From b70675c87da92ca74019a177214deea2597a9b46 Mon Sep 17 00:00:00 2001

From: "Richard W.M. Jones" <rjones@redhat.com>

Date: Wed, 13 Jul 2016 21:21:07 +0100

Subject: [PATCH] lib: Deprecate old SELinux APIs, rewrite SELinux

 documentation (RHBZ#1152825).

Also turns the --selinux option of guestfish, guestmount and

virt-rescue into a no-op -- it didn't work before so this is

effectively no change.

(cherry picked from commit 35bac3a6501354e4a3805877d950e741429f169b)

---

 builder/builder.ml          |  6 -----

 customize/customize_main.ml |  5 ----

 dib/dib.ml                  |  6 -----

 fish/fish.c                 |  5 ++--

 fish/guestfish.pod          |  2 +-

 fuse/guestmount.c           |  5 ++--

 fuse/guestmount.pod         |  2 +-

 generator/actions.ml        |  5 ++++

 rescue/rescue.c             |  5 ++--

 rescue/virt-rescue.pod      |  3 +--

 src/guestfs.pod             | 59 +++++++++++++++------------------------------

 test-tool/test-tool.c       |  1 -

 tests/selinux/run-test.pl   |  2 --

 13 files changed, 33 insertions(+), 73 deletions(-)

diff --git a/builder/builder.ml b/builder/builder.ml

index ac4c748..0bffc9a 100644

--- a/builder/builder.ml

+++ b/builder/builder.ml

@@ -630,12 +630,6 @@ let main () =

     may g#set_smp cmdline.smp;

     g#set_network cmdline.network;

-    (* Make sure to turn SELinux off to avoid awkward interactions

-     * between the appliance kernel and applications/libraries interacting

-     * with SELinux xattrs.

-     *)

-    g#set_selinux false;

-

     (* The output disk is being created, so use cache=unsafe here. *)

     g#add_drive_opts ~format:output_format ~cachemode:"unsafe" output_filename;

diff --git a/customize/customize_main.ml b/customize/customize_main.ml

index 1aa2fb4..7011335 100644

--- a/customize/customize_main.ml

+++ b/customize/customize_main.ml

@@ -169,11 +169,6 @@ read the man page virt-customize(1).

     may g#set_memsize memsize;

     may g#set_smp smp;

     g#set_network network;

-    (* Make sure to turn SELinux off to avoid awkward interactions

-     * between the appliance kernel and applications/libraries interacting

-     * with SELinux xattrs.

-     *)

-    g#set_selinux false;

     (* Add disks. *)

     add g dryrun;

diff --git a/dib/dib.ml b/dib/dib.ml

index 382c9d2..de4f242 100644

--- a/dib/dib.ml

+++ b/dib/dib.ml

@@ -634,12 +634,6 @@ let main () =

     may g#set_smp cmdline.smp;

     g#set_network cmdline.network;

-    (* Make sure to turn SELinux off to avoid awkward interactions

-     * between the appliance kernel and applications/libraries interacting

-     * with SELinux xattrs.

-     *)

-    g#set_selinux false;

-

     (* Main disk with the built image. *)

     let fmt = "raw" in

     let fn =

diff --git a/fish/fish.c b/fish/fish.c

index ed851ac..bf591e5 100644

--- a/fish/fish.c

+++ b/fish/fish.c

@@ -137,7 +137,7 @@ usage (int status)

               "  --no-progress-bars   Disable progress bars\n"

               "  --remote[=pid]       Send commands to remote %s\n"

               "  -r|--ro              Mount read-only\n"

-              "  --selinux            Enable SELinux support\n"

+              "  --selinux            For backwards compat only, does nothing\n"

               "  -v|--verbose         Verbose messages\n"

               "  -V|--version         Display version and exit\n"

               "  -w|--rw              Mount read-write\n"

@@ -268,8 +268,7 @@ main (int argc, char *argv[])

           }

         }

       } else if (STREQ (long_options[option_index].name, "selinux")) {

-        if (guestfs_set_selinux (g, 1) == -1)

-          exit (EXIT_FAILURE);

+        /* nothing */

       } else if (STREQ (long_options[option_index].name, "keys-from-stdin")) {

         keys_from_stdin = 1;

       } else if (STREQ (long_options[option_index].name, "progress-bars")) {

diff --git a/fish/guestfish.pod b/fish/guestfish.pod

index 05105e8..bdc2298 100644

--- a/fish/guestfish.pod

+++ b/fish/guestfish.pod

@@ -407,7 +407,7 @@ See also L</OPENING DISKS FOR READ AND WRITE> below.

 =item B<--selinux>

-Enable SELinux support for the guest.  See L<guestfs(3)/SELINUX>.

+This option is provided for backwards compatibility and does nothing.

 =item B<-v>

diff --git a/fuse/guestmount.c b/fuse/guestmount.c

index 4e9cf86..1fd2f72 100644

--- a/fuse/guestmount.c

+++ b/fuse/guestmount.c

@@ -124,7 +124,7 @@ usage (int status)

               "  -o|--option opt      Pass extra option to FUSE\n"

               "  --pid-file filename  Write PID to filename\n"

               "  -r|--ro              Mount read-only\n"

-              "  --selinux            Enable SELinux support\n"

+              "  --selinux            For backwards compat only, does nothing\n"

               "  -v|--verbose         Verbose messages\n"

               "  -V|--version         Display version and exit\n"

               "  -w|--rw              Mount read-write\n"

@@ -228,8 +228,7 @@ main (int argc, char *argv[])

       else if (STREQ (long_options[option_index].name, "fuse-help"))

         fuse_help ();

       else if (STREQ (long_options[option_index].name, "selinux")) {

-        if (guestfs_set_selinux (g, 1) == -1)

-          exit (EXIT_FAILURE);

+        /* nothing */

       } else if (STREQ (long_options[option_index].name, "format")) {

         OPTION_format;

       } else if (STREQ (long_options[option_index].name, "keys-from-stdin")) {

diff --git a/fuse/guestmount.pod b/fuse/guestmount.pod

index e7f37ae..be075e5 100644

--- a/fuse/guestmount.pod

+++ b/fuse/guestmount.pod

@@ -362,7 +362,7 @@ See also L<guestfish(1)/OPENING DISKS FOR READ AND WRITE>.

 =item B<--selinux>

-Enable SELinux support for the guest.

+This option is provided for backwards compatibility and does nothing.

 =item B<-v>

diff --git a/generator/actions.ml b/generator/actions.ml

index 964a42b..a515c4c 100644

--- a/generator/actions.ml

+++ b/generator/actions.ml

@@ -645,6 +645,7 @@ Use C<guestfs_available> or C<guestfs_feature_available> instead." };

     style = RErr, [Bool "selinux"], [];

     fish_alias = ["selinux"]; config_only = true;

     blocking = false;

+    deprecated_by = Some "selinux_relabel";

     shortdesc = "set SELinux enabled or disabled at appliance boot";

     longdesc = "\

 This sets the selinux flag that is passed to the appliance

@@ -660,6 +661,7 @@ see L<guestfs(3)>." };

     name = "get_selinux"; added = (1, 0, 67);

     style = RBool "selinux", [], [];

     blocking = false;

+    deprecated_by = Some "selinux_relabel";

     shortdesc = "get SELinux enabled flag";

     longdesc = "\

 This returns the current setting of the selinux flag which

@@ -7315,6 +7317,7 @@ away any pending events, and deallocates all resources." };

     style = RErr, [String "context"], [];

     proc_nr = Some 185;

     optional = Some "selinux";

+    deprecated_by = Some "selinux_relabel";

     shortdesc = "set SELinux security context";

     longdesc = "\

 This sets the SELinux security context of the daemon

@@ -7327,6 +7330,7 @@ See the documentation about SELINUX in L<guestfs(3)>." };

     style = RString "context", [], [];

     proc_nr = Some 186;

     optional = Some "selinux";

+    deprecated_by = Some "selinux_relabel";

     shortdesc = "get SELinux security context";

     longdesc = "\

 This gets the SELinux security context of the daemon.

@@ -9863,6 +9867,7 @@ This option may not be specified at the same time as the C<correct> option.

     name = "llz"; added = (1, 17, 6);

     style = RString "listing", [Pathname "directory"], [];

     proc_nr = Some 305;

+    deprecated_by = Some "lgetxattrs";

     shortdesc = "list the files in a directory (long format with SELinux contexts)";

     longdesc = "\

 List the files in F<directory> in the format of 'ls -laZ'.

diff --git a/rescue/rescue.c b/rescue/rescue.c

index 982f3c4..f753e6d 100644

--- a/rescue/rescue.c

+++ b/rescue/rescue.c

@@ -72,7 +72,7 @@ usage (int status)

               "  --network            Enable network\n"

               "  -r|--ro              Access read-only\n"

               "  --scratch[=N]        Add scratch disk(s)\n"

-              "  --selinux            Enable SELinux\n"

+              "  --selinux            For backwards compat only, does nothing\n"

               "  --smp N              Enable SMP with N >= 2 virtual CPUs\n"

               "  --suggest            Suggest mount commands for this guest\n"

               "  -v|--verbose         Verbose messages\n"

@@ -148,8 +148,7 @@ main (int argc, char *argv[])

       else if (STREQ (long_options[option_index].name, "short-options"))

         display_short_options (options);

       else if (STREQ (long_options[option_index].name, "selinux")) {

-        if (guestfs_set_selinux (g, 1) == -1)

-          exit (EXIT_FAILURE);

+        /* nothing */

       } else if (STREQ (long_options[option_index].name, "append")) {

         append = optarg;

       } else if (STREQ (long_options[option_index].name, "network")) {

diff --git a/rescue/virt-rescue.pod b/rescue/virt-rescue.pod

index bb563bc..00f03aa 100644

--- a/rescue/virt-rescue.pod

+++ b/rescue/virt-rescue.pod

@@ -209,8 +209,7 @@ command line.

 =item B<--selinux>

-Enable SELinux in the rescue appliance.  You should read

-L<guestfs(3)/SELINUX> before using this option.

+This option is provided for backwards compatibility and does nothing.

 =item B<--smp> N

diff --git a/src/guestfs.pod b/src/guestfs.pod

index af30406..9ac7792 100644

--- a/src/guestfs.pod

+++ b/src/guestfs.pod

@@ -433,8 +433,8 @@ an X86 host).

 =item *

-For SELinux guests, you may need to enable SELinux and load policy

-first.  See L</SELINUX> in this manpage.

+For SELinux guests, you may need to relabel the guest after

+creating new files.  See L</SELINUX> below.

 =item *

@@ -486,44 +486,23 @@ L<sd-journal(3)>, L<sd_journal_open(3)>.

 =head2 SELINUX

-We support SELinux guests.  To ensure that labeling happens correctly

-in SELinux guests, you need to enable SELinux and load the guest's

-policy:

-

-=over 4

-

-=item 1.

-

-Before launching, do:

-

- guestfs_set_selinux (g, 1);

-

-=item 2.

-

-After mounting the guest's filesystem(s), load the policy.  This

-is best done by running the L<load_policy(8)> command in the

-guest itself:

-

- guestfs_sh (g, "/usr/sbin/load_policy");

-

-(Older versions of C<load_policy> require you to specify the

-name of the policy file).

-

-=item 3.

-

-Optionally, set the security context for the API.  The correct

-security context to use can only be known by inspecting the

-guest.  As an example:

-

- guestfs_setcon (g, "unconfined_u:unconfined_r:unconfined_t:s0");

-

-=back

-

-This will work for running commands and editing existing files.

-

-When new files are created, you may need to label them explicitly,

-for example by running the external command

-C<restorecon pathname>.

+We support SELinux guests.  However it is not possible to load the

+SELinux policy of the guest into the appliance kernel.  Therefore the

+strategy for dealing with SELinux guests is to relabel them after

+making changes.

+

+In libguestfs E<ge> 1.34 there is a new API, L</guestfs_setfiles>,

+which can be used for this.  To properly use this API you have to

+parse the guest SELinux configuration.  See the L<virt-customize(1)>

+module F<customize/SELinux_relabel.ml> for how to do this.

+

+A simpler but slower alternative is to touch F</.autorelabel> in the

+guest, which means that the guest will relabel itself at next boot.

+

+Libguestfs E<le> 1.32 had APIs C<guestfs_set_selinux>,

+C<guestfs_get_selinux>, C<guestfs_setcon> and C<guestfs_getcon>.

+These did not work properly, are deprecated, and should not be used in

+new code.

 =head2 UMASK

diff --git a/test-tool/test-tool.c b/test-tool/test-tool.c

index a5ecf5c..6699fc3 100644

--- a/test-tool/test-tool.c

+++ b/test-tool/test-tool.c

@@ -253,7 +253,6 @@ main (int argc, char *argv[])

   printf ("guestfs_get_pgroup: %d\n", guestfs_get_pgroup (g));

   printf ("guestfs_get_program: %s\n", guestfs_get_program (g));

   printf ("guestfs_get_recovery_proc: %d\n", guestfs_get_recovery_proc (g));

-  printf ("guestfs_get_selinux: %d\n", guestfs_get_selinux (g));

   printf ("guestfs_get_smp: %d\n", guestfs_get_smp (g));

   p = guestfs_get_tmpdir (g);

   printf ("guestfs_get_tmpdir: %s\n", p ? : "(null)");

diff --git a/tests/selinux/run-test.pl b/tests/selinux/run-test.pl

index f0f241f..7e4620f 100755

--- a/tests/selinux/run-test.pl

+++ b/tests/selinux/run-test.pl

@@ -105,8 +105,6 @@ if ($test_type eq "selinux" && $test_via eq "fuse") {

 # Create a filesystem that could support xattrs and SELinux labels.

 my $g = Sys::Guestfs->new ();

-#$g->set_selinux (1) if $test_type eq "selinux";

-

 $g->add_drive_scratch (256*1024*1024);

 $g->launch ();

-- 

1.8.3.1