From b70675c87da92ca74019a177214deea2597a9b46 Mon Sep 17 00:00:00 2001
From: "Richard W.M. Jones" <rjones@redhat.com>
Date: Wed, 13 Jul 2016 21:21:07 +0100
Subject: [PATCH] lib: Deprecate old SELinux APIs, rewrite SELinux
 documentation (RHBZ#1152825).

Also turns the --selinux option of guestfish, guestmount and
virt-rescue into a no-op -- it didn't work before so this is
effectively no change.

(cherry picked from commit 35bac3a6501354e4a3805877d950e741429f169b)
---
 builder/builder.ml          |  6 -----
 customize/customize_main.ml |  5 ----
 dib/dib.ml                  |  6 -----
 fish/fish.c                 |  5 ++--
 fish/guestfish.pod          |  2 +-
 fuse/guestmount.c           |  5 ++--
 fuse/guestmount.pod         |  2 +-
 generator/actions.ml        |  5 ++++
 rescue/rescue.c             |  5 ++--
 rescue/virt-rescue.pod      |  3 +--
 src/guestfs.pod             | 59 +++++++++++++++------------------------------
 test-tool/test-tool.c       |  1 -
 tests/selinux/run-test.pl   |  2 --
 13 files changed, 33 insertions(+), 73 deletions(-)

diff --git a/builder/builder.ml b/builder/builder.ml
index ac4c748..0bffc9a 100644
--- a/builder/builder.ml
+++ b/builder/builder.ml
@@ -630,12 +630,6 @@ let main () =
     may g#set_smp cmdline.smp;
     g#set_network cmdline.network;
 
-    (* Make sure to turn SELinux off to avoid awkward interactions
-     * between the appliance kernel and applications/libraries interacting
-     * with SELinux xattrs.
-     *)
-    g#set_selinux false;
-
     (* The output disk is being created, so use cache=unsafe here. *)
     g#add_drive_opts ~format:output_format ~cachemode:"unsafe" output_filename;
 
diff --git a/customize/customize_main.ml b/customize/customize_main.ml
index 1aa2fb4..7011335 100644
--- a/customize/customize_main.ml
+++ b/customize/customize_main.ml
@@ -169,11 +169,6 @@ read the man page virt-customize(1).
     may g#set_memsize memsize;
     may g#set_smp smp;
     g#set_network network;
-    (* Make sure to turn SELinux off to avoid awkward interactions
-     * between the appliance kernel and applications/libraries interacting
-     * with SELinux xattrs.
-     *)
-    g#set_selinux false;
 
     (* Add disks. *)
     add g dryrun;
diff --git a/dib/dib.ml b/dib/dib.ml
index 382c9d2..de4f242 100644
--- a/dib/dib.ml
+++ b/dib/dib.ml
@@ -634,12 +634,6 @@ let main () =
     may g#set_smp cmdline.smp;
     g#set_network cmdline.network;
 
-    (* Make sure to turn SELinux off to avoid awkward interactions
-     * between the appliance kernel and applications/libraries interacting
-     * with SELinux xattrs.
-     *)
-    g#set_selinux false;
-
     (* Main disk with the built image. *)
     let fmt = "raw" in
     let fn =
diff --git a/fish/fish.c b/fish/fish.c
index ed851ac..bf591e5 100644
--- a/fish/fish.c
+++ b/fish/fish.c
@@ -137,7 +137,7 @@ usage (int status)
               "  --no-progress-bars   Disable progress bars\n"
               "  --remote[=pid]       Send commands to remote %s\n"
               "  -r|--ro              Mount read-only\n"
-              "  --selinux            Enable SELinux support\n"
+              "  --selinux            For backwards compat only, does nothing\n"
               "  -v|--verbose         Verbose messages\n"
               "  -V|--version         Display version and exit\n"
               "  -w|--rw              Mount read-write\n"
@@ -268,8 +268,7 @@ main (int argc, char *argv[])
           }
         }
       } else if (STREQ (long_options[option_index].name, "selinux")) {
-        if (guestfs_set_selinux (g, 1) == -1)
-          exit (EXIT_FAILURE);
+        /* nothing */
       } else if (STREQ (long_options[option_index].name, "keys-from-stdin")) {
         keys_from_stdin = 1;
       } else if (STREQ (long_options[option_index].name, "progress-bars")) {
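Review bot: The `selinux` branch now falls through to a bare `/* nothing */`, so a script that passes `--selinux` expecting the old behaviour gets silent success with no hint that the option has become a no-op; the identical replacement appears in fuse/guestmount.c and rescue/rescue.c. A one-line diagnostic keeps existing command lines parsing while making the change visible, e.g. `fprintf (stderr, "warning: --selinux is deprecated and does nothing\n");` in place of the comment, or at minimum a comment that says why the branch is intentionally empty: `/* --selinux is deprecated; kept only so existing command lines still parse. */`. The usage text in the first hunk already describes the option as "For backwards compat only, does nothing", so the branch comment or message should reuse that wording rather than the unexplained `nothing`. main's body starts and ends outside the hunk.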
diff --git a/fish/guestfish.pod b/fish/guestfish.pod
index 05105e8..bdc2298 100644
--- a/fish/guestfish.pod
+++ b/fish/guestfish.pod
@@ -407,7 +407,7 @@ See also L</OPENING DISKS FOR READ AND WRITE> below.
 
 =item B<--selinux>
 
-Enable SELinux support for the guest.  See L<guestfs(3)/SELINUX>.
+This option is provided for backwards compatibility and does nothing.
 
 =item B<-v>
 
diff --git a/fuse/guestmount.c b/fuse/guestmount.c
index 4e9cf86..1fd2f72 100644
--- a/fuse/guestmount.c
+++ b/fuse/guestmount.c
@@ -124,7 +124,7 @@ usage (int status)
               "  -o|--option opt      Pass extra option to FUSE\n"
               "  --pid-file filename  Write PID to filename\n"
               "  -r|--ro              Mount read-only\n"
-              "  --selinux            Enable SELinux support\n"
+              "  --selinux            For backwards compat only, does nothing\n"
               "  -v|--verbose         Verbose messages\n"
               "  -V|--version         Display version and exit\n"
               "  -w|--rw              Mount read-write\n"
@@ -228,8 +228,7 @@ main (int argc, char *argv[])
       else if (STREQ (long_options[option_index].name, "fuse-help"))
         fuse_help ();
       else if (STREQ (long_options[option_index].name, "selinux")) {
-        if (guestfs_set_selinux (g, 1) == -1)
-          exit (EXIT_FAILURE);
+        /* nothing */
       } else if (STREQ (long_options[option_index].name, "format")) {
         OPTION_format;
       } else if (STREQ (long_options[option_index].name, "keys-from-stdin")) {
diff --git a/fuse/guestmount.pod b/fuse/guestmount.pod
index e7f37ae..be075e5 100644
--- a/fuse/guestmount.pod
+++ b/fuse/guestmount.pod
@@ -362,7 +362,7 @@ See also L<guestfish(1)/OPENING DISKS FOR READ AND WRITE>.
 
 =item B<--selinux>
 
-Enable SELinux support for the guest.
+This option is provided for backwards compatibility and does nothing.
 
 =item B<-v>
 
diff --git a/generator/actions.ml b/generator/actions.ml
index 964a42b..a515c4c 100644
--- a/generator/actions.ml
+++ b/generator/actions.ml
@@ -645,6 +645,7 @@ Use C<guestfs_available> or C<guestfs_feature_available> instead." };
     style = RErr, [Bool "selinux"], [];
     fish_alias = ["selinux"]; config_only = true;
     blocking = false;
+    deprecated_by = Some "selinux_relabel";
     shortdesc = "set SELinux enabled or disabled at appliance boot";
     longdesc = "\
 This sets the selinux flag that is passed to the appliance
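Review bot: `deprecated_by = Some "selinux_relabel"` names a replacement API that the rewritten SELINUX section of src/guestfs.pod in this same patch never mentions — that section directs readers to `guestfs_setfiles` and the virt-customize `SELinux_relabel.ml` module instead. The same value is added for get_selinux, setcon and getcon in the next three hunks, so whatever deprecation text the generator presumably derives from this field will steer callers of four APIs to one name while the manual steers them to another. Either the pod should also reference `L</guestfs_selinux_relabel>` as the preferred replacement, or these entries should point at `setfiles`; the patch alone does not show whether `selinux_relabel` is a defined action in this tree, so that should be confirmed before the generator is run. The `llz` entry's `deprecated_by = Some "lgetxattrs"` in the last hunk is consistent with its own description and needs no change.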
@@ -660,6 +661,7 @@ see L<guestfs(3)>." };
     name = "get_selinux"; added = (1, 0, 67);
     style = RBool "selinux", [], [];
     blocking = false;
+    deprecated_by = Some "selinux_relabel";
     shortdesc = "get SELinux enabled flag";
     longdesc = "\
 This returns the current setting of the selinux flag which
@@ -7315,6 +7317,7 @@ away any pending events, and deallocates all resources." };
     style = RErr, [String "context"], [];
     proc_nr = Some 185;
     optional = Some "selinux";
+    deprecated_by = Some "selinux_relabel";
     shortdesc = "set SELinux security context";
     longdesc = "\
 This sets the SELinux security context of the daemon
@@ -7327,6 +7330,7 @@ See the documentation about SELINUX in L<guestfs(3)>." };
     style = RString "context", [], [];
     proc_nr = Some 186;
     optional = Some "selinux";
+    deprecated_by = Some "selinux_relabel";
     shortdesc = "get SELinux security context";
     longdesc = "\
 This gets the SELinux security context of the daemon.
@@ -9863,6 +9867,7 @@ This option may not be specified at the same time as the C<correct> option.
     name = "llz"; added = (1, 17, 6);
     style = RString "listing", [Pathname "directory"], [];
     proc_nr = Some 305;
+    deprecated_by = Some "lgetxattrs";
     shortdesc = "list the files in a directory (long format with SELinux contexts)";
     longdesc = "\
 List the files in F<directory> in the format of 'ls -laZ'.
diff --git a/rescue/rescue.c b/rescue/rescue.c
index 982f3c4..f753e6d 100644
--- a/rescue/rescue.c
+++ b/rescue/rescue.c
@@ -72,7 +72,7 @@ usage (int status)
               "  --network            Enable network\n"
               "  -r|--ro              Access read-only\n"
               "  --scratch[=N]        Add scratch disk(s)\n"
-              "  --selinux            Enable SELinux\n"
+              "  --selinux            For backwards compat only, does nothing\n"
               "  --smp N              Enable SMP with N >= 2 virtual CPUs\n"
               "  --suggest            Suggest mount commands for this guest\n"
               "  -v|--verbose         Verbose messages\n"
@@ -148,8 +148,7 @@ main (int argc, char *argv[])
       else if (STREQ (long_options[option_index].name, "short-options"))
         display_short_options (options);
       else if (STREQ (long_options[option_index].name, "selinux")) {
-        if (guestfs_set_selinux (g, 1) == -1)
-          exit (EXIT_FAILURE);
+        /* nothing */
       } else if (STREQ (long_options[option_index].name, "append")) {
         append = optarg;
       } else if (STREQ (long_options[option_index].name, "network")) {
diff --git a/rescue/virt-rescue.pod b/rescue/virt-rescue.pod
index bb563bc..00f03aa 100644
--- a/rescue/virt-rescue.pod
+++ b/rescue/virt-rescue.pod
@@ -209,8 +209,7 @@ command line.
 
 =item B<--selinux>
 
-Enable SELinux in the rescue appliance.  You should read
-L<guestfs(3)/SELINUX> before using this option.
+This option is provided for backwards compatibility and does nothing.
 
 =item B<--smp> N
 
diff --git a/src/guestfs.pod b/src/guestfs.pod
index af30406..9ac7792 100644
--- a/src/guestfs.pod
+++ b/src/guestfs.pod
@@ -433,8 +433,8 @@ an X86 host).
 
 =item *
 
-For SELinux guests, you may need to enable SELinux and load policy
-first.  See L</SELINUX> in this manpage.
+For SELinux guests, you may need to relabel the guest after
+creating new files.  See L</SELINUX> below.
 
 =item *
 
@@ -486,44 +486,23 @@ L<sd-journal(3)>, L<sd_journal_open(3)>.
 
 =head2 SELINUX
 
-We support SELinux guests.  To ensure that labeling happens correctly
-in SELinux guests, you need to enable SELinux and load the guest's
-policy:
-
-=over 4
-
-=item 1.
-
-Before launching, do:
-
- guestfs_set_selinux (g, 1);
-
-=item 2.
-
-After mounting the guest's filesystem(s), load the policy.  This
-is best done by running the L<load_policy(8)> command in the
-guest itself:
-
- guestfs_sh (g, "/usr/sbin/load_policy");
-
-(Older versions of C<load_policy> require you to specify the
-name of the policy file).
-
-=item 3.
-
-Optionally, set the security context for the API.  The correct
-security context to use can only be known by inspecting the
-guest.  As an example:
-
- guestfs_setcon (g, "unconfined_u:unconfined_r:unconfined_t:s0");
-
-=back
-
-This will work for running commands and editing existing files.
-
-When new files are created, you may need to label them explicitly,
-for example by running the external command
-C<restorecon pathname>.
+We support SELinux guests.  However it is not possible to load the
+SELinux policy of the guest into the appliance kernel.  Therefore the
+strategy for dealing with SELinux guests is to relabel them after
+making changes.
+
+In libguestfs E<ge> 1.34 there is a new API, L</guestfs_setfiles>,
+which can be used for this.  To properly use this API you have to
+parse the guest SELinux configuration.  See the L<virt-customize(1)>
+module F<customize/SELinux_relabel.ml> for how to do this.
+
+A simpler but slower alternative is to touch F</.autorelabel> in the
+guest, which means that the guest will relabel itself at next boot.
+
+Libguestfs E<le> 1.32 had APIs C<guestfs_set_selinux>,
+C<guestfs_get_selinux>, C<guestfs_setcon> and C<guestfs_getcon>.
+These did not work properly, are deprecated, and should not be used in
+new code.
 
 =head2 UMASK
 
diff --git a/test-tool/test-tool.c b/test-tool/test-tool.c
index a5ecf5c..6699fc3 100644
--- a/test-tool/test-tool.c
+++ b/test-tool/test-tool.c
@@ -253,7 +253,6 @@ main (int argc, char *argv[])
   printf ("guestfs_get_pgroup: %d\n", guestfs_get_pgroup (g));
   printf ("guestfs_get_program: %s\n", guestfs_get_program (g));
   printf ("guestfs_get_recovery_proc: %d\n", guestfs_get_recovery_proc (g));
-  printf ("guestfs_get_selinux: %d\n", guestfs_get_selinux (g));
   printf ("guestfs_get_smp: %d\n", guestfs_get_smp (g));
   p = guestfs_get_tmpdir (g);
   printf ("guestfs_get_tmpdir: %s\n", p ? : "(null)");
diff --git a/tests/selinux/run-test.pl b/tests/selinux/run-test.pl
index f0f241f..7e4620f 100755
--- a/tests/selinux/run-test.pl
+++ b/tests/selinux/run-test.pl
@@ -105,8 +105,6 @@ if ($test_type eq "selinux" && $test_via eq "fuse") {
 # Create a filesystem that could support xattrs and SELinux labels.
 my $g = Sys::Guestfs->new ();
 
-#$g->set_selinux (1) if $test_type eq "selinux";
-
 $g->add_drive_scratch (256*1024*1024);
 $g->launch ();
 
-- 
1.8.3.1