From b70675c87da92ca74019a177214deea2597a9b46 Mon Sep 17 00:00:00 2001
From: "Richard W.M. Jones" <rjones@redhat.com>
Date: Wed, 13 Jul 2016 21:21:07 +0100
Subject: [PATCH] lib: Deprecate old SELinux APIs, rewrite SELinux
documentation (RHBZ#1152825).
Also turns the --selinux option of guestfish, guestmount and
virt-rescue into a no-op -- it didn't work before so this is
effectively no change.
(cherry picked from commit 35bac3a6501354e4a3805877d950e741429f169b)
---
builder/builder.ml | 6 -----
customize/customize_main.ml | 5 ----
dib/dib.ml | 6 -----
fish/fish.c | 5 ++--
fish/guestfish.pod | 2 +-
fuse/guestmount.c | 5 ++--
fuse/guestmount.pod | 2 +-
generator/actions.ml | 5 ++++
rescue/rescue.c | 5 ++--
rescue/virt-rescue.pod | 3 +--
src/guestfs.pod | 59 +++++++++++++++------------------------------
test-tool/test-tool.c | 1 -
tests/selinux/run-test.pl | 2 --
13 files changed, 33 insertions(+), 73 deletions(-)
diff --git a/builder/builder.ml b/builder/builder.ml
index ac4c748..0bffc9a 100644
--- a/builder/builder.ml
+++ b/builder/builder.ml
@@ -630,12 +630,6 @@ let main () =
may g#set_smp cmdline.smp;
g#set_network cmdline.network;
- (* Make sure to turn SELinux off to avoid awkward interactions
- * between the appliance kernel and applications/libraries interacting
- * with SELinux xattrs.
- *)
- g#set_selinux false;
-
(* The output disk is being created, so use cache=unsafe here. *)
g#add_drive_opts ~format:output_format ~cachemode:"unsafe" output_filename;
diff --git a/customize/customize_main.ml b/customize/customize_main.ml
index 1aa2fb4..7011335 100644
--- a/customize/customize_main.ml
+++ b/customize/customize_main.ml
@@ -169,11 +169,6 @@ read the man page virt-customize(1).
may g#set_memsize memsize;
may g#set_smp smp;
g#set_network network;
- (* Make sure to turn SELinux off to avoid awkward interactions
- * between the appliance kernel and applications/libraries interacting
- * with SELinux xattrs.
- *)
- g#set_selinux false;
(* Add disks. *)
add g dryrun;
diff --git a/dib/dib.ml b/dib/dib.ml
index 382c9d2..de4f242 100644
--- a/dib/dib.ml
+++ b/dib/dib.ml
@@ -634,12 +634,6 @@ let main () =
may g#set_smp cmdline.smp;
g#set_network cmdline.network;
- (* Make sure to turn SELinux off to avoid awkward interactions
- * between the appliance kernel and applications/libraries interacting
- * with SELinux xattrs.
- *)
- g#set_selinux false;
-
(* Main disk with the built image. *)
let fmt = "raw" in
let fn =
diff --git a/fish/fish.c b/fish/fish.c
index ed851ac..bf591e5 100644
--- a/fish/fish.c
+++ b/fish/fish.c
@@ -137,7 +137,7 @@ usage (int status)
" --no-progress-bars Disable progress bars\n"
" --remote[=pid] Send commands to remote %s\n"
" -r|--ro Mount read-only\n"
- " --selinux Enable SELinux support\n"
+ " --selinux For backwards compat only, does nothing\n"
" -v|--verbose Verbose messages\n"
" -V|--version Display version and exit\n"
" -w|--rw Mount read-write\n"
@@ -268,8 +268,7 @@ main (int argc, char *argv[])
}
}
} else if (STREQ (long_options[option_index].name, "selinux")) {
- if (guestfs_set_selinux (g, 1) == -1)
- exit (EXIT_FAILURE);
+ /* nothing */
} else if (STREQ (long_options[option_index].name, "keys-from-stdin")) {
keys_from_stdin = 1;
} else if (STREQ (long_options[option_index].name, "progress-bars")) {
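Review bot: The `--selinux` branch now swallows the option silently, so a script that passes it expecting SELinux support in the appliance gets no signal that the behaviour is gone; only someone who reads `--help` sees the "does nothing" text. Replacing the `/* nothing */` comment with a one-line stderr notice such as `fprintf (stderr, "warning: --selinux is deprecated and has no effect\n");` keeps old invocations working while making the change visible where it matters. The enclosing `main` begins and ends outside this hunk, so I cannot tell whether the file already has a preferred warning helper or translation macro to use instead of bare fprintf.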
diff --git a/fish/guestfish.pod b/fish/guestfish.pod
index 05105e8..bdc2298 100644
--- a/fish/guestfish.pod
+++ b/fish/guestfish.pod
@@ -407,7 +407,7 @@ See also L</OPENING DISKS FOR READ AND WRITE> below.
=item B<--selinux>
-Enable SELinux support for the guest. See L<guestfs(3)/SELINUX>.
+This option is provided for backwards compatibility and does nothing.
=item B<-v>
diff --git a/fuse/guestmount.c b/fuse/guestmount.c
index 4e9cf86..1fd2f72 100644
--- a/fuse/guestmount.c
+++ b/fuse/guestmount.c
@@ -124,7 +124,7 @@ usage (int status)
" -o|--option opt Pass extra option to FUSE\n"
" --pid-file filename Write PID to filename\n"
" -r|--ro Mount read-only\n"
- " --selinux Enable SELinux support\n"
+ " --selinux For backwards compat only, does nothing\n"
" -v|--verbose Verbose messages\n"
" -V|--version Display version and exit\n"
" -w|--rw Mount read-write\n"
@@ -228,8 +228,7 @@ main (int argc, char *argv[])
else if (STREQ (long_options[option_index].name, "fuse-help"))
fuse_help ();
else if (STREQ (long_options[option_index].name, "selinux")) {
- if (guestfs_set_selinux (g, 1) == -1)
- exit (EXIT_FAILURE);
+ /* nothing */
} else if (STREQ (long_options[option_index].name, "format")) {
OPTION_format;
} else if (STREQ (long_options[option_index].name, "keys-from-stdin")) {
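Review bot: Same concern as for guestfish: the option is still parsed but now accepted without any feedback, which hides a behaviour change from users who relied on `--selinux` when mounting an SELinux guest. A short deprecation warning in place of `/* nothing */`, e.g. `fprintf (stderr, "warning: --selinux is deprecated and has no effect\n");`, would cost nothing and avoid silent surprises. `main` starts and ends outside the hunk.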
diff --git a/fuse/guestmount.pod b/fuse/guestmount.pod
index e7f37ae..be075e5 100644
--- a/fuse/guestmount.pod
+++ b/fuse/guestmount.pod
@@ -362,7 +362,7 @@ See also L<guestfish(1)/OPENING DISKS FOR READ AND WRITE>.
=item B<--selinux>
-Enable SELinux support for the guest.
+This option is provided for backwards compatibility and does nothing.
=item B<-v>
diff --git a/generator/actions.ml b/generator/actions.ml
index 964a42b..a515c4c 100644
--- a/generator/actions.ml
+++ b/generator/actions.ml
@@ -645,6 +645,7 @@ Use C<guestfs_available> or C<guestfs_feature_available> instead." };
style = RErr, [Bool "selinux"], [];
fish_alias = ["selinux"]; config_only = true;
blocking = false;
+ deprecated_by = Some "selinux_relabel";
shortdesc = "set SELinux enabled or disabled at appliance boot";
longdesc = "\
This sets the selinux flag that is passed to the appliance
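Review bot: The `deprecated_by = Some "selinux_relabel"` added here points users at a different replacement than the rewritten SELINUX section of src/guestfs.pod in this same patch, which recommends `guestfs_setfiles` (plus the virt-customize relabel module) and never mentions selinux_relabel; a reader following the generated deprecation note and one following the manpage end up on different APIs. Whichever is the intended public replacement, the two should agree, either by changing this to `deprecated_by = Some "setfiles";` or by having the manpage name guestfs_selinux_relabel alongside guestfs_setfiles. I cannot see from the diff whether `selinux_relabel` is actually defined as an action in this generator file, so please confirm the name resolves. The longdesc of this entry continues past the end of the hunk.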
@@ -660,6 +661,7 @@ see L<guestfs(3)>." };
name = "get_selinux"; added = (1, 0, 67);
style = RBool "selinux", [], [];
blocking = false;
+ deprecated_by = Some "selinux_relabel";
shortdesc = "get SELinux enabled flag";
longdesc = "\
This returns the current setting of the selinux flag which
@@ -7315,6 +7317,7 @@ away any pending events, and deallocates all resources." };
style = RErr, [String "context"], [];
proc_nr = Some 185;
optional = Some "selinux";
+ deprecated_by = Some "selinux_relabel";
shortdesc = "set SELinux security context";
longdesc = "\
This sets the SELinux security context of the daemon
@@ -7327,6 +7330,7 @@ See the documentation about SELINUX in L<guestfs(3)>." };
style = RString "context", [], [];
proc_nr = Some 186;
optional = Some "selinux";
+ deprecated_by = Some "selinux_relabel";
shortdesc = "get SELinux security context";
longdesc = "\
This gets the SELinux security context of the daemon.
@@ -9863,6 +9867,7 @@ This option may not be specified at the same time as the C<correct> option.
name = "llz"; added = (1, 17, 6);
style = RString "listing", [Pathname "directory"], [];
proc_nr = Some 305;
+ deprecated_by = Some "lgetxattrs";
shortdesc = "list the files in a directory (long format with SELinux contexts)";
longdesc = "\
List the files in F<directory> in the format of 'ls -laZ'.
diff --git a/rescue/rescue.c b/rescue/rescue.c
index 982f3c4..f753e6d 100644
--- a/rescue/rescue.c
+++ b/rescue/rescue.c
@@ -72,7 +72,7 @@ usage (int status)
" --network Enable network\n"
" -r|--ro Access read-only\n"
" --scratch[=N] Add scratch disk(s)\n"
- " --selinux Enable SELinux\n"
+ " --selinux For backwards compat only, does nothing\n"
" --smp N Enable SMP with N >= 2 virtual CPUs\n"
" --suggest Suggest mount commands for this guest\n"
" -v|--verbose Verbose messages\n"
@@ -148,8 +148,7 @@ main (int argc, char *argv[])
else if (STREQ (long_options[option_index].name, "short-options"))
display_short_options (options);
else if (STREQ (long_options[option_index].name, "selinux")) {
- if (guestfs_set_selinux (g, 1) == -1)
- exit (EXIT_FAILURE);
+ /* nothing */
} else if (STREQ (long_options[option_index].name, "append")) {
append = optarg;
} else if (STREQ (long_options[option_index].name, "network")) {
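Review bot: Silently ignoring `--selinux` is riskier here than in guestfish, because the removed virt-rescue.pod text shows the option used to enable SELinux inside the rescue appliance; a user who opens an interactive rescue shell with `--selinux` may assume the contexts they inspect or set are being enforced. Emitting `fprintf (stderr, "warning: --selinux is deprecated and has no effect\n");` instead of the bare `/* nothing */` makes the downgrade explicit at the point of use. `main` begins and ends outside this hunk.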
diff --git a/rescue/virt-rescue.pod b/rescue/virt-rescue.pod
index bb563bc..00f03aa 100644
--- a/rescue/virt-rescue.pod
+++ b/rescue/virt-rescue.pod
@@ -209,8 +209,7 @@ command line.
=item B<--selinux>
-Enable SELinux in the rescue appliance. You should read
-L<guestfs(3)/SELINUX> before using this option.
+This option is provided for backwards compatibility and does nothing.
=item B<--smp> N
diff --git a/src/guestfs.pod b/src/guestfs.pod
index af30406..9ac7792 100644
--- a/src/guestfs.pod
+++ b/src/guestfs.pod
@@ -433,8 +433,8 @@ an X86 host).
=item *
-For SELinux guests, you may need to enable SELinux and load policy
-first. See L</SELINUX> in this manpage.
+For SELinux guests, you may need to relabel the guest after
+creating new files. See L</SELINUX> below.
=item *
@@ -486,44 +486,23 @@ L<sd-journal(3)>, L<sd_journal_open(3)>.
=head2 SELINUX
-We support SELinux guests. To ensure that labeling happens correctly
-in SELinux guests, you need to enable SELinux and load the guest's
-policy:
-
-=over 4
-
-=item 1.
-
-Before launching, do:
-
- guestfs_set_selinux (g, 1);
-
-=item 2.
-
-After mounting the guest's filesystem(s), load the policy. This
-is best done by running the L<load_policy(8)> command in the
-guest itself:
-
- guestfs_sh (g, "/usr/sbin/load_policy");
-
-(Older versions of C<load_policy> require you to specify the
-name of the policy file).
-
-=item 3.
-
-Optionally, set the security context for the API. The correct
-security context to use can only be known by inspecting the
-guest. As an example:
-
- guestfs_setcon (g, "unconfined_u:unconfined_r:unconfined_t:s0");
-
-=back
-
-This will work for running commands and editing existing files.
-
-When new files are created, you may need to label them explicitly,
-for example by running the external command
-C<restorecon pathname>.
+We support SELinux guests. However it is not possible to load the
+SELinux policy of the guest into the appliance kernel. Therefore the
+strategy for dealing with SELinux guests is to relabel them after
+making changes.
+
+In libguestfs E<ge> 1.34 there is a new API, L</guestfs_setfiles>,
+which can be used for this. To properly use this API you have to
+parse the guest SELinux configuration. See the L<virt-customize(1)>
+module F<customize/SELinux_relabel.ml> for how to do this.
+
+A simpler but slower alternative is to touch F</.autorelabel> in the
+guest, which means that the guest will relabel itself at next boot.
+
+Libguestfs E<le> 1.32 had APIs C<guestfs_set_selinux>,
+C<guestfs_get_selinux>, C<guestfs_setcon> and C<guestfs_getcon>.
+These did not work properly, are deprecated, and should not be used in
+new code.
=head2 UMASK
diff --git a/test-tool/test-tool.c b/test-tool/test-tool.c
index a5ecf5c..6699fc3 100644
--- a/test-tool/test-tool.c
+++ b/test-tool/test-tool.c
@@ -253,7 +253,6 @@ main (int argc, char *argv[])
printf ("guestfs_get_pgroup: %d\n", guestfs_get_pgroup (g));
printf ("guestfs_get_program: %s\n", guestfs_get_program (g));
printf ("guestfs_get_recovery_proc: %d\n", guestfs_get_recovery_proc (g));
- printf ("guestfs_get_selinux: %d\n", guestfs_get_selinux (g));
printf ("guestfs_get_smp: %d\n", guestfs_get_smp (g));
p = guestfs_get_tmpdir (g);
printf ("guestfs_get_tmpdir: %s\n", p ? : "(null)");
diff --git a/tests/selinux/run-test.pl b/tests/selinux/run-test.pl
index f0f241f..7e4620f 100755
--- a/tests/selinux/run-test.pl
+++ b/tests/selinux/run-test.pl
@@ -105,8 +105,6 @@ if ($test_type eq "selinux" && $test_via eq "fuse") {
# Create a filesystem that could support xattrs and SELinux labels.
my $g = Sys::Guestfs->new ();
-#$g->set_selinux (1) if $test_type eq "selinux";
-
$g->add_drive_scratch (256*1024*1024);
$g->launch ();
--
1.8.3.1