From 6ea415aa049adaa8339e36a90e7ca6592e7090a4 Mon Sep 17 00:00:00 2001
From: "Richard W.M. Jones"
Date: Wed, 13 Jul 2016 18:34:21 +0100
Subject: [PATCH] customize: Add module for doing SELinux relabel of filesystem (RHBZ#554829, RHBZ#983969, RHBZ#1089100). This implements the --selinux-relabel option for virt-customize, virt-builder and virt-sysprep. There is no need to autorelabel functionality now. Thanks: Stephen Smalley (cherry picked from commit f3c69fe60bc29ebfcef0ea9d86d407e1a88686b0)
---
 builder/Makefile.am | 1 +
 builder/virt-builder.pod | 18 ++++++--------
 customize/Makefile.am | 2 ++
 customize/SELinux_relabel.ml | 57 +++++++++++++++++++++++++++++++++++++++++++
 customize/SELinux_relabel.mli | 29 ++++++++++++++++++++++
 customize/customize_run.ml | 14 +----------
 po/POTFILES-ml | 1 +
 sysprep/Makefile.am | 1 +
 8 files changed, 100 insertions(+), 23 deletions(-)
 create mode 100644 customize/SELinux_relabel.ml
 create mode 100644 customize/SELinux_relabel.mli
diff --git a/builder/Makefile.am b/builder/Makefile.am
index d69e7ec..d306293 100644
--- a/builder/Makefile.am
+++ b/builder/Makefile.am
@@ -154,6 +154,7 @@ BOBJECTS = \
 $(top_builddir)/customize/perl_edit.cmo \
 $(top_builddir)/customize/crypt.cmo \
 $(top_builddir)/customize/password.cmo \
+ $(top_builddir)/customize/SELinux_relabel.cmo \
 $(top_builddir)/customize/ssh_key.cmo \
 $(top_builddir)/customize/subscription_manager.cmo \
 $(top_builddir)/customize/customize_cmdline.cmo \
diff --git a/builder/virt-builder.pod b/builder/virt-builder.pod
index 5e344de..4209245 100644
--- a/builder/virt-builder.pod
+++ b/builder/virt-builder.pod
@@ -1754,20 +1754,19 @@ two possible strategies it can use to ensure correct labelling:
 =item Using I<--selinux-relabel>
-This runs L just before finalizing the guest, which sets
+This runs L just before finalizing the guest, which sets
 SELinux labels correctly in the disk image.
-Sometimes fixfiles is not possible during installation, in which case
-this option falls back on:
+This is the recommended method.
-=item Touching F
+=item I<--touch> F
-Guest templates may already contain a file called F, or
-it is touched if I<--selinux-relabel> cannot run fixfiles.
+Guest templates may already contain a file called F or
+you may touch it.
-For guests that use SELinux, this causes fixfiles to run at first
-boot. Guests will reboot themselves once the first time you use them,
-which is normal and harmless.
+For guests that use SELinux, this causes L to run at
+first boot. Guests will reboot themselves once the first time you use
+them, which is normal and harmless.
 =back
@@ -1876,7 +1875,6 @@ L, L, L, L, -L, L. =head1 AUTHOR
diff --git a/customize/Makefile.am b/customize/Makefile.am
index 05f144f..9b48e8f 100644
--- a/customize/Makefile.am
+++ b/customize/Makefile.am
@@ -43,6 +43,7 @@ SOURCES_MLI = \
 password.mli \
 perl_edit.mli \
 random_seed.mli \
+ SELinux_relabel.mli \
 ssh_key.mli \
 subscription_manager.mli \
 timezone.mli \
@@ -58,6 +59,7 @@ SOURCES_ML = \
 password.ml \
 perl_edit.ml \
 random_seed.ml \
+ SELinux_relabel.ml \
 ssh_key.ml \
 subscription_manager.ml \
 timezone.ml \
diff --git a/customize/SELinux_relabel.ml b/customize/SELinux_relabel.ml
new file mode 100644
index 0000000..fa9603c
--- /dev/null
+++ b/customize/SELinux_relabel.ml
@@ -0,0 +1,57 @@
+(* virt-customize
+ * Copyright (C) 2016 Red Hat Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *)
+
+open Common_gettext.Gettext
+open Common_utils
+
+open Printf
+
+module G = Guestfs
+
+let relabel (g : G.guestfs) =
+ (* Is the guest using SELinux? *)
+ if g#is_file ~followsymlinks:true "/usr/sbin/load_policy" &&
+ g#is_file ~followsymlinks:true "/etc/selinux/config" then (
+ (* Is setfiles / SELinux relabelling functionality available? *)
+ if g#feature_available [| "selinuxrelabel" |] then (
+ (* Use Augeas to parse /etc/selinux/config. *)
+ g#aug_init "/" (16+32) (* AUG_SAVE_NOOP | AUG_NO_LOAD *);
+ (* See: https://bugzilla.redhat.com/show_bug.cgi?id=975412#c0 *)
+ ignore (g#aug_rm "/augeas/load/*[\"/etc/selinux/config/\" !~ regexp('^') + glob(incl) + regexp('/.*')]");
+ g#aug_load ();
+ debug_augeas_errors g;
+
+ (* Get the SELinux policy name, eg. "targeted", "minimum". *)
+ let policy = g#aug_get "/files/etc/selinux/config/SELINUXTYPE" in
+ g#aug_close ();
+
+ (* Get the spec file name. *)
+ let specfile =
+ sprintf "/etc/selinux/%s/contexts/files/file_contexts" policy in
+
+ (* Relabel everything. *)
+ g#selinux_relabel ~force:true specfile "/";
+
+ (* If that worked, we don't need to autorelabel. *)
+ g#rm_f "/.autorelabel"
+ )
+ else (
+ (* SELinux guest, but not SELinux host. Fallback to this. *)
+ g#touch "/.autorelabel"
+ )
+ )
diff --git a/customize/SELinux_relabel.mli b/customize/SELinux_relabel.mli
new file mode 100644
index 0000000..7b4f7ff
--- /dev/null
+++ b/customize/SELinux_relabel.mli
@@ -0,0 +1,29 @@
+(* virt-customize
+ * Copyright (C) 2016 Red Hat Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *)
+
+(** SELinux-relabel the filesystem. *)
+
+val relabel : Guestfs.guestfs -> unit
+(** Relabel the mounted guestfs filesystem using the current SELinux
+ policy that applies to the guest.
+
+ If the guest does not look like it uses SELinux, this does nothing.
+
+ In case relabelling is not possible (since it is an optional
+ feature which requires the setfiles(8) program), instead we
+ fall back to touching [/.autorelabel]. *)
diff --git a/customize/customize_run.ml b/customize/customize_run.ml
index 10647fd..7d1c806 100644
--- a/customize/customize_run.ml
+++ b/customize/customize_run.ml
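Review bot: A relabel failure is fatal here rather than deferred: `g#aug_get` raises `G.Error` when `/etc/selinux/config` has no `SELINUXTYPE` entry (and `g#aug_close` is then skipped), and `g#selinux_relabel` raises when setfiles fails, so the comment `(* If that worked, we don't need to autorelabel. *)` describes a fallback that does not exist and the exception propagates out of `relabel` (the customize_run.ml hunk adds no handler at the call site, where the removed shell version printed "will relabel at boot instead" and carried on). Since the policy name comes from the guest image, the spec file it names may also be absent; checking `g#is_file specfile` first and treating `G.Error` like the missing-feature branch — warn, then `g#touch "/.autorelabel"` — keeps the first-boot relabel behaviour. The silent `else` branch should say what it is doing as well, e.g. `warning (f_"SELinux relabelling not available, will relabel at first boot")`.
```ocaml
      (* Get the spec file name. *)
      let specfile =
        sprintf "/etc/selinux/%s/contexts/files/file_contexts" policy in

      if not (g#is_file specfile) then (
        warning (f_"SELinux file contexts %s not found, will relabel at first boot")
          specfile;
        g#touch "/.autorelabel"
      ) else (
        (* Relabel everything.  A setfiles failure must not abort the
         * customization: defer the relabel to first boot instead. *)
        try
          g#selinux_relabel ~force:true specfile "/";
          g#rm_f "/.autorelabel"
        with G.Error msg ->
          warning (f_"SELinux relabelling failed (%s), will relabel at first boot")
            msg;
          g#touch "/.autorelabel"
      )
    )
    else (
      (* SELinux guest, but not SELinux host.  Fallback to this. *)
      warning (f_"SELinux relabelling not available, will relabel at first boot");
      g#touch "/.autorelabel"
    )
```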
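Review bot: The doc comment on `relabel` promises a fallback whenever "relabelling is not possible", but the implementation only falls back when the `selinuxrelabel` feature is missing; a missing `SELINUXTYPE` entry or a setfiles failure surfaces to the caller as an exception. Either add `@raise Guestfs.Error if [/etc/selinux/config] has no [SELINUXTYPE] entry or if setfiles fails.` to the comment, or, if the implementation is changed to catch it, say that such failures are deferred to first boot. The comment also leaves out that a successful relabel removes [/.autorelabel].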
@@ -412,19 +412,7 @@ exec >>%s 2>&1
 if ops.flags.selinux_relabel then (
 message (f_"SELinux relabelling");
- if guest_arch_compatible then (
- let cmd = sprintf "
- if load_policy && fixfiles restore; then
- rm -f /.autorelabel
- else
- touch /.autorelabel
- echo '%s: SELinux relabelling failed, will relabel at boot instead.'
- fi
- " prog in
- do_run ~display:"load_policy && fixfiles restore" cmd
- ) else (
- g#touch "/.autorelabel"
- )
+ SELinux_relabel.relabel g
 );
 (* Clean up the log file:
diff --git a/po/POTFILES-ml b/po/POTFILES-ml
index 4ea49a5..f5e8eba 100644
--- a/po/POTFILES-ml
+++ b/po/POTFILES-ml
@@ -17,6 +17,7 @@ builder/sources.ml
 builder/utils.ml
 builder/yajl.ml
 builder/yajl_tests.ml
+customize/SELinux_relabel.ml
 customize/crypt.ml
 customize/customize_cmdline.ml
 customize/customize_main.ml
diff --git a/sysprep/Makefile.am b/sysprep/Makefile.am
index 46cc324..b689aef 100644
--- a/sysprep/Makefile.am
+++ b/sysprep/Makefile.am
@@ -122,6 +122,7 @@ BOBJECTS = \
 $(top_builddir)/customize/timezone.cmo \
 $(top_builddir)/customize/firstboot.cmo \
 $(top_builddir)/customize/perl_edit.cmo \
+ $(top_builddir)/customize/SELinux_relabel.cmo \
 $(top_builddir)/customize/ssh_key.cmo \
 $(top_builddir)/customize/subscription_manager.cmo \
 $(top_builddir)/customize/customize_cmdline.cmo \
-- 1.8.3.1