Description of problem:
Adding --selinux-relabel fixes all of the AVC denials I was seeing from a freshly built image. Only one remains:

    type=AVC msg=audit(1397776942.679:469): avc: denied { unlink } for pid=343 comm="NetworkManager" name="resolv.conf" dev="sda3" ino=137360 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file

I see it logged each time the instance is rebooted. Running "restorecon -R /" fixes it. This appears to be a virt-builder bug in how it is relabeling the file system.

Version-Release number of selected component (if applicable):
libguestfs-tools-c-1.26.0-1.fc20.x86_64
libguestfs-tools-1.26.0-1.fc20.noarch
libguestfs-1.26.0-1.fc20.x86_64

How reproducible:
always

Steps to Reproduce:
1. Build image using https://github.com/agroup/instack-undercloud/blob/master/README-virt.md; you may need to use the latest instack-virt-setup script from master as it includes --selinux-relabel

Actual results:
avc logged

Expected results:
no avc logged

Additional info:
Created attachment 887366 [details] audit.log from f20 instance using image created by virt-builder
The "autorelabel way" (since libguestfs >= 1.25.47) is to run the following shell snippet on the guest:

    if load_policy && fixfiles restore; then
      rm -f /.autorelabel
    else
      touch /.autorelabel
      echo '%s: SELinux relabelling failed, will relabel at boot instead.'
    fi

You should see it in the log of virt-builder, saved by default as /tmp/builder.log (or /builder.log if /tmp does not exist).

On our side, running commands in the guest requires the daemon to set up a mini-environment every time, including (if the network in the guest is not disabled) moving away the existing /etc/resolv.conf, copying the one from the appliance root (and restoring the old one after the execution of the command). I didn't do further tests yet, but I suspect that having /etc/resolv.conf restored in its place after the policy fix command should not be seen in a good way by SELinux.

A couple of workarounds/things to check:
a) running virt-builder --no-network (so without being able to install stuff from the internet, though) should not cause the issue
b) forcing the autorelabel, using --run "touch /.autorelabel"

Will take a further look (if Rich doesn't beat me to it) in a few days.
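Added shell example (mine, not code from this bug or from libguestfs) of the post-build check the reporter did by hand: scan a guest audit.log for AVC denials on files that survived the relabel. The first sample record is the denial quoted in the report; the other two records are constructed.

```shell
#!/bin/sh
# Added example, not libguestfs code: list AVC file denials left in a
# guest audit.log after a virt-builder relabel.

# Constructed audit.log excerpt. Record 1 is the denial from the bug report;
# record 2 is a SYSCALL record that must be skipped; record 3 is a constructed
# denial for an sshd key file that kept a home-directory label.
SAMPLE_AUDIT='type=AVC msg=audit(1397776942.679:469): avc: denied { unlink } for pid=343 comm="NetworkManager" name="resolv.conf" dev="sda3" ino=137360 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1397776942.679:469): arch=c000003e syscall=87 success=no exit=-13 comm="NetworkManager"
type=AVC msg=audit(1397776950.100:470): avc: denied { read } for pid=512 comm="sshd" name="authorized_keys" dev="sda3" ino=20011 scontext=system_u:system_r:sshd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'

# avc_file_denials LOGTEXT
# One line per AVC denial with tclass=file: "<perm> <name> <target type> <comm>".
avc_file_denials() {
    printf '%s\n' "$1" | awk '
        /^type=AVC / && /tclass=file/ {
            perm = ""; name = ""; ttype = ""; comm = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "{") perm = $(i + 1)
                if ($i ~ /^name=/)     { name = $i; sub(/^name="?/, "", name); sub(/"$/, "", name) }
                if ($i ~ /^comm=/)     { comm = $i; sub(/^comm="?/, "", comm); sub(/"$/, "", comm) }
                if ($i ~ /^tcontext=/) { split($i, c, ":"); ttype = c[3] }
            }
            print perm, name, ttype, comm
        }'
}

# avc_denial_count LOGTEXT
# Number of AVC file denials; a correctly relabelled image should give 0.
avc_denial_count() {
    avc_file_denials "$1" | wc -l | tr -d ' '
}

# relabel_check LOGTEXT
# Returns 0 when the log is clean, 1 when denials remain (and lists them).
relabel_check() {
    n=$(avc_denial_count "$1")
    if [ "$n" -eq 0 ]; then
        echo "no AVC file denials: relabel looks complete"
        return 0
    fi
    echo "$n AVC file denial(s) remain; candidates for restorecon:"
    avc_file_denials "$1"
    return 1
}

relabel_check "$SAMPLE_AUDIT" || :
```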
I've actually seen some SELinux relabelling strangeness with virt-builder from git too. For example I had several files in /usr/lib64 which were not labelled even though autorelabel had been done (bug 1088571). Again I had to manually run restorecon (twice!) to fix things. Something is broken here but I've not had a chance to look at it yet.
There have been discussions and work toward this:
https://www.redhat.com/archives/libguestfs/2014-April/msg00070.html
https://www.redhat.com/archives/libguestfs/2014-May/msg00067.html
https://www.redhat.com/archives/libguestfs/2014-May/msg00094.html
with a couple of RFC-like patches posted in the last thread.
*** Bug 1122907 has been marked as a duplicate of this bug. ***
*** Bug 1084221 has been marked as a duplicate of this bug. ***
Hitting this with virt-configure installing ssh keys.
Hitting this with virt-builder --update and/or --install
(In reply to Martin Bukatovic from comment #8)
> Hitting this with virt-builder --update and/or --install

Please attach the full debug output (virt-builder -v -x)
Created attachment 1036442 [details]
Output of virt-builder run with --update and --install options used

Attaching full debug output of the following command:

    virt-builder fedora-22 \
      --size 15G \
      --format qcow2 \
      --hostname bigtopdev.telesto.local \
      --update \
      --install "gradle,groovy" \
      --output reproducer.qcow2 \
      -x -v 2>&1 | tee virt-builder.output

libguestfs-tools-c-1.28.10-1.fc21.x86_64 used

Resulting issue is the same as described in dupl. BZ 1084221.
(In reply to Martin Bukatovic from comment #10)
> Created attachment 1036442 [details]
> Output of virt-builder run with --update and --install options used
>
> Attaching full debug output of the following command:
>
> virt-builder fedora-22 \
>   --size 15G \
>   --format qcow2 \
>   --hostname bigtopdev.telesto.local \
>   --update \
>   --install "gradle,groovy" \
>   --output reproducer.qcow2 \
>   -x -v 2>&1 | tee virt-builder.output

So to be clear, it works if you add --selinux-relabel to the command line?
(In reply to Richard W.M. Jones from comment #11)
> (In reply to Martin Bukatovic from comment #10)
> > Created attachment 1036442 [details]
> > Output of virt-builder run with --update and --install options used
> >
> > Attaching full debug output of the following command:
> >
> > virt-builder fedora-22 \
> >   --size 15G \
> >   --format qcow2 \
> >   --hostname bigtopdev.telesto.local \
> >   --update \
> >   --install "gradle,groovy" \
> >   --output reproducer.qcow2 \
> >   -x -v 2>&1 | tee virt-builder.output
>
> So to be clear, it works if you add --selinux-relabel to the
> command line?

Yes, then it works.
--selinux-relabel has been rewritten and fixed. The upstream patches are:
https://github.com/libguestfs/libguestfs/commit/9d205f1c284a69390907120ca44f5c723fecc244
https://github.com/libguestfs/libguestfs/commit/6ec75f8cfe455493b46f1a3a5a00282359e588a5
https://github.com/libguestfs/libguestfs/commit/f3c69fe60bc29ebfcef0ea9d86d407e1a88686b0
https://github.com/libguestfs/libguestfs/commit/b6e92b1100b4ca462a35549bd36322f0510739bc
https://github.com/libguestfs/libguestfs/commit/35bac3a6501354e4a3805877d950e741429f169b
https://github.com/libguestfs/libguestfs/commit/fc114904848559e02d8f4e4a8bfb57277c349f0f