of libguestfs is installed.  This contains
 # a workaround for openssl bug RHBZ#2133884 and the hang where we
 # called setenv between fork and exec.
-Requires:      libguestfs >= 1.49.6-1
+Requires:      libguestfs >= 1:1.56.1-2.el10
 # For virt-builder:
 Requires:      curl
@ -403,7 +406,7 @@ end
 %changelog
-* Tue Jun 10 2025 Richard W.M. Jones <rjones@redhat.com> - 1.54.0-2
+* Wed Aug 13 2025 Richard W.M. Jones <rjones@redhat.com> - 1.54.0-3
 - Rebase to guestfs-tools 1.54.0
  resolves: RHEL-81734
 - virt-builder, virt-v2v & other tools with -v and --install causes dnf5 error
@ -412,6 +415,8 @@ end
  resolves: RHEL-92604
 - builder: Update link to templates to use https
  resolves: RHEL-94873
 - Fix SELinux relabelling in Linux split-/usr
  resolves: RHEL-109129
 * Wed Oct 30 2024 Richard W.M. Jones <rjones@redhat.com> - 1.52.2-2
 - Rebase to guestfs-tools 1.52.2