Re: [Libguestfs] [COMMON PATCH 1/1] mlcustomize: skip SELinux relabeling if it's disabled

From: Roman Kagan <rkagan(a)virtuozzo.com&gt; Even if SELinux config file and policy tools are present, SELinux may be turned off by a setting in that config file, "SELINUX", having a value of "disabled". Detect this case and skip relabeling. Signed-off-by: Roman Kagan <rkagan(a)virtuozzo.com&gt; --- mlcustomize/SELinux_relabel.ml | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/mlcustomize/SELinux_relabel.ml b/mlcustomize/SELinux_relabel.ml index 5ecf7bd..df1de7b 100644 --- a/mlcustomize/SELinux_relabel.ml +++ b/mlcustomize/SELinux_relabel.ml @@ -59,14 +59,24 @@ and use_setfiles g = g#aug_load (); debug_augeas_errors g; + let config_path = "/files/etc/selinux/config" in + let config_keys = g#aug_ls config_path in + (* SELinux may be disabled via a setting in config file *) + let selinux_disabled = + let selinuxmode_path = config_path ^ "/SELINUX" in + if array_find selinuxmode_path config_keys then + g#aug_get selinuxmode_path = "disabled" + else + false in + if selinux_disabled then + failwith "selinux disabled"; + (* Get the SELinux policy name, eg. "targeted", "minimum". * Use "targeted" if not specified, just like libselinux does. *) let policy = - let config_path = "/files/etc/selinux/config" in let selinuxtype_path = config_path ^ "/SELINUXTYPE" in - let keys = g#aug_ls config_path in - if array_find selinuxtype_path keys then + if array_find selinuxtype_path config_keys then g#aug_get selinuxtype_path else "targeted" in