On Tuesday 27 May 2014 09:08:27 Richard W.M. Jones wrote:
On Mon, May 26, 2014 at 11:21:59AM +0200, Pino Toscano wrote:
> Rewrite the relabel API to read the policy configured in the guest,
> invoking setfiles (added as part of the appliance, as part of
> policycoreutils) to relabel the specified root. In case of failure at
> any point of the process, a touch of .autorelabel in the root is
> tried as last-attempt measure to do the relabel.
>
> Considering that running SELinux tools in the appliance might be
> affected by the SELinux state (leading to wrong results),
> selinux_relabel now bails out if SELinux is enabled in the
> appliance.
> As a result of this, virt-builder and virt-customize explicitly
> disable it if the relabel is enabled.
>
> - g#set_selinux ops.flags.selinux_relabel;
> + (* If a relabel is needed, make sure to turn SELinux off to
> avoid + * awkward interactions with the relabel process.
> + *)
> + if ops.flags.selinux_relabel then g#set_selinux false;
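Review bot: the new conditional leaves the non-relabel case implicit: the removed line `g#set_selinux ops.flags.selinux_relabel` was where the flag reached the appliance, and a reader can take `if ops.flags.selinux_relabel then g#set_selinux false` to mean SELinux stays enabled otherwise. Calling `g#set_selinux false` unconditionally, keeping the comment, states the requirement directly: setfiles must never run with SELinux enabled in the appliance, and the relabel is only one reason for that.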
This defaults to false, so AFAICT you could just remove this hunk. Or
call g#set_selinux false unconditionally to make your intention
explicit?
(Same for the customize_main.ml hunk)
Yes, that together with its comment above is done to make that setting
explicit, so it is not changed in the future, creating issues.
> + len = length_without_training_slash (root);
> +
> + if (asprintf (&selinux_config, "%s%.*s/etc/selinux/config",
> + sysroot, len, root) == -1) {
> + if (verbose)
> + fprintf (stderr, "asprintf/selinux_config failed\n");
> + goto do_autorelabel;
> + }
> +
> + r = read_selinux_policy (selinux_config, &policy);
> + if (r == -1) {
> + if (verbose)
> + fprintf (stderr, "cannot read policy from %s\n",
> selinux_config); + goto do_autorelabel;
> + }
> + if (verbose)
> + fprintf (stderr, "policy in %s: %s\n", root, policy);
> +
> + if (policy[0] == '\0')
> + goto do_autorelabel;
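Review bot: the `%.*s` conversion in the `asprintf` call takes an `int` precision, so if `length_without_training_slash` returns `size_t`, `len` needs an explicit `(int)` cast (or an `int` return type) to avoid passing an argument of the wrong width. Two smaller points in the same hunk: the helper name reads `training` where `trailing` seems intended, and the `policy[0] == '\0'` branch jumps to `do_autorelabel` without the verbose diagnostic the two earlier failure paths print, so an empty `SELINUXTYPE=` is harder to debug than a missing file.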
You'll probably find this is much easier to write and a lot more
robust using augeas calls.
Good idea, I will use it.
Thanks,
--
Pino Toscano
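As an added example (not code from this patch or from libguestfs), here is how the policy lookup in the second hunk could build the config path with snprintf instead of asprintf and parse a constructed /etc/selinux/config, returning 0 in exactly the cases where the daemon would fall back to .autorelabel; the names selinux_config_path, parse_selinuxtype and sample_config are my own.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample of a guest's /etc/selinux/config (not from the patch). */
static const char sample_config[] =
  "# This file controls the state of SELinux on the system.\n"
  "SELINUX=enforcing\n"
  "SELINUXTYPE=targeted   \n";

/* Build "<sysroot><root>/etc/selinux/config", dropping one trailing slash
 * from root so root "/" gives "/sysroot/etc/selinux/config".  %.*s takes an
 * int precision, so the size_t length is cast explicitly.  Returns 0 or -1. */
static int selinux_config_path (const char *sysroot, const char *root,
                                char *out, size_t outlen)
{
  size_t len = strlen (root);
  if (len > 0 && root[len - 1] == '/') len--;
  int n = snprintf (out, outlen, "%s%.*s/etc/selinux/config",
                    sysroot, (int) len, root);
  return (n < 0 || (size_t) n >= outlen) ? -1 : 0;
}

/* Copy the value of SELINUXTYPE= into out, skipping comments and trimming
 * whitespace.  Returns 1 on success and 0 when the key is absent or empty,
 * the case where the daemon falls back to .autorelabel instead of setfiles. */
static int parse_selinuxtype (const char *config, char *out, size_t outlen)
{
  const char *p = config;
  out[0] = '\0';
  while (*p) {
    const char *eol = strchr (p, '\n');
    size_t linelen = eol ? (size_t) (eol - p) : strlen (p);
    const char *line = p;
    while (linelen > 0 && isspace ((unsigned char) *line)) { line++; linelen--; }
    if (linelen >= 12 && strncmp (line, "SELINUXTYPE=", 12) == 0) {
      const char *val = line + 12;
      size_t vlen = linelen - 12;
      while (vlen > 0 && isspace ((unsigned char) val[vlen - 1])) vlen--;
      if (vlen == 0 || vlen >= outlen) return 0;
      memcpy (out, val, vlen);
      out[vlen] = '\0';
      return 1;
    }
    if (!eol) break;
    p = eol + 1;
  }
  return 0;
}
```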