Do not attempt to relabel a guest when its SELinux mode is not
"enforcing": doing so is either pointless, or it may fail because of an
invalid configured policy.
---
mlcustomize/SELinux_relabel.ml | 26 +++++++++++++++++++++++++-
1 file changed, 25 insertions(+), 1 deletion(-)
diff --git a/mlcustomize/SELinux_relabel.ml b/mlcustomize/SELinux_relabel.ml
index 647aeda..db00e59 100644
--- a/mlcustomize/SELinux_relabel.ml
+++ b/mlcustomize/SELinux_relabel.ml
@@ -24,6 +24,9 @@ open Printf
module G = Guestfs
+exception SELinux_not_enforcing
+(* Interal exception to signal a non-enforcing SELinux. *)
+
(* Simple reimplementation of Array.mem, available only with OCaml >= 4.03. *)
let array_find a l =
List.mem a (Array.to_list l)
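Review bot: The comment on the new exception has a typo ("Interal") and sits after the declaration, whereas the neighbouring comment on `array_find` precedes its definition; keeping one convention makes the file easier to scan. I would move and fix it: `(* Internal exception to signal a non-enforcing SELinux. *)` directly above `exception SELinux_not_enforcing`. Since the exception is raised from `use_setfiles` and caught in `relabel`, the comment could also say so in a few words, which spares a reader a search when a new caller of `use_setfiles` is added later.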
@@ -35,12 +38,18 @@ let rec relabel (g : G.guestfs) =
use_setfiles g;
(* That worked, so we don't need to autorelabel. *)
g#rm_f "/.autorelabel"
- with Failure _ ->
+ with
+ | Failure _ ->
(* This is the fallback in case something in the setfiles
* method didn't work. That includes the case where a non-SELinux
* host is processing an SELinux guest, and other things.
*)
g#touch "/.autorelabel"
+ | SELinux_not_enforcing ->
+ (* This means that SELinux was not configured to be in enforcing mode,
+ * so silently accept this.
+ *)
+ ()
)
and is_selinux_guest g =
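Review bot: The new `SELinux_not_enforcing` arm swallows the condition with `()` and leaves no trace, so a user who asked for a relabel of a "permissive" or "disabled" guest gets the same silent outcome as a successful relabel and cannot tell the operation was skipped. If the module has a verbose/debug output path, a one-line message in that arm ("SELinux not in enforcing mode, skipping relabel") would make the skip visible without changing behaviour; I cannot see such a helper in this hunk, so this is hedged. Note that, unlike the `Failure _` arm, this arm deliberately does not touch `/.autorelabel`, which is worth stating in the comment so nobody later "fixes" it to match. The enclosing `relabel` function and its `try` begin above this hunk.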
@@ -59,6 +68,21 @@ and use_setfiles g =
g#aug_load ();
debug_augeas_errors g;
+ (* Get the SELinux enforcing mode, eg "enforcing", "permissive",
+ * "disabled".
+ * Use "disabled" if not specified, just like libselinux seems to do.
+ *)
+ let typ = read_selinux_config_key g "SELINUX" "disabled" in
+ (* Do not attempt any relabelling if the SELinux is not "enforcing":
+ * - in "permissive" mode SELinux is still running, however nothing is
+ * enforced: this means labels can be wrong, and "it is fine"
+ * - when "disabled" means SELinux is not running, so any relabelling
+ * is pointless (other than potentially fail due to an invalid
+ * SELINUXTYPE configuration)
+ *)
+ if typ <> "enforcing" then
+ raise SELinux_not_enforcing;
+
(* Get the SELinux policy name, eg. "targeted", "minimum".
* Use "targeted" if not specified, just like libselinux does.
*)
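Review bot: The comparison `if typ <> "enforcing" then` is exact and case-sensitive, while libselinux, which the comment above it cites as the model, parses the SELINUX value case-insensitively as far as I recall; a guest configured with `SELINUX=Enforcing` would then be skipped here but actually boot enforcing, with whatever stale labels the customization left behind, and that is the failure direction to avoid (a redundant relabel on a permissive guest only costs time). Normalising first keeps the two in agreement, e.g. `if String.lowercase_ascii typ <> "enforcing" then` (or `String.lowercase` on the pre-4.03 OCaml the `array_find` comment suggests is still supported). Whether `read_selinux_config_key` strips trailing whitespace or quotes is not visible in this hunk and should be checked for the same reason. The enclosing `use_setfiles` starts and ends outside the hunk.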
--
2.26.2