Re: [Libguestfs] [libvirt] [PATCH tck] Relabel SELinux when customizing virt-builder image

On 02/06/2018 10:53 AM, Pino Toscano wrote: > On Tuesday, 6 February 2018 16:40:04 CET Daniel P. Berrangé wrote: >> When you tell virt-builder to install extra RPMs, this potentially >> looses the SELinux labelling that Anaconda had originally setup. Thus we >> must tell virt-builder to enable SELinux relabelling. >> >> Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com&gt; >> --- >> lib/Sys/Virt/TCK.pm | 2 +- >> 1 file changed, 1 insertion(+), 1 deletion(-) >> >> diff --git a/lib/Sys/Virt/TCK.pm b/lib/Sys/Virt/TCK.pm >> index e9da8d2..b39f578 100644 >> --- a/lib/Sys/Virt/TCK.pm >> +++ b/lib/Sys/Virt/TCK.pm >> @@ -405,7 +405,7 @@ sub create_virt_builder_disk { >> } >> >> print "# running virt-builder $osname\n"; >> - system "virt-builder", "--install", "dsniff", "--root-password", "password:$password", "--output", $target, $osname; >> + system "virt-builder", "--install", "dsniff", "--selinux-relabel", "--root-password", "password:$password", "--output", $target, $osname; >> >> die "cannot run virt-builder: $?" if $? != 0; > > Reviewed-by: Pino Toscano <ptoscano(a)redhat.com&gt; > This change works, but since the original image came from virt-builder, and virt-builder knows enough about the image to know that it should install packages with dnf (or yum or apt-get or whatever is appropriate for any given image), it should also have enough info available to determine on its own that the selinux labels need to be redone. Especially since the Fedora images provided by virt-builder have selinux set to enforcing, I think the default behavior in this case should be for virt-builder to relabel. This patch fixes the problem for libvirt-tck, but I can imagine that this same problem will be revisited time after time on IRC and the libguestfs mailing list (once the user takes the obligatory troubleshooting trip to discover the source of the problem). In this case the initial symptom was "a guest that was never logged into by a human was failing an automated test". There were several steps from there to "dhcpc was failing to get an IP address due to bad selinux labels", and then learning via IRC that the labels were incorrect because extra packages are installed with the image mounted on the libguestfs appliance, which runs with selinux disabled. What is preventing virt-builder from automatically making a correct determination about whether or not relabeling must be done?