On Tue, Jun 07, 2022 at 01:59:30PM +0100, Richard W.M. Jones wrote:
On Mon, Jun 06, 2022 at 04:19:41PM +0200, Laszlo Ersek wrote:
> + (* Disable SELinux temporarily around package installation. Refer to
> + * <
https://bugzilla.redhat.com/show_bug.cgi?id=2028764#c7> and
> + * <
https://bugzilla.redhat.com/show_bug.cgi?id=2028764#c8>.
> + *)
> + fbs "setenforce 0"
> + (sprintf "#!/bin/sh\n\
> + rm -f %s\n\
> + if command -v getenforce >/dev/null &&\n\
> + \ \ test Enforcing = \"$(getenforce)\"\n\
> + then\n\
> + \ \ touch %s\n\
> + \ \ setenforce 0\n\
> + fi\n" selinux_enforcing selinux_enforcing);
> + fbs "install qga" inst_cmd;
> + fbs "setenforce restore"
> + (sprintf "#!/bin/sh\n\
> + if test -f %s; then\n\
> + \ \ setenforce 1\n\
> + \ \ rm -f %s\n\
> + fi\n" selinux_enforcing selinux_enforcing);
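Review bot: the disable and restore steps are registered as two separate firstboot scripts with "install qga" between them, so the comment above `fbs "setenforce 0"` should state what happens when the install step fails: whether `setenforce restore` still runs, and if not, that the marker file at the `selinux_enforcing` path leaves the guest in permissive mode only until the next reboot (runtime `setenforce` does not alter /etc/selinux/config). The same comment could also summarize in one sentence the reason given in the two Bugzilla comments, so a reader can understand why the package install needs enforcing mode switched off without opening the bug.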
Sounds horrible! But if that's what is needed ...
OK, now that I have caught up with the BZ comments, it really seems odd to me
that a service or script can run dnf, but that dnf doesn't transition
to the right SELinux context in order to do its work, but also dnf
doesn't fail immediately ("error: wrong context!") either.
However I don't know enough about SELinux to really understand whether
this is how it's supposed to work or not.
In reply to your other comment about --firstboot-install, it is
possible that this did work but has since been broken by some change.
I don't believe we test it thoroughly anywhere.
Rich.
--
Richard Jones, Virtualization Group, Red Hat
http://people.redhat.com/~rjones
Read my programming and virtualization blog:
http://rwmj.wordpress.com
virt-top is 'top' for virtual machines. Tiny program with many
powerful monitoring features, net stats, disk stats, logging, etc.
http://people.redhat.com/~rjones/virt-top