Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1554735
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2075718

I'm going to post four patches or patch-sets in response to this email.
Due to how the libguestfs-common module is organized & consumed, and how
the generator in libguestfs works, this work is very awkward. (See more
below.)

The idea is to *replace* "--selinux-relabel" with
"--no-selinux-relabel", and to invert the SELinux relabeling choice:
that is, to do it by default, and allow users to prevent it with
"--no-selinux-relabel" if they desire so. This is being requested in the
above two BZs.

I've intentionally avoided introducing "--no-selinux-relabel" *in
addition* to "--selinux-relabel". While some utilities support a similar
dual form (such as virt-builder's "--network" and "--no-network"), with
one being the default, those options are special in that they are *not
shared* between different utilities, and they are not generated by the
generator in libguestfs. The key difference is that the *non-shared*
options use Getopt.Set and Getopt.Clear on the *same* boolean reference
cell, whereas the generator introduces a *separate* boolean reference
cell for each option it generates (and then it uses *either*
Getopt.Clear *or* Getopt.Set when the option is passed on the command
line, dependent on the default value of the reference cell). This means
that "--no-selinux-relabel" and "--selinux-relabel", if they both
existed, would work on different booleans, and that would be the source
of a lot of fun (priority? command line order? documentation? etc etc).
So, nope to that.

Back to the structuring of these patches / patch sets. The generator
lives and runs solely in libguestfs. However, it generates such code as
well that is owned by libguestfs-common. Normally we don't notice,
because the generator overwrites "common" submodule contents with
identical files; thus, "git" does not complain about the submodule
checkout being modified locally. This no longer holds with these
patches. Therefore:

- as first step, libguestfs needs to be modified
- the generator is run as a part of "make", which creates a local diff
  in the "common" submodule checkout under the libguestfs worktree
- that diff is reflected to, and captured as a commit, in
  libguestfs-common
  - this returns libguestfs to an "everything in sync" state, but more
    importantly
  - it exposes the new stuff to virt-v2v and guestfs-tools,
- virt-v2v and guestfs-tools need to be updated to consider the
  disappearance of "--selinux-relabel".

The fact that documentation and test cases are shared in various ways
only makes this more complicated. For example, the virt-builder(1)
manual speaks words on SELinux in the auto-generated (and shared), and
the private (non-shared) sections *both*.

One thing to note is that libguestfs itself does not *consume* the
particular "common" contents that it generates. Therefore we don't have
a reference loop in practice. What we have is this dependency graph:

        libguestfs (generator)
                  |
                  v
    libguestfs-common (generated content)
             /         \
            v           v
      guestfs-tools   virt-v2v

Because of that, the usual "update common submodule" hunk *need not* be
squashed into the libguestfs (generator) patches, when merging this.
However, said "update common submodule" hunk does have to be squashed
into the (single) guestfs-tools and virt-v2v patches, when merging.

I meticulously tested this stuff:

- libguestfs:
  - "make check" and "make check-slow" complete fine
  - There is no documentation (under the "website/" subdir) that is
    updated by the patches.
- guestfs-tools:
  - Checked the rendered documentation regarding "--no-selinux-relabel"
    that comes from "common":
      virt-builder.1.html
      virt-customize.1.html
      virt-sysprep.1.html
  - Checked the rendered documentation changes that come from
    guestfs-tools itself:
      virt-builder.1.html
  - Checked the "--help" output of:
      virt-builder
      virt-customize
      virt-sysprep
  - "make check" completes OK.
  - "make check-slow" completes OK:
    - PASS for test-firstboot-*.sh (Linux guests -- Windows guests are
      SKIPped),
    - same for test-settings-*.sh
      - except for "test-settings-ubuntu-18.04.sh". It fails for an
        independent reason: "libguestfs: error: download:
        /etc/sysconfig/network: No such file or directory"
    - PASS for test-selinuxrelabel.sh
    - "test-console-ubuntu-20.04.sh" fails for an independent reason:
      "didn't see login banner in serial console output" -- but no
      serial output was actually shown in the log.
- virt-v2v:
  - "make check" completes OK.
  - "make check-slow" completes fine
    - in particular, PASS for test-v2v-conversion-of-*.sh (Linux guests
      -- Windows guests are SKIPped)

Thanks,
Laszlo
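
The shared-cell versus separate-cell point made in the message, as an added example that is not part of the original email or of the libguestfs code. It assumes the OCaml standard library's Arg module as a stand-in for libguestfs's Getopt (only Set/Clear on a bool ref is modelled); the function names and the two "relabel" cells are hypothetical.

```ocaml
(* Added illustration. Stdlib Arg stands in for libguestfs's Getopt
   (assumption): both expose Set/Clear actions on a bool ref. *)

(* Helper: parse a list of arguments against a spec, ignoring anonymous
   arguments. A fresh ~current counter lets us parse more than once. *)
let parse spec args =
  Arg.parse_argv ~current:(ref 0) (Array.of_list ("prog" :: args))
    spec (fun _ -> ()) "usage: prog [options]"

(* Style 1: a non-shared dual-form pair, like virt-builder's
   "--network" / "--no-network": Set and Clear act on the SAME cell. *)
let parse_shared args =
  let network = ref true in
  parse [
    "--network",    Arg.Set network,   " enable network";
    "--no-network", Arg.Clear network, " disable network";
  ] args;
  !network

(* Style 2: what would happen if both relabel options were generated:
   each option gets its OWN cell (hypothetical cell names). *)
let parse_separate args =
  let relabel = ref false in
  let no_relabel = ref false in
  parse [
    "--selinux-relabel",    Arg.Set relabel,    " relabel";
    "--no-selinux-relabel", Arg.Set no_relabel, " do not relabel";
  ] args;
  (!relabel, !no_relabel)

let () =
  (* Shared cell: the last option on the command line wins, so the
     outcome is always a single, well-defined boolean. *)
  assert (parse_shared ["--network"; "--no-network"] = false);
  assert (parse_shared ["--no-network"; "--network"] = true);
  (* Separate cells: command line order is lost, and both orders end in
     the same contradictory state that the tool would have to resolve. *)
  let a = parse_separate ["--selinux-relabel"; "--no-selinux-relabel"] in
  let b = parse_separate ["--no-selinux-relabel"; "--selinux-relabel"] in
  assert (a = (true, true) && b = (true, true));
  (* With only one option defined, a single cell fully captures the
     choice; here the cell for the removed option never changes. *)
  assert (parse_separate ["--no-selinux-relabel"] = (false, true));
  print_endline "shared cell: last wins; separate cells: ambiguous"
```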