Also turns the --selinux option of guestfish, guestmount and
virt-rescue into a no-op -- it didn't work before so this is
effectively no change.
---
builder/builder.ml | 6 -----
customize/customize_main.ml | 5 ----
dib/dib.ml | 6 -----
fish/fish.c | 5 ++--
fish/guestfish.pod | 2 +-
fuse/guestmount.c | 5 ++--
fuse/guestmount.pod | 2 +-
generator/actions.ml | 5 ++++
rescue/rescue.c | 5 ++--
rescue/virt-rescue.pod | 3 +--
src/guestfs.pod | 59 +++++++++++++++------------------------------
test-tool/test-tool.c | 1 -
tests/selinux/run-test.pl | 2 --
13 files changed, 33 insertions(+), 73 deletions(-)
diff --git a/builder/builder.ml b/builder/builder.ml
index b513ca3..15e1696 100644
--- a/builder/builder.ml
+++ b/builder/builder.ml
@@ -642,12 +642,6 @@ let main () =
may g#set_smp cmdline.smp;
g#set_network cmdline.network;
- (* Make sure to turn SELinux off to avoid awkward interactions
- * between the appliance kernel and applications/libraries interacting
- * with SELinux xattrs.
- *)
- g#set_selinux false;
-
(* The output disk is being created, so use cache=unsafe here. *)
g#add_drive_opts ~format:output_format ~cachemode:"unsafe"
output_filename;
diff --git a/customize/customize_main.ml b/customize/customize_main.ml
index 3681b32..82e70b7 100644
--- a/customize/customize_main.ml
+++ b/customize/customize_main.ml
@@ -169,11 +169,6 @@ read the man page virt-customize(1).
may g#set_memsize memsize;
may g#set_smp smp;
g#set_network network;
- (* Make sure to turn SELinux off to avoid awkward interactions
- * between the appliance kernel and applications/libraries interacting
- * with SELinux xattrs.
- *)
- g#set_selinux false;
(* Add disks. *)
add g dryrun;
diff --git a/dib/dib.ml b/dib/dib.ml
index 382c9d2..de4f242 100644
--- a/dib/dib.ml
+++ b/dib/dib.ml
@@ -634,12 +634,6 @@ let main () =
may g#set_smp cmdline.smp;
g#set_network cmdline.network;
- (* Make sure to turn SELinux off to avoid awkward interactions
- * between the appliance kernel and applications/libraries interacting
- * with SELinux xattrs.
- *)
- g#set_selinux false;
-
(* Main disk with the built image. *)
let fmt = "raw" in
let fn =
diff --git a/fish/fish.c b/fish/fish.c
index f2f288e..49e1aaa 100644
--- a/fish/fish.c
+++ b/fish/fish.c
@@ -142,7 +142,7 @@ usage (int status)
" --no-progress-bars Disable progress bars\n"
" --remote[=pid] Send commands to remote %s\n"
" -r|--ro Mount read-only\n"
- " --selinux Enable SELinux support\n"
+ " --selinux For backwards compat only, does
nothing\n"
" -v|--verbose Verbose messages\n"
" -V|--version Display version and exit\n"
" -w|--rw Mount read-write\n"
@@ -267,8 +267,7 @@ main (int argc, char *argv[])
" to the PID of the remote process"));
}
} else if (STREQ (long_options[option_index].name, "selinux")) {
- if (guestfs_set_selinux (g, 1) == -1)
- exit (EXIT_FAILURE);
+ /* nothing */
} else if (STREQ (long_options[option_index].name, "keys-from-stdin")) {
keys_from_stdin = 1;
} else if (STREQ (long_options[option_index].name, "progress-bars")) {
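Review bot: The new `/* nothing */` branch accepts `--selinux` and silently discards it, so a user who still passes the flag gets no signal that SELinux support is no longer attempted and that, per the src/guestfs.pod hunk, files they create need a relabel afterwards. A one-line diagnostic at this branch, e.g. `fprintf (stderr, "warning: --selinux is ignored; see guestfs(3)/SELINUX\n");`, makes the no-op visible without changing the exit status or the rest of option parsing. The same silent branch is introduced in fuse/guestmount.c and rescue/rescue.c and would want the identical warning. The surrounding main() continues outside the hunk.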
diff --git a/fish/guestfish.pod b/fish/guestfish.pod
index bbeea82..257c659 100644
--- a/fish/guestfish.pod
+++ b/fish/guestfish.pod
@@ -407,7 +407,7 @@ See also L</OPENING DISKS FOR READ AND WRITE> below.
=item B<--selinux>
-Enable SELinux support for the guest. See L<guestfs(3)/SELINUX>.
+This option is provided for backwards compatibility and does nothing.
=item B<-v>
diff --git a/fuse/guestmount.c b/fuse/guestmount.c
index f72ecb8..4461c65 100644
--- a/fuse/guestmount.c
+++ b/fuse/guestmount.c
@@ -123,7 +123,7 @@ usage (int status)
" -o|--option opt Pass extra option to FUSE\n"
" --pid-file filename Write PID to filename\n"
" -r|--ro Mount read-only\n"
- " --selinux Enable SELinux support\n"
+ " --selinux For backwards compat only, does
nothing\n"
" -v|--verbose Verbose messages\n"
" -V|--version Display version and exit\n"
" -w|--rw Mount read-write\n"
@@ -225,8 +225,7 @@ main (int argc, char *argv[])
else if (STREQ (long_options[option_index].name, "fuse-help"))
fuse_help ();
else if (STREQ (long_options[option_index].name, "selinux")) {
- if (guestfs_set_selinux (g, 1) == -1)
- exit (EXIT_FAILURE);
+ /* nothing */
} else if (STREQ (long_options[option_index].name, "format")) {
OPTION_format;
} else if (STREQ (long_options[option_index].name, "keys-from-stdin")) {
diff --git a/fuse/guestmount.pod b/fuse/guestmount.pod
index e7f37ae..be075e5 100644
--- a/fuse/guestmount.pod
+++ b/fuse/guestmount.pod
@@ -362,7 +362,7 @@ See also L<guestfish(1)/OPENING DISKS FOR READ AND WRITE>.
=item B<--selinux>
-Enable SELinux support for the guest.
+This option is provided for backwards compatibility and does nothing.
=item B<-v>
diff --git a/generator/actions.ml b/generator/actions.ml
index 49c360c..0621350 100644
--- a/generator/actions.ml
+++ b/generator/actions.ml
@@ -645,6 +645,7 @@ Use C<guestfs_available> or C<guestfs_feature_available>
instead." };
style = RErr, [Bool "selinux"], [];
fish_alias = ["selinux"]; config_only = true;
blocking = false;
+ deprecated_by = None;
shortdesc = "set SELinux enabled or disabled at appliance boot";
longdesc = "\
This sets the selinux flag that is passed to the appliance
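Review bot: `deprecated_by = None` reads as a deprecation marker here, but if this field is the generator's `string option` whose record default is already `None` for "not deprecated", this addition and the matching ones in the get_selinux, setcon, getcon and llz hunks below change nothing in the generated bindings or per-function documentation, and the "deprecated" statement added to src/guestfs.pod would not be reflected there. If a preceding patch in the series gave `None` the meaning "deprecated with no replacement", that is not visible in this diff. A short comment on each entry, e.g. `deprecated_by = None; (* deprecated, no replacement; see SELINUX in guestfs.pod *)`, would record the intent for the next reader. Each entry's record starts outside its hunk.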
@@ -660,6 +661,7 @@ see L<guestfs(3)>." };
name = "get_selinux"; added = (1, 0, 67);
style = RBool "selinux", [], [];
blocking = false;
+ deprecated_by = None;
shortdesc = "get SELinux enabled flag";
longdesc = "\
This returns the current setting of the selinux flag which
@@ -7555,6 +7557,7 @@ away any pending events, and deallocates all resources." };
style = RErr, [String "context"], [];
proc_nr = Some 185;
optional = Some "selinux";
+ deprecated_by = None;
shortdesc = "set SELinux security context";
longdesc = "\
This sets the SELinux security context of the daemon
@@ -7567,6 +7570,7 @@ See the documentation about SELINUX in L<guestfs(3)>."
};
style = RString "context", [], [];
proc_nr = Some 186;
optional = Some "selinux";
+ deprecated_by = None;
shortdesc = "get SELinux security context";
longdesc = "\
This gets the SELinux security context of the daemon.
@@ -10126,6 +10130,7 @@ This option may not be specified at the same time as the
C<correct> option.
name = "llz"; added = (1, 17, 6);
style = RString "listing", [Pathname "directory"], [];
proc_nr = Some 305;
+ deprecated_by = None;
shortdesc = "list the files in a directory (long format with SELinux
contexts)";
longdesc = "\
List the files in F<directory> in the format of 'ls -laZ'.
diff --git a/rescue/rescue.c b/rescue/rescue.c
index 135c9e6..ba123a3 100644
--- a/rescue/rescue.c
+++ b/rescue/rescue.c
@@ -73,7 +73,7 @@ usage (int status)
" --network Enable network\n"
" -r|--ro Access read-only\n"
" --scratch[=N] Add scratch disk(s)\n"
- " --selinux Enable SELinux\n"
+ " --selinux For backwards compat only, does
nothing\n"
" --smp N Enable SMP with N >= 2 virtual
CPUs\n"
" --suggest Suggest mount commands for this guest\n"
" -v|--verbose Verbose messages\n"
@@ -147,8 +147,7 @@ main (int argc, char *argv[])
else if (STREQ (long_options[option_index].name, "short-options"))
display_short_options (options);
else if (STREQ (long_options[option_index].name, "selinux")) {
- if (guestfs_set_selinux (g, 1) == -1)
- exit (EXIT_FAILURE);
+ /* nothing */
} else if (STREQ (long_options[option_index].name, "append")) {
append = optarg;
} else if (STREQ (long_options[option_index].name, "network")) {
diff --git a/rescue/virt-rescue.pod b/rescue/virt-rescue.pod
index bb563bc..00f03aa 100644
--- a/rescue/virt-rescue.pod
+++ b/rescue/virt-rescue.pod
@@ -209,8 +209,7 @@ command line.
=item B<--selinux>
-Enable SELinux in the rescue appliance. You should read
-L<guestfs(3)/SELINUX> before using this option.
+This option is provided for backwards compatibility and does nothing.
=item B<--smp> N
diff --git a/src/guestfs.pod b/src/guestfs.pod
index 2a199c0..2855d70 100644
--- a/src/guestfs.pod
+++ b/src/guestfs.pod
@@ -458,8 +458,8 @@ an X86 host).
=item *
-For SELinux guests, you may need to enable SELinux and load policy
-first. See L</SELINUX> in this manpage.
+For SELinux guests, you may need to relabel the guest after
+creating new files. See L</SELINUX> below.
=item *
@@ -511,44 +511,23 @@ L<sd-journal(3)>, L<sd_journal_open(3)>.
=head2 SELINUX
-We support SELinux guests. To ensure that labeling happens correctly
-in SELinux guests, you need to enable SELinux and load the guest's
-policy:
-
-=over 4
-
-=item 1.
-
-Before launching, do:
-
- guestfs_set_selinux (g, 1);
-
-=item 2.
-
-After mounting the guest's filesystem(s), load the policy. This
-is best done by running the L<load_policy(8)> command in the
-guest itself:
-
- guestfs_sh (g, "/usr/sbin/load_policy");
-
-(Older versions of C<load_policy> require you to specify the
-name of the policy file).
-
-=item 3.
-
-Optionally, set the security context for the API. The correct
-security context to use can only be known by inspecting the
-guest. As an example:
-
- guestfs_setcon (g, "unconfined_u:unconfined_r:unconfined_t:s0");
-
-=back
-
-This will work for running commands and editing existing files.
-
-When new files are created, you may need to label them explicitly,
-for example by running the external command
-C<restorecon pathname>.
+We support SELinux guests. However it is not possible to load the
+SELinux policy of the guest into the appliance kernel. Therefore the
+strategy for dealing with SELinux guests is to relabel them after
+making changes.
+
+In libguestfs E<ge> 1.34 there is a new API, L</guestfs_setfiles>,
+which can be used for this. To properly use this API you have to
+parse the guest SELinux configuration. See the L<virt-customize(1)>
+module F<customize/SELinux_relabel.ml> for how to do this.
+
+A simpler but slower alternative is to touch F</.autorelabel> in the
+guest, which means that the guest will relabel itself at next boot.
+
+Libguestfs E<le> 1.32 had APIs C<guestfs_set_selinux>,
+C<guestfs_get_selinux>, C<guestfs_setcon> and C<guestfs_getcon>.
+These did not work properly, are deprecated, and should not be used in
+new code.
=head2 UMASK
diff --git a/test-tool/test-tool.c b/test-tool/test-tool.c
index c632440..ad1601c 100644
--- a/test-tool/test-tool.c
+++ b/test-tool/test-tool.c
@@ -234,7 +234,6 @@ main (int argc, char *argv[])
printf ("guestfs_get_pgroup: %d\n", guestfs_get_pgroup (g));
printf ("guestfs_get_program: %s\n", guestfs_get_program (g));
printf ("guestfs_get_recovery_proc: %d\n", guestfs_get_recovery_proc (g));
- printf ("guestfs_get_selinux: %d\n", guestfs_get_selinux (g));
printf ("guestfs_get_smp: %d\n", guestfs_get_smp (g));
p = guestfs_get_sockdir (g);
printf ("guestfs_get_sockdir: %s\n", p ? : "(null)");
diff --git a/tests/selinux/run-test.pl b/tests/selinux/run-test.pl
index f0f241f..7e4620f 100755
--- a/tests/selinux/run-test.pl
+++ b/tests/selinux/run-test.pl
@@ -105,8 +105,6 @@ if ($test_type eq "selinux" && $test_via eq
"fuse") {
# Create a filesystem that could support xattrs and SELinux labels.
my $g = Sys::Guestfs->new ();
-#$g->set_selinux (1) if $test_type eq "selinux";
-
$g->add_drive_scratch (256*1024*1024);
$g->launch ();
--
2.7.4