From b70675c87da92ca74019a177214deea2597a9b46 Mon Sep 17 00:00:00 2001 From: "Richard W.M. Jones" Date: Wed, 13 Jul 2016 21:21:07 +0100 Subject: [PATCH] lib: Deprecate old SELinux APIs, rewrite SELinux documentation (RHBZ#1152825). Also turns the --selinux option of guestfish, guestmount and virt-rescue into a no-op -- it didn't work before so this is effectively no change. (cherry picked from commit 35bac3a6501354e4a3805877d950e741429f169b) --- builder/builder.ml | 6 ----- customize/customize_main.ml | 5 ---- dib/dib.ml | 6 ----- fish/fish.c | 5 ++-- fish/guestfish.pod | 2 +- fuse/guestmount.c | 5 ++-- fuse/guestmount.pod | 2 +- generator/actions.ml | 5 ++++ rescue/rescue.c | 5 ++-- rescue/virt-rescue.pod | 3 +-- src/guestfs.pod | 59 +++++++++++++++------------------------------ test-tool/test-tool.c | 1 - tests/selinux/run-test.pl | 2 -- 13 files changed, 33 insertions(+), 73 deletions(-) diff --git a/builder/builder.ml b/builder/builder.ml index ac4c748..0bffc9a 100644 --- a/builder/builder.ml +++ b/builder/builder.ml @@ -630,12 +630,6 @@ let main () = may g#set_smp cmdline.smp; g#set_network cmdline.network; - (* Make sure to turn SELinux off to avoid awkward interactions - * between the appliance kernel and applications/libraries interacting - * with SELinux xattrs. - *) - g#set_selinux false; - (* The output disk is being created, so use cache=unsafe here. *) g#add_drive_opts ~format:output_format ~cachemode:"unsafe" output_filename; diff --git a/customize/customize_main.ml b/customize/customize_main.ml index 1aa2fb4..7011335 100644 --- a/customize/customize_main.ml +++ b/customize/customize_main.ml @@ -169,11 +169,6 @@ read the man page virt-customize(1). may g#set_memsize memsize; may g#set_smp smp; g#set_network network; - (* Make sure to turn SELinux off to avoid awkward interactions - * between the appliance kernel and applications/libraries interacting - * with SELinux xattrs. - *) - g#set_selinux false; (* Add disks. *) add g dryrun; 
diff --git a/dib/dib.ml b/dib/dib.ml index 382c9d2..de4f242 100644 --- a/dib/dib.ml +++ b/dib/dib.ml @@ -634,12 +634,6 @@ let main () = may g#set_smp cmdline.smp; g#set_network cmdline.network; - (* Make sure to turn SELinux off to avoid awkward interactions - * between the appliance kernel and applications/libraries interacting - * with SELinux xattrs. - *) - g#set_selinux false; - (* Main disk with the built image. *) let fmt = "raw" in let fn = diff --git a/fish/fish.c b/fish/fish.c index ed851ac..bf591e5 100644 --- a/fish/fish.c +++ b/fish/fish.c @@ -137,7 +137,7 @@ usage (int status) " --no-progress-bars Disable progress bars\n" " --remote[=pid] Send commands to remote %s\n" " -r|--ro Mount read-only\n" - " --selinux Enable SELinux support\n" + " --selinux For backwards compat only, does nothing\n" " -v|--verbose Verbose messages\n" " -V|--version Display version and exit\n" " -w|--rw Mount read-write\n" @@ -268,8 +268,7 @@ main (int argc, char *argv[]) } } } else if (STREQ (long_options[option_index].name, "selinux")) { - if (guestfs_set_selinux (g, 1) == -1) - exit (EXIT_FAILURE); + /* nothing */ } else if (STREQ (long_options[option_index].name, "keys-from-stdin")) { keys_from_stdin = 1; } else if (STREQ (long_options[option_index].name, "progress-bars")) { diff --git a/fish/guestfish.pod b/fish/guestfish.pod index 05105e8..bdc2298 100644 --- a/fish/guestfish.pod +++ b/fish/guestfish.pod @@ -407,7 +407,7 @@ See also L below. =item B<--selinux> -Enable SELinux support for the guest. See L. +This option is provided for backwards compatibility and does nothing. =item B<-v> diff --git a/fuse/guestmount.c b/fuse/guestmount.c index 4e9cf86..1fd2f72 100644 --- a/fuse/guestmount.c +++ b/fuse/guestmount.c 
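Review bot: The rewritten `--selinux` arm in main() (`/* nothing */`) accepts the option and silently discards it, so a caller who passes it expecting the appliance to come up with SELinux enabled gets no indication that the request was ignored; for an option whose name implies a security property, a silent no-op is more dangerous than the old hard failure. Keep the arm but make the deprecation visible, e.g. `fprintf (stderr, "warning: --selinux is deprecated and has no effect; relabel the guest (selinux-relabel) after making changes\n");`, wrapped in `_()` if this file localises its other messages (the hunk does not show that). The identical stub is introduced in guestmount.c and rescue.c and should get the same warning so scripted users of those tools notice too. main() begins and ends outside the hunk.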
@@ -124,7 +124,7 @@ usage (int status) " -o|--option opt Pass extra option to FUSE\n" " --pid-file filename Write PID to filename\n" " -r|--ro Mount read-only\n" - " --selinux Enable SELinux support\n" + " --selinux For backwards compat only, does nothing\n" " -v|--verbose Verbose messages\n" " -V|--version Display version and exit\n" " -w|--rw Mount read-write\n" @@ -228,8 +228,7 @@ main (int argc, char *argv[]) else if (STREQ (long_options[option_index].name, "fuse-help")) fuse_help (); else if (STREQ (long_options[option_index].name, "selinux")) { - if (guestfs_set_selinux (g, 1) == -1) - exit (EXIT_FAILURE); + /* nothing */ } else if (STREQ (long_options[option_index].name, "format")) { OPTION_format; } else if (STREQ (long_options[option_index].name, "keys-from-stdin")) { diff --git a/fuse/guestmount.pod b/fuse/guestmount.pod index e7f37ae..be075e5 100644 --- a/fuse/guestmount.pod +++ b/fuse/guestmount.pod @@ -362,7 +362,7 @@ See also L. =item B<--selinux> -Enable SELinux support for the guest. +This option is provided for backwards compatibility and does nothing. =item B<-v> diff --git a/generator/actions.ml b/generator/actions.ml index 964a42b..a515c4c 100644 --- a/generator/actions.ml +++ b/generator/actions.ml @@ -645,6 +645,7 @@ Use C or C instead." }; style = RErr, [Bool "selinux"], []; fish_alias = ["selinux"]; config_only = true; blocking = false; + deprecated_by = Some "selinux_relabel"; shortdesc = "set SELinux enabled or disabled at appliance boot"; longdesc = "\ This sets the selinux flag that is passed to the appliance @@ -660,6 +661,7 @@ see L." }; name = "get_selinux"; added = (1, 0, 67); style = RBool "selinux", [], []; blocking = false; + deprecated_by = Some "selinux_relabel"; shortdesc = "get SELinux enabled flag"; longdesc = "\ This returns the current setting of the selinux flag which 
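Review bot: Adding `deprecated_by = Some "selinux_relabel"` to set_selinux and get_selinux leaves their longdesc untouched, and the visible text still describes the flag as something that "is passed to the appliance" as if it worked, while the guestfs.pod change in this same patch says these APIs "did not work properly". A reader of the generated API documentation for either call therefore sees only a deprecation pointer, not the fact that the call is ineffective; the longdesc should say so first, e.g. `This flag never worked reliably and is deprecated; setting it has no useful effect. To label files in an SELinux guest, call C<guestfs_selinux_relabel> after making changes.` (adjusting the cross-reference markup to what the generator expects). The action record definitions these hunks edit start before and end after the hunk.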
@@ -7315,6 +7317,7 @@ away any pending events, and deallocates all resources." }; style = RErr, [String "context"], []; proc_nr = Some 185; optional = Some "selinux"; + deprecated_by = Some "selinux_relabel"; shortdesc = "set SELinux security context"; longdesc = "\ This sets the SELinux security context of the daemon @@ -7327,6 +7330,7 @@ See the documentation about SELINUX in L." }; style = RString "context", [], []; proc_nr = Some 186; optional = Some "selinux"; + deprecated_by = Some "selinux_relabel"; shortdesc = "get SELinux security context"; longdesc = "\ This gets the SELinux security context of the daemon. @@ -9863,6 +9867,7 @@ This option may not be specified at the same time as the C option. name = "llz"; added = (1, 17, 6); style = RString "listing", [Pathname "directory"], []; proc_nr = Some 305; + deprecated_by = Some "lgetxattrs"; shortdesc = "list the files in a directory (long format with SELinux contexts)"; longdesc = "\ List the files in F in the format of 'ls -laZ'. diff --git a/rescue/rescue.c b/rescue/rescue.c index 982f3c4..f753e6d 100644 --- a/rescue/rescue.c +++ b/rescue/rescue.c @@ -72,7 +72,7 @@ usage (int status) " --network Enable network\n" " -r|--ro Access read-only\n" " --scratch[=N] Add scratch disk(s)\n" - " --selinux Enable SELinux\n" + " --selinux For backwards compat only, does nothing\n" " --smp N Enable SMP with N >= 2 virtual CPUs\n" " --suggest Suggest mount commands for this guest\n" " -v|--verbose Verbose messages\n" @@ -148,8 +148,7 @@ main (int argc, char *argv[]) else if (STREQ (long_options[option_index].name, "short-options")) display_short_options (options); else if (STREQ (long_options[option_index].name, "selinux")) { - if (guestfs_set_selinux (g, 1) == -1) - exit (EXIT_FAILURE); + /* nothing */ } else if (STREQ (long_options[option_index].name, "append")) { append = optarg; } else if (STREQ (long_options[option_index].name, "network")) { 
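Review bot: Marking setcon and getcon as `deprecated_by = Some "selinux_relabel"` is misleading if the generator renders that field as "use X instead": the shortdesc and longdesc in the hunk say these calls set and read the security context of the daemon process, whereas selinux_relabel relabels files in the guest, so it replaces neither. If the generator has a way to deprecate a call without naming a successor, that is the accurate choice here; if it does not (I cannot tell from the hunk), the longdesc should state that there is no equivalent API rather than steering callers to a file-relabelling call. The llz → lgetxattrs deprecation in the last hunk is sound, though a sentence noting that the context formerly shown by `ls -laZ` is the `security.selinux` xattr would help callers migrate. The record definitions these hunks edit begin outside the hunk.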
diff --git a/rescue/virt-rescue.pod b/rescue/virt-rescue.pod index bb563bc..00f03aa 100644 --- a/rescue/virt-rescue.pod +++ b/rescue/virt-rescue.pod @@ -209,8 +209,7 @@ command line. =item B<--selinux> -Enable SELinux in the rescue appliance. You should read -L before using this option. +This option is provided for backwards compatibility and does nothing. =item B<--smp> N diff --git a/src/guestfs.pod b/src/guestfs.pod index af30406..9ac7792 100644 --- a/src/guestfs.pod +++ b/src/guestfs.pod @@ -433,8 +433,8 @@ an X86 host). =item * -For SELinux guests, you may need to enable SELinux and load policy -first. See L in this manpage. +For SELinux guests, you may need to relabel the guest after +creating new files. See L below. =item * 
@@ -486,44 +486,23 @@ L, L. =head2 SELINUX -We support SELinux guests. To ensure that labeling happens correctly -in SELinux guests, you need to enable SELinux and load the guest's -policy: - -=over 4 - -=item 1. - -Before launching, do: - - guestfs_set_selinux (g, 1); - -=item 2. - -After mounting the guest's filesystem(s), load the policy. This -is best done by running the L command in the -guest itself: - - guestfs_sh (g, "/usr/sbin/load_policy"); - -(Older versions of C require you to specify the -name of the policy file). - -=item 3. - -Optionally, set the security context for the API. The correct -security context to use can only be known by inspecting the -guest. As an example: - - guestfs_setcon (g, "unconfined_u:unconfined_r:unconfined_t:s0"); - -=back - -This will work for running commands and editing existing files. - -When new files are created, you may need to label them explicitly, -for example by running the external command -C. +We support SELinux guests. However it is not possible to load the +SELinux policy of the guest into the appliance kernel. Therefore the +strategy for dealing with SELinux guests is to relabel them after +making changes. + +In libguestfs E 1.34 there is a new API, L, +which can be used for this. To properly use this API you have to +parse the guest SELinux configuration. See the L +module F for how to do this. + +A simpler but slower alternative is to touch F in the +guest, which means that the guest will relabel itself at next boot. + +Libguestfs E 1.32 had APIs C, +C, C and C. +These did not work properly, are deprecated, and should not be used in +new code. =head2 UMASK diff --git a/test-tool/test-tool.c b/test-tool/test-tool.c index a5ecf5c..6699fc3 100644 --- a/test-tool/test-tool.c +++ b/test-tool/test-tool.c 
@@ -253,7 +253,6 @@ main (int argc, char *argv[]) printf ("guestfs_get_pgroup: %d\n", guestfs_get_pgroup (g)); printf ("guestfs_get_program: %s\n", guestfs_get_program (g)); printf ("guestfs_get_recovery_proc: %d\n", guestfs_get_recovery_proc (g)); - printf ("guestfs_get_selinux: %d\n", guestfs_get_selinux (g)); printf ("guestfs_get_smp: %d\n", guestfs_get_smp (g)); p = guestfs_get_tmpdir (g); printf ("guestfs_get_tmpdir: %s\n", p ? : "(null)"); diff --git a/tests/selinux/run-test.pl b/tests/selinux/run-test.pl index f0f241f..7e4620f 100755 --- a/tests/selinux/run-test.pl +++ b/tests/selinux/run-test.pl @@ -105,8 +105,6 @@ if ($test_type eq "selinux" && $test_via eq "fuse") { # Create a filesystem that could support xattrs and SELinux labels. my $g = Sys::Guestfs->new (); -#$g->set_selinux (1) if $test_type eq "selinux"; - $g->add_drive_scratch (256*1024*1024); $g->launch (); -- 1.8.3.1