From 6ea415aa049adaa8339e36a90e7ca6592e7090a4 Mon Sep 17 00:00:00 2001

From: "Richard W.M. Jones" <rjones@redhat.com>

Date: Wed, 13 Jul 2016 18:34:21 +0100

Subject: [PATCH] customize: Add module for doing SELinux relabel of filesystem

 (RHBZ#554829, RHBZ#983969, RHBZ#1089100).

This implements the --selinux-relabel option for virt-customize,

virt-builder and virt-sysprep.  There is no need to autorelabel

functionality now.

Thanks: Stephen Smalley

(cherry picked from commit f3c69fe60bc29ebfcef0ea9d86d407e1a88686b0)

---

 builder/Makefile.am           |  1 +

 builder/virt-builder.pod      | 18 ++++++--------

 customize/Makefile.am         |  2 ++

 customize/SELinux_relabel.ml  | 57 +++++++++++++++++++++++++++++++++++++++++++

 customize/SELinux_relabel.mli | 29 ++++++++++++++++++++++

 customize/customize_run.ml    | 14 +----------

 po/POTFILES-ml                |  1 +

 sysprep/Makefile.am           |  1 +

 8 files changed, 100 insertions(+), 23 deletions(-)

 create mode 100644 customize/SELinux_relabel.ml

 create mode 100644 customize/SELinux_relabel.mli

diff --git a/builder/Makefile.am b/builder/Makefile.am

index d69e7ec..d306293 100644

--- a/builder/Makefile.am

+++ b/builder/Makefile.am

@@ -154,6 +154,7 @@ BOBJECTS = \

 	$(top_builddir)/customize/perl_edit.cmo \

 	$(top_builddir)/customize/crypt.cmo \

 	$(top_builddir)/customize/password.cmo \

+	$(top_builddir)/customize/SELinux_relabel.cmo \

 	$(top_builddir)/customize/ssh_key.cmo \

 	$(top_builddir)/customize/subscription_manager.cmo \

 	$(top_builddir)/customize/customize_cmdline.cmo \

diff --git a/builder/virt-builder.pod b/builder/virt-builder.pod

index 5e344de..4209245 100644

--- a/builder/virt-builder.pod

+++ b/builder/virt-builder.pod

@@ -1754,20 +1754,19 @@ two possible strategies it can use to ensure correct labelling:

 =item Using I<--selinux-relabel>

-This runs L<fixfiles(8)> just before finalizing the guest, which sets

+This runs L<setfiles(8)> just before finalizing the guest, which sets

 SELinux labels correctly in the disk image.

-Sometimes fixfiles is not possible during installation, in which case

-this option falls back on:

+This is the recommended method.

-=item Touching F</.autorelabel>

+=item I<--touch> F</.autorelabel>

-Guest templates may already contain a file called F</.autorelabel>, or

-it is touched if I<--selinux-relabel> cannot run fixfiles.

+Guest templates may already contain a file called F</.autorelabel> or

+you may touch it.

-For guests that use SELinux, this causes fixfiles to run at first

-boot.  Guests will reboot themselves once the first time you use them,

-which is normal and harmless.

+For guests that use SELinux, this causes L<restorecon(8)> to run at

+first boot.  Guests will reboot themselves once the first time you use

+them, which is normal and harmless.

 =back

@@ -1876,7 +1875,6 @@ L<gpg(1)>,

 L<curl(1)>,

 L<virt-make-fs(1)>,

 L<genisoimage(1)>,

-L<fixfiles(8)>,

 L<http://libguestfs.org/>.

 =head1 AUTHOR

diff --git a/customize/Makefile.am b/customize/Makefile.am

index 05f144f..9b48e8f 100644

--- a/customize/Makefile.am

+++ b/customize/Makefile.am

@@ -43,6 +43,7 @@ SOURCES_MLI = \

 	password.mli \

 	perl_edit.mli \

 	random_seed.mli \

+	SELinux_relabel.mli \

 	ssh_key.mli \

 	subscription_manager.mli \

 	timezone.mli \

@@ -58,6 +59,7 @@ SOURCES_ML = \

 	password.ml \

 	perl_edit.ml \

 	random_seed.ml \

+	SELinux_relabel.ml \

 	ssh_key.ml \

 	subscription_manager.ml \

 	timezone.ml \

diff --git a/customize/SELinux_relabel.ml b/customize/SELinux_relabel.ml

new file mode 100644

index 0000000..fa9603c

--- /dev/null

+++ b/customize/SELinux_relabel.ml

@@ -0,0 +1,57 @@

+(* virt-customize

+ * Copyright (C) 2016 Red Hat Inc.

+ *

+ * This program is free software; you can redistribute it and/or modify

+ * it under the terms of the GNU General Public License as published by

+ * the Free Software Foundation; either version 2 of the License, or

+ * (at your option) any later version.

+ *

+ * This program is distributed in the hope that it will be useful,

+ * but WITHOUT ANY WARRANTY; without even the implied warranty of

+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

+ * GNU General Public License for more details.

+ *

+ * You should have received a copy of the GNU General Public License along

+ * with this program; if not, write to the Free Software Foundation, Inc.,

+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.

+ *)

+

+open Common_gettext.Gettext

+open Common_utils

+

+open Printf

+

+module G = Guestfs

+

+let relabel (g : G.guestfs) =

+  (* Is the guest using SELinux? *)

+  if g#is_file ~followsymlinks:true "/usr/sbin/load_policy" &&

+     g#is_file ~followsymlinks:true "/etc/selinux/config" then (

+    (* Is setfiles / SELinux relabelling functionality available? *)

+    if g#feature_available [| "selinuxrelabel" |] then (

+      (* Use Augeas to parse /etc/selinux/config. *)

+      g#aug_init "/" (16+32) (* AUG_SAVE_NOOP | AUG_NO_LOAD *);

+      (* See: https://bugzilla.redhat.com/show_bug.cgi?id=975412#c0 *)

+      ignore (g#aug_rm "/augeas/load/*[\"/etc/selinux/config/\" !~ regexp('^') + glob(incl) + regexp('/.*')]");

+      g#aug_load ();

+      debug_augeas_errors g;

+

+      (* Get the SELinux policy name, eg. "targeted", "minimum". *)

+      let policy = g#aug_get "/files/etc/selinux/config/SELINUXTYPE" in

+      g#aug_close ();

+

+      (* Get the spec file name. *)

+      let specfile =

+        sprintf "/etc/selinux/%s/contexts/files/file_contexts" policy in

+

+      (* Relabel everything. *)

+      g#selinux_relabel ~force:true specfile "/";

+

+      (* If that worked, we don't need to autorelabel. *)

+      g#rm_f "/.autorelabel"

+    )

+    else (

+      (* SELinux guest, but not SELinux host.  Fallback to this. *)

+      g#touch "/.autorelabel"

+    )

+  )

diff --git a/customize/SELinux_relabel.mli b/customize/SELinux_relabel.mli

new file mode 100644

index 0000000..7b4f7ff

--- /dev/null

+++ b/customize/SELinux_relabel.mli

@@ -0,0 +1,29 @@

+(* virt-customize

+ * Copyright (C) 2016 Red Hat Inc.

+ *

+ * This program is free software; you can redistribute it and/or modify

+ * it under the terms of the GNU General Public License as published by

+ * the Free Software Foundation; either version 2 of the License, or

+ * (at your option) any later version.

+ *

+ * This program is distributed in the hope that it will be useful,

+ * but WITHOUT ANY WARRANTY; without even the implied warranty of

+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

+ * GNU General Public License for more details.

+ *

+ * You should have received a copy of the GNU General Public License along

+ * with this program; if not, write to the Free Software Foundation, Inc.,

+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.

+ *)

+

+(** SELinux-relabel the filesystem. *)

+

+val relabel : Guestfs.guestfs -> unit

+(** Relabel the mounted guestfs filesystem using the current SELinux

+    policy that applies to the guest.

+

+    If the guest does not look like it uses SELinux, this does nothing.

+

+    In case relabelling is not possible (since it is an optional

+    feature which requires the setfiles(8) program), instead we

+    fall back to touching [/.autorelabel]. *)

diff --git a/customize/customize_run.ml b/customize/customize_run.ml

index 10647fd..7d1c806 100644

--- a/customize/customize_run.ml

+++ b/customize/customize_run.ml

@@ -412,19 +412,7 @@ exec >>%s 2>&1

   if ops.flags.selinux_relabel then (

     message (f_"SELinux relabelling");

-    if guest_arch_compatible then (

-      let cmd = sprintf "

-        if load_policy && fixfiles restore; then

-          rm -f /.autorelabel

-        else

-          touch /.autorelabel

-          echo '%s: SELinux relabelling failed, will relabel at boot instead.'

-        fi

-      " prog in

-      do_run ~display:"load_policy && fixfiles restore" cmd

-    ) else (

-      g#touch "/.autorelabel"

-    )

+    SELinux_relabel.relabel g

   );

   (* Clean up the log file:

diff --git a/po/POTFILES-ml b/po/POTFILES-ml

index 4ea49a5..f5e8eba 100644

--- a/po/POTFILES-ml

+++ b/po/POTFILES-ml

@@ -17,6 +17,7 @@ builder/sources.ml

 builder/utils.ml

 builder/yajl.ml

 builder/yajl_tests.ml

+customize/SELinux_relabel.ml

 customize/crypt.ml

 customize/customize_cmdline.ml

 customize/customize_main.ml

diff --git a/sysprep/Makefile.am b/sysprep/Makefile.am

index 46cc324..b689aef 100644

--- a/sysprep/Makefile.am

+++ b/sysprep/Makefile.am

@@ -122,6 +122,7 @@ BOBJECTS = \

 	$(top_builddir)/customize/timezone.cmo \

 	$(top_builddir)/customize/firstboot.cmo \

 	$(top_builddir)/customize/perl_edit.cmo \

+	$(top_builddir)/customize/SELinux_relabel.cmo \

 	$(top_builddir)/customize/ssh_key.cmo \

 	$(top_builddir)/customize/subscription_manager.cmo \

 	$(top_builddir)/customize/customize_cmdline.cmo \

-- 

1.8.3.1