Bug 1828952
| Summary: | virt-customize --selinux-relabel (and other tools) do not work if SELINUXTYPE != targeted | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | John Hobach <jhobach> |
| Component: | libguestfs | Assignee: | Richard W.M. Jones <rjones> |
| Status: | CLOSED ERRATA | QA Contact: | YongkuiGuo <yoguo> |
| Severity: | high | Docs Contact: | |
| Priority: | medium | | |
| Version: | 8.1 | CC: | ben.carbery, jsuchane, knoel, ptoscano, rjones, virt-maint, yoguo |
| Target Milestone: | rc | Keywords: | Triaged |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | libguestfs-1.40.2-27.el8 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2021-05-18 15:21:14 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
John Hobach
2020-04-28 16:17:43 UTC
Rich, can you please have a look. Thanks.

The actual problem is when SELINUXTYPE != targeted. We're looking for a directory /etc/selinux/<SELINUXTYPE>/... which does not exist.

An easy way to reproduce this is to take a guest and edit /etc/selinux/config, setting SELINUXTYPE to anything except targeted, eg:

SELINUX=enforcing
SELINUXTYPE=foobar

Then run virt-customize --selinux-relabel:

$ virt-customize --selinux-relabel -a fedora-30.img
[ 0.0] Examining the guest ...
[ 6.0] Setting a random seed
[ 6.1] SELinux relabelling
virt-customize: error: libguestfs error: grep: /etc/selinux/foobar/contexts/files/file_contexts: No such file or directory

Simple patch coming shortly.

https://www.redhat.com/archives/libguestfs/2020-May/msg00020.html
https://www.redhat.com/archives/libguestfs/2020-May/msg00021.html

(In reply to Richard W.M. Jones from comment #2)
> The actual problem is when SELINUXTYPE != targeted. We're looking for
> a directory /etc/selinux/<SELINUXTYPE>/... which does not exist.
>
> An easy way to reproduce this is to take a guest and edit
> /etc/selinux/config,
> setting SELINUXTYPE to anything except targeted, eg:
>
> SELINUX=enforcing
> SELINUXTYPE=foobar

Most probably this setup will create issues in the guest, as SELinux is configured to enforce a policy that does not exist. As I wrote in a reply to the patch sent for this issue [1], we rather need to look at SELINUX first, and perform a relabel only when enforcing. Therefore I think the initial subject (mentioning "SELINUX=disabled" instead of "SELINUXTYPE != targeted") was correct.

[1] https://www.redhat.com/archives/libguestfs/2020-May/msg00035.html

Is there any available workaround for this problem?

Simpler than I thought. In my case the error was the 'targeted' policy files not being found. Since selinux was disabled, the package was not needed and not installed.
The /etc/selinux/config was simply:
SELINUX=disabled
Restarting the guest and installing the targeted policy before converting was a valid workaround, e.g.:
yum install selinux-policy-targeted-3.13.1-266.el7
In response to Pino's proposed fix ...
> we rather need to look at SELINUX first, and perform a relabel only when enforcing.
... it seems to me that this package shouldn't be expected if selinux is disabled, since in this case selinux is unlikely to be used. But I would think it is required for either the enforcing OR permissive case, since this is more of a runtime state that requires the policy package.
Fixed upstream in:
https://github.com/libguestfs/libguestfs-common/commit/3493d9fcaab6de1c09528e55a01bc24f0fb6c03c
https://github.com/libguestfs/libguestfs-common/commit/101dac2eac8c61f0081c343b5d69cfa4efbc2a98

Verified with package:
libguestfs-1.40.2-27.module+el8.4.0+9282+0bdec052.x86_64

Steps:
1. Prepare a rhel8.3 guest image and modify /etc/selinux/config file as follows:
SELINUX=enforcing
SELINUXTYPE=foobar

2. $ virt-customize -v -x --selinux-relabel -a RHEL-Server-8.3.0-64-hvm.raw
[ 0.0] Examining the guest ...
[ 5.6] Setting a random seed
[ 5.6] SELinux relabelling
...
libguestfs: trace: aug_get = "foobar"
libguestfs: trace: aug_close
guestfsd: <= aug_close (0x1a) request length 40 bytes
libguestfs: trace: aug_close = 0ok 0.01 secs
libguestfs: trace: is_file "/etc/selinux/foobar/contexts/files/file_contexts" "followsymlinks:true"
guestfsd: <= is_file (0x25) request length 96 bytes
chroot: /sysroot: running 'is_file: /etc/selinux/foobar/contexts/files/file_contexts'
guestfsd: => is_file (0x25) took 0.00 secs
libguestfs: trace: is_file = 0
libguestfs: trace: touch "/.autorelabel"
...
[ 6.2] Finishing off

No error like this '/etc/selinux/foobar/contexts/files/file_contexts: No such file or directory'.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: virt:rhel and virt-devel:rhel security, bug fix, and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:1762
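The thread settles on three distinct situations for an offline --selinux-relabel: SELinux disabled in the guest (Ben's case, where selinux-policy-targeted is simply not installed), an active mode with the policy's file_contexts present (the normal path), and an active mode whose SELINUXTYPE points at a policy directory that does not exist (the reproducer, where the fixed build falls back to touching /.autorelabel, as the verification trace shows). The script below is an added example, not libguestfs code and not either upstream commit: it reads /etc/selinux/config from a guest root given as a plain directory (standing in for the libguestfs sysroot), treats enforcing and permissive as "policy required" (Ben's reading rather than Pino's enforcing-only rule), and returns which of the three actions applies. The default SELINUXTYPE of "targeted" when the key is absent, the function names, and the throwaway guest roots built by make_guest_root() are all assumptions of this example.

```python
"""Decide how an offline tool should handle --selinux-relabel for a guest.

Added example for the decision discussed in bug 1828952; not libguestfs's
own implementation. The guest filesystem is modelled as a directory.
"""
import os
import re
import tempfile

# KEY=VALUE lines of /etc/selinux/config; optional quotes and trailing comment.
_KV_RE = re.compile(r'^\s*(SELINUX|SELINUXTYPE)\s*=\s*"?([^"\s#]+)"?\s*(#.*)?$')

# Modes in which the kernel loads a policy at boot, so labels must match it.
ACTIVE_MODES = ("enforcing", "permissive")


def parse_selinux_config(text):
    """Return the SELINUX and SELINUXTYPE assignments found in config text.
    Comment lines and other keys are ignored, the last assignment wins, and
    the mode is lower-cased; keys that never appear are absent."""
    values = {}
    for line in text.splitlines():
        m = _KV_RE.match(line)
        if not m:
            continue
        key, val = m.group(1), m.group(2)
        values[key] = val.lower() if key == "SELINUX" else val
    return values


def file_contexts_path(policy):
    """Guest-relative path of the spec file the relabel needs (the path the
    bug's error message quotes), for a policy name taken from SELINUXTYPE."""
    return os.path.join("etc", "selinux", policy, "contexts", "files", "file_contexts")


def plan_relabel(root):
    """Return {'action': 'skip' | 'setfiles' | 'autorelabel', 'reason': ...}.

    Rules (this example's, following the thread): no config or a non-active
    mode -> skip, because the policy package is legitimately absent; active
    mode with file_contexts present -> relabel from it; active mode with the
    policy directory missing -> leave a /.autorelabel marker so the guest
    relabels itself on first boot instead of the tool failing here.
    """
    cfg_path = os.path.join(root, "etc", "selinux", "config")
    if not os.path.isfile(cfg_path):
        return {"action": "skip", "reason": "guest has no /etc/selinux/config"}
    with open(cfg_path, encoding="utf-8", errors="replace") as fh:
        cfg = parse_selinux_config(fh.read())
    mode = cfg.get("SELINUX")
    if mode not in ACTIVE_MODES:
        return {"action": "skip",
                "reason": f"SELINUX={mode}: no policy is loaded at boot"}
    policy = cfg.get("SELINUXTYPE", "targeted")  # assumed default if unset
    fc = file_contexts_path(policy)
    if os.path.isfile(os.path.join(root, fc)):
        return {"action": "setfiles", "file_contexts": "/" + fc,
                "reason": f"SELINUX={mode} and policy '{policy}' is installed"}
    return {"action": "autorelabel", "marker": "/.autorelabel",
            "reason": f"SELINUX={mode} but /{fc} is missing"}


def apply_relabel(root):
    """Carry the plan out as far as an offline script can: create the
    /.autorelabel marker when that is the decision. For 'setfiles' only the
    argv that would run inside the guest is recorded, not executed."""
    plan = plan_relabel(root)
    if plan["action"] == "autorelabel":
        marker = os.path.join(root, plan["marker"].lstrip("/"))
        open(marker, "a").close()
        plan["marker_created"] = os.path.isfile(marker)
    elif plan["action"] == "setfiles":
        plan["argv"] = ["setfiles", "-F", plan["file_contexts"], "/"]
    return plan


def make_guest_root(config_text, policies=()):
    """Constructed fixture: a temporary directory acting as a guest root, with
    the given /etc/selinux/config and a placeholder file_contexts for each
    policy name in `policies` (i.e. whose policy package is 'installed')."""
    root = tempfile.mkdtemp(prefix="guest-")
    os.makedirs(os.path.join(root, "etc", "selinux"))
    with open(os.path.join(root, "etc", "selinux", "config"), "w") as fh:
        fh.write(config_text)
    for pol in policies:
        fc = os.path.join(root, file_contexts_path(pol))
        os.makedirs(os.path.dirname(fc), exist_ok=True)
        with open(fc, "w") as fh:
            fh.write("/.*\tsystem_u:object_r:default_t:s0\n")  # placeholder spec
    return root


def demo():
    """Run the three guests the bug thread talks about; returns name -> plan."""
    cases = {
        "reproducer: enforcing, SELINUXTYPE=foobar, no policy dir":
            make_guest_root("SELINUX=enforcing\nSELINUXTYPE=foobar\n"),
        "Ben's guest: disabled, targeted policy not installed":
            make_guest_root("SELINUX=disabled\n"),
        "healthy guest: enforcing, targeted installed":
            make_guest_root("# comment\nSELINUX=enforcing\nSELINUXTYPE=targeted\n",
                            policies=("targeted",)),
    }
    return {name: apply_relabel(root) for name, root in cases.items()}


if __name__ == "__main__":
    for name, plan in demo().items():
        print(f"{name}: {plan['action']} ({plan['reason']})")
```

The reproducer case ends with the marker present and no error, which is what the verification trace above shows (is_file returns 0, then touch "/.autorelabel"); the disabled case does nothing, so a guest without selinux-policy-targeted no longer needs Ben's workaround of installing the package first.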