Bug 1554735

Summary: RFE: customize --selinux-relabel should be the default, with --no-selinux-relabel used to opt out
Product: [Community] Virtualization Tools
Reporter: Lee Yarwood <lyarwood>
Component: libguestfs
Assignee: Laszlo Ersek <lersek>
Status: CLOSED UPSTREAM
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Docs Contact: Jiri Herrmann <jherrman>
Priority: medium
Version: unspecified
CC: jherrman, kkiwi, laine, lersek, lmanasko, mjahoda, ptoscano, rjones, yoguo
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Known Issue
Doc Text:
.Using `virt-customize` sometimes causes `guestfs-firstboot` to fail
After modifying a virtual machine (VM) disk image using the `virt-customize` utility, the `guestfs-firstboot` service in some cases fails due to incorrect SELinux permissions. This causes a variety of problems during VM startup, such as failing user creation or system registration. To avoid this problem, use the `virt-customize` command with the `--selinux-relabel` option.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2022-05-11 03:47:50 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 2075718

Description Lee Yarwood 2018-03-13 09:11:29 UTC
Description of problem:
Using the --update switch results in the root account being inaccessible.

Version-Release number of selected component (if applicable):
libguestfs-tools-c-1.37.35-1.fc27.x86_64

How reproducible:
Always

Steps to Reproduce:
1. virt-builder -o /var/lib/libvirt/images/test.img --update --root-password password:redhat --size 10G fedora-26
2. virt-install --import --vcpus 6 --ram 1024 --disk format=raw,path=/var/lib/libvirt/images/test.img --network network=default,model=virtio --noautoconsole --nographics --name test
3. ssh -lroot $(virsh domifaddr test | grep ipv4 | awk '{ print $4 }' | sed -e 's/\/.*//g')

Actual results:
-- root: no shell: Permission denied

Expected results:
Able to log into root account.

Additional info:
Also reproducible when using SSH keys.

Comment 1 Richard W.M. Jones 2018-03-13 10:50:53 UTC
Does adding --selinux-relabel fix things?

Comment 2 Richard W.M. Jones 2018-03-13 10:54:19 UTC
There's also discussion of making that flag default to true unless
the user selects ‘--no-selinux-relabel’, which would make it less of
a common trap:
https://gb.redhat.com/archives/libguestfs/2018-February/msg00039.html

Comment 3 Lee Yarwood 2018-03-15 13:44:34 UTC
(In reply to Richard W.M. Jones from comment #1)
> Does adding --selinux-relabel fix things?

Yes, thanks!

(In reply to Richard W.M. Jones from comment #2)
> There's also discussion of making that flag default to true unless
> the user selects ‘--no-selinux-relabel’, which would make it less of
> a common trap:
> https://gb.redhat.com/archives/libguestfs/2018-February/msg00039.html

Cool, yes that would be useful. Feel free to close this bug out if you don't want to track that here.

Comment 4 Richard W.M. Jones 2018-03-15 14:52:24 UTC
Let's recycle this bug for this purpose.

Comment 7 Laszlo Ersek 2022-05-11 03:47:50 UTC
Fixed up-stream in:

libguestfs commit range 00b9ef239342..08c4ac90f5a3
libguestfs-common commit range 81f86a0058a9..48527b8768d7
guestfs-tools commit 19de3d1c8d4e
virt-v2v commit 0c24fc6015ce
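
For tool versions that predate the upstream change, a provisioning script can be checked for the trap discussed in this bug: a `virt-builder` or `virt-customize` call that passes neither `--selinux-relabel` nor `--no-selinux-relabel`. The following is an added example, not part of the bug report or of libguestfs; the function names and the sample script are constructed for illustration.

```shell
#!/bin/sh
# Added example (not libguestfs code): report virt-builder / virt-customize
# command lines that pass neither --selinux-relabel nor --no-selinux-relabel.
# Textual check only: flags supplied through variables are not seen.

# Constructed sample provisioning script used as input.
sample_script() {
    cat <<'EOF'
# build and customize test images (constructed sample)
virt-builder -o test.img --update --root-password password:redhat --size 10G fedora-26
virt-customize -a test.img --install vim \
    --selinux-relabel
  virt-customize -a other.img --update
virt-customize -a third.img --update --no-selinux-relabel
echo "virt-customize finished"
EOF
}

# Reads a shell script on stdin and prints each offending command.
# Returns 1 if any was found, 0 otherwise.
find_missing_relabel() {
    _found=0
    # read without -r joins backslash-continued lines into one command
    while IFS= read _cmd || [ -n "$_cmd" ]; do
        _cmd=${_cmd#"${_cmd%%[![:space:]]*}"}     # strip leading whitespace
        case $_cmd in ''|'#'*) continue ;; esac   # skip blanks and comments
        # keep only lines that invoke one of the two tools as a command word
        printf '%s\n' "$_cmd" |
            grep -Eq '(^|[[:space:];|&(])virt-(builder|customize)([[:space:]]|$)' || continue
        # an explicit choice either way is accepted
        printf '%s\n' "$_cmd" |
            grep -Eq '[[:space:]]--(no-)?selinux-relabel([[:space:]]|$)' && continue
        printf '%s\n' "$_cmd"
        _found=1
    done
    return "$_found"
}

sample_script | find_missing_relabel || echo "^ no explicit SELinux relabel choice in the commands above"
```

An explicit `--no-selinux-relabel` is accepted because it records a deliberate opt-out rather than an omission.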