Description of problem:
virt-rescue --selinux cannot work well: when SELinux is enabled on the command line, the value of 'getenforce' is still Disabled in the virt-rescue appliance.

Version-Release number of selected component (if applicable):
libguestfs-1.27.62-1.1.el7

How reproducible:
100%

Steps to Reproduce:
1. Get a rhel guest image: rhel.img
2. #virt-rescue --selinux -a rhel.img
><rescue> getenforce
Disabled
><rescue> ls -Z /
lrwxrwxrwx root root ? bin -> usr/bin
dr-xr-xr-x root root ? boot
drwxr-xr-x root root ? dev
drwxr-xr-x root root ? etc

Actual results:
#virt-rescue --selinux -a rhel.img
><rescue> getenforce
Disabled
><rescue> ls -Z /
lrwxrwxrwx root root ? bin -> usr/bin
dr-xr-xr-x root root ? boot
drwxr-xr-x root root ? dev
drwxr-xr-x root root ? etc

Expected results:
SELinux should be enabled in the virt-rescue appliance and work well.

Additional info:
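The listing in the report shows "?" in every context column, which is what coreutils ls prints when it cannot read a file's security context (here because SELinux is disabled in the rescue appliance). The following is an added example, not code from the bug report or from libguestfs: a small parser for that ls -Z layout which reports whether any contexts were readable, run over the listing from the report and over a constructed labelled listing (the contexts in it are illustrative sample values).

```python
import re
from typing import List, NamedTuple, Optional

class Entry(NamedTuple):
    mode: str
    user: str
    group: str
    context: Optional[str]  # None when ls printed "?" (context unreadable)
    name: str

# Five-column "ls -Z" layout seen in the report: mode user group context name [-> target]
_LS_Z = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.+?)(?:\s+->\s+.*)?$")

def parse_ls_z(text: str) -> List[Entry]:
    """Parse ls -Z output, rejecting lines that do not fit the layout."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = _LS_Z.match(line)
        if not m:
            raise ValueError(f"unrecognised ls -Z line: {line!r}")
        mode, user, group, ctx, name = m.groups()
        entries.append(Entry(mode, user, group, None if ctx == "?" else ctx, name))
    return entries

def unlabelled(entries: List[Entry]) -> List[str]:
    """Names of entries whose security context could not be read."""
    return [e.name for e in entries if e.context is None]

def labels_visible(text: str) -> bool:
    """True only for a non-empty listing in which every entry has a context."""
    entries = parse_ls_z(text)
    return bool(entries) and not unlabelled(entries)

# Listing copied from the bug report: the rescue appliance could not read any label.
REPORT_LISTING = """\
lrwxrwxrwx root root ? bin -> usr/bin
dr-xr-xr-x root root ? boot
drwxr-xr-x root root ? dev
drwxr-xr-x root root ? etc
"""

# Constructed sample of the same directories on a labelled guest (illustrative contexts).
LABELLED_LISTING = """\
lrwxrwxrwx root root system_u:object_r:bin_t:s0 bin -> usr/bin
dr-xr-xr-x root root system_u:object_r:boot_t:s0 boot
drwxr-xr-x root root system_u:object_r:device_t:s0 dev
drwxr-xr-x root root system_u:object_r:etc_t:s0 etc
"""
```

`labels_visible(REPORT_LISTING)` is False with all four names reported as unlabelled, while the constructed listing passes; the same check can be applied to a listing taken after relabelling a guest.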
SELinux is never enabled in enforcing mode within the appliance. Doing so would possibly result in conflicts between the kernel and enforced policy within the appliance (which is usually a copy of the host system) and the SELinux attributes possibly set in file systems of guests. Because of this, in recent versions we had to disable SELinux completely in virt-builder and virt-customize. Thus I don't agree "enabling SELinux" should also make it enforcing, since it might lead to unusable tools.
(In reply to Pino Toscano from comment #1)
> SELinux is never enabled in enforcing mode within the appliance. Doing so
> would possibly result in conflicts between the kernel and enforced policy
> within the appliance (which is usually a copy of the host system) and the
> SELinux attributes possibly set in file systems of guests. Because of this,
> in recent versions we had to disable SELinux completely in virt-builder and
> virt-customize.
>
> Thus I don't agree "enabling SELinux" should also make it enforcing, since
> it might lead to unusable tools.

Thanks, I agree with you. If virt-rescue will never enable SELinux, then the --selinux option should be removed from the man page, or at least some text should be added to describe it.
These upstream patches fix things, and also deprecate the old virt-rescue --selinux option:

https://github.com/libguestfs/libguestfs/commit/9d205f1c284a69390907120ca44f5c723fecc244
https://github.com/libguestfs/libguestfs/commit/6ec75f8cfe455493b46f1a3a5a00282359e588a5
https://github.com/libguestfs/libguestfs/commit/f3c69fe60bc29ebfcef0ea9d86d407e1a88686b0
https://github.com/libguestfs/libguestfs/commit/b6e92b1100b4ca462a35549bd36322f0510739bc
https://github.com/libguestfs/libguestfs/commit/35bac3a6501354e4a3805877d950e741429f169b
https://github.com/libguestfs/libguestfs/commit/fc114904848559e02d8f4e4a8bfb57277c349f0f

I am closing out this bug since the option never worked and couldn't work by design, but there is now a working virt-customize --selinux-relabel option instead.