217 lines
9.5 KiB
Diff
217 lines
9.5 KiB
Diff
From b3398f6e90056ac0e38bd0a9751e7aca4316555e Mon Sep 17 00:00:00 2001
|
|
From: Laszlo Ersek <lersek@redhat.com>
|
|
Date: Tue, 10 May 2022 12:53:07 +0200
|
|
Subject: [PATCH] adopt inversion of SELinux relabeling in virt-customize
|
|
|
|
Remove "--selinux-relabel" options.
|
|
|
|
Do not add any "--no-selinux-relabel" options; rely on the internal check
|
|
for SELinux support instead ("is_selinux_guest" in
|
|
"common/mlcustomize/SELinux_relabel.ml").
|
|
|
|
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1554735
|
|
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2075718
|
|
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
|
|
Message-Id: <20220510105307.15402-1-lersek@redhat.com>
|
|
Acked-by: Richard W.M. Jones <rjones@redhat.com>
|
|
[lersek@redhat.com: incorporate common submodule update]
|
|
(cherry picked from commit 0c24fc6015ce7719acff3bcead7eb227b6de3f21)
|
|
---
|
|
common | 2 +-
|
|
tests/test-v2v-conversion-of.sh | 7 -------
|
|
2 files changed, 1 insertion(+), 8 deletions(-)
|
|
|
|
Submodule common 0a231b3e..48527b87:
|
|
diff --git a/common/mlcustomize/customize-options.pod b/common/mlcustomize/customize-options.pod
|
|
index 71b545da..a83c80a5 100644
|
|
--- a/common/mlcustomize/customize-options.pod
|
|
+++ b/common/mlcustomize/customize-options.pod
|
|
@@ -206,6 +206,19 @@ the image was built, use this option.
|
|
|
|
See also: L</LOG FILE>.
|
|
|
|
+=item B<--no-selinux-relabel>
|
|
+
|
|
+Do not attempt to correct the SELinux labels of files in the guest.
|
|
+
|
|
+In such guests that support SELinux, customization automatically
|
|
+relabels files so that they have the correct SELinux label. (The
|
|
+relabeling is performed immediately, but if the operation fails,
|
|
+customization will instead touch F</.autorelabel> on the image to
|
|
+schedule a relabel operation for the next time the image boots.) This
|
|
+option disables the automatic relabeling.
|
|
+
|
|
+The option is a no-op for guests that do not support SELinux.
|
|
+
|
|
=item B<--password> USER:SELECTOR
|
|
|
|
Set the password for C<USER>. (Note this option does I<not>
|
|
@@ -297,16 +310,6 @@ It cannot delete directories, only regular files.
|
|
|
|
=back
|
|
|
|
-=item B<--selinux-relabel>
|
|
-
|
|
-Relabel files in the guest so that they have the correct SELinux label.
|
|
-
|
|
-This will attempt to relabel files immediately, but if the operation fails
|
|
-this will instead touch F</.autorelabel> on the image to schedule a
|
|
-relabel operation for the next time the image boots.
|
|
-
|
|
-You should only use this option for guests which support SELinux.
|
|
-
|
|
=item B<--sm-attach> SELECTOR
|
|
|
|
Attach to a pool using C<subscription-manager>.
|
|
diff --git a/common/mlcustomize/customize-synopsis.pod b/common/mlcustomize/customize-synopsis.pod
|
|
index 5f185408..25208538 100644
|
|
--- a/common/mlcustomize/customize-synopsis.pod
|
|
+++ b/common/mlcustomize/customize-synopsis.pod
|
|
@@ -12,5 +12,5 @@
|
|
[--truncate-recursive PATH] [--timezone TIMEZONE] [--touch FILE]
|
|
[--uninstall PKG,PKG..] [--update] [--upload FILE:DEST]
|
|
[--write FILE:CONTENT] [--no-logfile]
|
|
- [--password-crypto md5|sha256|sha512] [--selinux-relabel]
|
|
+ [--password-crypto md5|sha256|sha512] [--no-selinux-relabel]
|
|
[--sm-credentials SELECTOR]
|
|
diff --git a/common/mlcustomize/customize_cmdline.ml b/common/mlcustomize/customize_cmdline.ml
|
|
index 9326baa0..5d404e84 100644
|
|
--- a/common/mlcustomize/customize_cmdline.ml
|
|
+++ b/common/mlcustomize/customize_cmdline.ml
|
|
@@ -109,8 +109,8 @@ and flags = {
|
|
(* --no-logfile *)
|
|
password_crypto : Password.password_crypto option;
|
|
(* --password-crypto md5|sha256|sha512 *)
|
|
- selinux_relabel : bool;
|
|
- (* --selinux-relabel *)
|
|
+ no_selinux_relabel : bool;
|
|
+ (* --no-selinux-relabel *)
|
|
sm_credentials : Subscription_manager.sm_credentials option;
|
|
(* --sm-credentials SELECTOR *)
|
|
}
|
|
@@ -121,7 +121,7 @@ let rec argspec () =
|
|
let ops = ref [] in
|
|
let scrub_logfile = ref false in
|
|
let password_crypto = ref None in
|
|
- let selinux_relabel = ref false in
|
|
+ let no_selinux_relabel = ref false in
|
|
let sm_credentials = ref None in
|
|
|
|
let rec get_ops () = {
|
|
@@ -131,7 +131,7 @@ let rec argspec () =
|
|
and get_flags () = {
|
|
scrub_logfile = !scrub_logfile;
|
|
password_crypto = !password_crypto;
|
|
- selinux_relabel = !selinux_relabel;
|
|
+ no_selinux_relabel = !no_selinux_relabel;
|
|
sm_credentials = !sm_credentials;
|
|
}
|
|
in
|
|
@@ -459,11 +459,11 @@ let rec argspec () =
|
|
),
|
|
Some "md5|sha256|sha512", "When the virt tools change or set a password in the guest, this\noption sets the password encryption of that password to\nC<md5>, C<sha256> or C<sha512>.\n\nC<sha256> and C<sha512> require glibc E<ge> 2.7 (check crypt(3) inside\nthe guest).\n\nC<md5> will work with relatively old Linux guests (eg. RHEL 3), but\nis not secure against modern attacks.\n\nThe default is C<sha512> unless libguestfs detects an old guest that\ndidn't have support for SHA-512, in which case it will use C<md5>.\nYou can override libguestfs by specifying this option.\n\nNote this does not change the default password encryption used\nby the guest when you create new user accounts inside the guest.\nIf you want to do that, then you should use the I<--edit> option\nto modify C</etc/sysconfig/authconfig> (Fedora, RHEL) or\nC</etc/pam.d/common-password> (Debian, Ubuntu).";
|
|
(
|
|
- [ L"selinux-relabel" ],
|
|
- Getopt.Set selinux_relabel,
|
|
- s_"Relabel files with correct SELinux labels"
|
|
+ [ L"no-selinux-relabel" ],
|
|
+ Getopt.Set no_selinux_relabel,
|
|
+ s_"Do not relabel files with correct SELinux labels"
|
|
),
|
|
- None, "Relabel files in the guest so that they have the correct SELinux label.\n\nThis will attempt to relabel files immediately, but if the operation fails\nthis will instead touch F</.autorelabel> on the image to schedule a\nrelabel operation for the next time the image boots.\n\nYou should only use this option for guests which support SELinux.";
|
|
+ None, "Do not attempt to correct the SELinux labels of files in the guest.\n\nIn such guests that support SELinux, customization automatically\nrelabels files so that they have the correct SELinux label. (The\nrelabeling is performed immediately, but if the operation fails,\ncustomization will instead touch F</.autorelabel> on the image to\nschedule a relabel operation for the next time the image boots.) This\noption disables the automatic relabeling.\n\nThe option is a no-op for guests that do not support SELinux.";
|
|
(
|
|
[ L"sm-credentials" ],
|
|
Getopt.String (
|
|
diff --git a/common/mlcustomize/customize_cmdline.mli b/common/mlcustomize/customize_cmdline.mli
|
|
index 14eda49e..7ee882a6 100644
|
|
--- a/common/mlcustomize/customize_cmdline.mli
|
|
+++ b/common/mlcustomize/customize_cmdline.mli
|
|
@@ -101,8 +101,8 @@ and flags = {
|
|
(* --no-logfile *)
|
|
password_crypto : Password.password_crypto option;
|
|
(* --password-crypto md5|sha256|sha512 *)
|
|
- selinux_relabel : bool;
|
|
- (* --selinux-relabel *)
|
|
+ no_selinux_relabel : bool;
|
|
+ (* --no-selinux-relabel *)
|
|
sm_credentials : Subscription_manager.sm_credentials option;
|
|
(* --sm-credentials SELECTOR *)
|
|
}
|
|
diff --git a/common/mlcustomize/test-firstboot.sh b/common/mlcustomize/test-firstboot.sh
|
|
index b9069975..24c67f3e 100755
|
|
--- a/common/mlcustomize/test-firstboot.sh
|
|
+++ b/common/mlcustomize/test-firstboot.sh
|
|
@@ -61,9 +61,6 @@ case "$guestname" in
|
|
extra[${#extra[*]}]='/etc/inittab:
|
|
s,^#([1-9].*respawn.*/sbin/getty.*),$1,'
|
|
;;
|
|
- fedora*|rhel*|centos*)
|
|
- extra[${#extra[*]}]='--selinux-relabel'
|
|
- ;;
|
|
*)
|
|
;;
|
|
esac
|
|
diff --git a/common/mlcustomize/test-selinuxrelabel.sh b/common/mlcustomize/test-selinuxrelabel.sh
|
|
index 86278c63..caf75211 100755
|
|
--- a/common/mlcustomize/test-selinuxrelabel.sh
|
|
+++ b/common/mlcustomize/test-selinuxrelabel.sh
|
|
@@ -41,13 +41,12 @@ virt-builder "$guestname" --quiet -o "$disk"
|
|
# Test #1: relabel with the default configuration works.
|
|
rm -f "$disk_overlay"
|
|
guestfish -- disk-create "$disk_overlay" qcow2 -1 backingfile:"$disk"
|
|
-virt-customize -a "$disk" --selinux-relabel
|
|
+virt-customize -a "$disk"
|
|
|
|
# Test #2: relabel with no SELINUXTYPE in the configuration.
|
|
rm -f "$disk_overlay"
|
|
guestfish -- disk-create "$disk_overlay" qcow2 -1 backingfile:"$disk"
|
|
virt-customize -a "$disk" \
|
|
- --edit /etc/selinux/config:"s,^SELINUXTYPE=,#&,g" \
|
|
- --selinux-relabel
|
|
+ --edit /etc/selinux/config:"s,^SELINUXTYPE=,#&,g"
|
|
|
|
rm "$disk" "$disk_overlay"
|
|
diff --git a/common/options/uri.c b/common/options/uri.c
|
|
index 6b696fc2..84d393c1 100644
|
|
--- a/common/options/uri.c
|
|
+++ b/common/options/uri.c
|
|
@@ -135,7 +135,7 @@ parse (const char *arg, char **path_ret, char **protocol_ret,
|
|
socket = query_get (uri, "socket");
|
|
|
|
if (uri->server && STRNEQ (uri->server, "") && socket) {
|
|
- fprintf (stderr, _("%s: %s: cannot both a server name and a socket query parameter\n"),
|
|
+ fprintf (stderr, _("%s: %s: cannot have both a server name and a socket query parameter\n"),
|
|
getprogname (), arg);
|
|
return -1;
|
|
}
|
|
@@ -347,6 +347,7 @@ make_server (xmlURIPtr uri, const char *socket, char ***ret)
|
|
*ret = malloc (sizeof (char *) * 2);
|
|
if (*ret == NULL) {
|
|
perror ("malloc");
|
|
+ free (server);
|
|
return -1;
|
|
}
|
|
(*ret)[0] = server;
|
|
diff --git a/tests/test-v2v-conversion-of.sh b/tests/test-v2v-conversion-of.sh
|
|
index 5a974d1b..5c5cae7c 100755
|
|
--- a/tests/test-v2v-conversion-of.sh
|
|
+++ b/tests/test-v2v-conversion-of.sh
|
|
@@ -53,13 +53,6 @@ fi
|
|
# Some guests need special virt-builder parameters.
|
|
# See virt-builder --notes "$guestname"
|
|
declare -a extra
|
|
-case "$guestname" in
|
|
- fedora*|rhel*|centos*)
|
|
- extra[${#extra[*]}]='--selinux-relabel'
|
|
- ;;
|
|
- *)
|
|
- ;;
|
|
-esac
|
|
|
|
# Don't try to update Windows versions.
|
|
case "$guestname" in
|
|
--
|
|
2.31.1
|
|
|