On Mon, Sep 29, 2014 at 01:57:24PM +0200, Pino Toscano wrote:
When saving a configuration file, Augeas creates a new file and
replaces the old one with it; the resulting /etc/shadow therefore lacks
the SELinux xattrs, since the newly created file does not carry them.
Thus, create a temporary file with all the attributes of /etc/shadow, so
all the attributes of it (permissions and xattrs, among others) can be
restored properly on the new /etc/shadow.
As side effect, if a guest is already properly SELinux-labelled, then
there should be no more need to relabel it to make sure /etc/shadow
still has the right SELinux xattrs.
---
customize/password.ml | 15 ++++++++++++---
1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/customize/password.ml b/customize/password.ml
index 3437bf0..2bbfbbc 100644
--- a/customize/password.ml
+++ b/customize/password.ml
@@ -81,12 +81,19 @@ and read_password_from_file filename =
(* Permissible characters in a salt. *)
let chars =
"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789./"
-let rec set_linux_passwords ~prog ?password_crypto g root passwords =
+let rec set_linux_passwords ~prog ?password_crypto (g : Guestfs.guestfs) root passwords
=
let crypto =
match password_crypto with
| None -> default_crypto ~prog g root
| Some c -> c in
+ (* Create a (almost) empty temporary file with the attributes of
+ * /etc/shadow, so we can restore them later.
+ *)
+ let tempfile = g#mktemp "/etc/shadow.guestfsXXXXXX" in
+ g#write tempfile "*";
+ g#copy_attributes ~all:true "/etc/shadow" tempfile;
+
g#aug_init "/" 0;
let users = Array.to_list (g#aug_ls "/files/etc/shadow") in
List.iter (
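Review bot: The temporary file created by `g#mktemp` on the added lines is only removed on the success path (the `g#rm tempfile` in the second hunk), so if `g#aug_init`, `g#aug_save` or either `g#copy_attributes` raises, a `/etc/shadow.guestfsXXXXXX` file carrying /etc/shadow's ownership, mode and xattrs is left behind in the guest's /etc, and the Augeas handle opened by `g#aug_init` is never closed. I would wrap everything between the temp-file setup and the final removal in a handler that deletes the temporary file and re-raises, as sketched below; if the project's OCaml baseline provides `Fun.protect ~finally`, that is the cleaner form of the same thing. The catch inside the cleanup is deliberately broad so that the original exception is the one reported to the caller. The body of set_linux_passwords continues outside this hunk (the per-user loop), and the restore and removal lines live in the second hunk.
```ocaml
  let tempfile = g#mktemp "/etc/shadow.guestfsXXXXXX" in
  g#write tempfile "*";
  g#copy_attributes ~all:true "/etc/shadow" tempfile;

  (try
     g#aug_init "/" 0;
     (* … unchanged: per-user loop, g#aug_save, g#aug_close … *)
     g#copy_attributes ~all:true tempfile "/etc/shadow"
   with exn ->
     (* best-effort cleanup; keep the original exception *)
     (try g#rm tempfile with _ -> ());
     raise exn);
  g#rm tempfile
```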
@@ -116,9 +123,11 @@ let rec set_linux_passwords ~prog ?password_crypto g root passwords
=
with Not_found -> ()
) users;
g#aug_save ();
+ g#aug_close ();
- (* In virt-sysprep /.autorelabel will label it correctly. *)
- g#chmod 0 "/etc/shadow"
+ (* Restore all the attributes from the temporary file, and remove it. *)
+ g#copy_attributes ~all:true tempfile "/etc/shadow";
+ g#rm tempfile
(* Encrypt each password. Use glibc (on the host). See:
*
https://rwmj.wordpress.com/2013/07/09/setting-the-root-or-other-passwords...
--
1.9.3
ACK to both.
Rich.
--
Richard Jones, Virtualization Group, Red Hat
http://people.redhat.com/~rjones
Read my programming and virtualization blog:
http://rwmj.wordpress.com
libguestfs lets you edit virtual machines. Supports shell scripting,
bindings from many languages.
http://libguestfs.org