Re: [Libguestfs] [PATCH 2/2] Use setfiles from the appliance for the SELinux relabel (RHBZ#1089100).

Rewrite the relabel API to read the policy configured in the guest, invoking setfiles (added as part of the appliance, as part of policycoreutils) to relabel the specified root. In case of failure at any point of the process, a touch of .autorelabel in the root is tried as last-attempt measure to do the relabel. Considering that running SELinux tools in the appliance might be affected by the SELinux state (leading to wrong results), selinux_relabel now bails out if SELinux is enabled in the appliance. As a result of this, virt-builder and virt-customize explicitly disable it if the relabel is enabled.

- g#set_selinux ops.flags.selinux_relabel; + (* If a relabel is needed, make sure to turn SELinux off to avoid + * awkward interactions with the relabel process. + *) + if ops.flags.selinux_relabel then g#set_selinux false;

+ len = length_without_training_slash (root); + + if (asprintf (&selinux_config, "%s%.*s/etc/selinux/config", + sysroot, len, root) == -1) { + if (verbose) + fprintf (stderr, "asprintf/selinux_config failed\n"); + goto do_autorelabel; + } + + r = read_selinux_policy (selinux_config, &policy); + if (r == -1) { + if (verbose) + fprintf (stderr, "cannot read policy from %s\n", selinux_config); + goto do_autorelabel; + } + if (verbose) + fprintf (stderr, "policy in %s: %s\n", root, policy); + + if (policy[0] == '\0') + goto do_autorelabel;