Bug 1362669

Summary: Backport improved --selinux-relabel support for virt-sysprep, virt-builder, virt-customize
Product: Red Hat Enterprise Linux 7
Component: libguestfs
Version: 7.3
Status: CLOSED ERRATA
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Reporter: Richard W.M. Jones <rjones>
Assignee: Richard W.M. Jones <rjones>
QA Contact: Virtualization Bugs <virt-bugs>
CC: ptoscano, xchen
Target Milestone: rc
Fixed In Version: libguestfs-1.32.6-4.el7
Last Closed: 2016-11-03 18:03:14 UTC
Type: Bug

Description Richard W.M. Jones 2016-08-02 19:53:10 UTC
Description of problem:

In upstream libguestfs the behaviour of the --selinux-relabel
flag on the tools virt-sysprep, virt-builder and virt-customize
has been greatly improved.  In most cases we no longer require
a reboot to relabel a guest.  Also the relabelling works for
any guest, silently ignoring non-selinux guests.

Version-Release number of selected component (if applicable):

libguestfs 1.32.6-2.el7

Additional info:

The upstream commits required are:

Comment 1 Richard W.M. Jones 2016-08-02 20:26:32 UTC
How to test:

$ virt-builder fedora-23 \
    --install "@Xfce Desktop" --update --root-password password:123456 --selinux-relabel

$ guestfish --ro -a fedora-23.img -i

Using guestfish check that /.autorelabel is *not* created.

$ virt-install --import --name test --ram 2048 --disk path=fedora-23.img,format=raw --os-variant fedora23

When it boots for the first time, ensure that services start up
correctly (not lots of "FAIL" lines or other errors during boot), and
ensure it does *not* reboot automatically because of autorelabel.

Inside the guest:

* You can log in as root (password: 123456).
* SELinux should be enforcing.

X11 should probably work too, but I cannot get it to start.  I think I'm
missing some packages, and it's not a SELinux error.

Comment 3 Xianghua Chen 2016-08-15 09:52:17 UTC
Verified with packages:
libguestfs-1.32.7-1.el7.x86_64


Verify steps:
1. Create a new guest image: fedora-22.img
# virt-builder fedora-22  --install "@Xfce Desktop" --update --root-password password:123456 --selinux-relabel
2. 
# guestfish --ro -a fedora-22.img -i
><fs> ls /
Check that /.autorelabel is *not* created
3. Start the guest image:
# virt-install --import --name test --ram 2048 --disk path=fedora-22.img,format=raw --os-variant fedora22
# virsh list --all
 Id    Name                           State
----------------------------------------------------
 12    test                           running
# virsh console 12
4. Log into the guest as root; the password is 123456
# cat /var/log/boot.log
Check in /var/log/boot.log that services start up correctly (not lots of "FAIL" lines or other errors during boot), and ensure it does *not* reboot automatically because of autorelabel.
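
The image and boot-log checks from the test steps in this report, scripted as an added example (not part of the bug report or of libguestfs). The function names are hypothetical, the boot log is assumed to have been copied out of the guest, and "[FAILED]" is assumed to be the marker for the "FAIL" lines mentioned above.

```shell
#!/bin/sh
# Added example: scripts the image and boot-log checks from the steps above.

# Succeeds when /.autorelabel is absent from the image (the expected result).
# guestfish's is-file command prints "true" or "false".
autorelabel_absent() {
    out=$(guestfish --ro -a "$1" -i is-file /.autorelabel) || return 2
    [ "$out" = "false" ]
}

# Prints how many "[FAILED]" unit lines a saved boot.log contains.
# boot.log may contain console colour codes, so strip ANSI escapes first.
count_boot_failures() {
    esc=$(printf '\033')
    sed "s/${esc}\[[0-9;]*m//g" "$1" |
        awk '/^[[:space:]]*\[FAILED\]/ { n++ } END { print n + 0 }'
}

# Runs both checks; prints PASS or the first failing check.
# $1 = disk image, $2 = copy of the guest's /var/log/boot.log (assumed paths).
verify_relabel() {
    if ! autorelabel_absent "$1"; then
        echo "FAIL: /.autorelabel present, or image could not be inspected"
        return 1
    fi
    n=$(count_boot_failures "$2")
    if [ "$n" -ne 0 ]; then
        echo "FAIL: $n failed unit(s) in boot log"
        return 1
    fi
    echo "PASS"
}

# Constructed sample boot.log (not taken from a real guest).
sample_boot_log() {
    esc=$(printf '\033')
    printf '[%s[32m  OK  %s[0m] Started Network Manager.\n' "$esc" "$esc"
    printf '[%s[1;31mFAILED%s[0m] Failed to start Example Service.\n' "$esc" "$esc"
    printf '[%s[32m  OK  %s[0m] Reached target Multi-User System.\n' "$esc" "$esc"
}
```

Call it as `verify_relabel fedora-22.img boot.log`; whether SELinux is enforcing still has to be checked inside the running guest.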

Comment 5 errata-xmlrpc 2016-11-03 18:03:14 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2016-2576.html