1374232 – selinux relabel fails on RHEL 6.2 guests with "libguestfs error: selinux_relabel: : Success"

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1374232 - selinux relabel fails on RHEL 6.2 guests with "libguestfs error: selinux_relabel: : Success"

Summary: selinux relabel fails on RHEL 6.2 guests with "libguestfs error: selinux_rela...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	libguestfs
Sub Component:
Version:	7.1
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Pino Toscano
QA Contact:	Virtualization Bugs
Docs Contact:	Yehuda Zimmerman
URL:
Whiteboard:	V2V
Depends On:	1359086
Blocks:
TreeView+	depends on / blocked

Reported:	2016-09-08 09:56 UTC by laitao
Modified:	2020-01-17 15:55 UTC (History)
CC List:	8 users (show)
Fixed In Version:	libguestfs-1.36.2-1.el7
Doc Type:	Bug Fix
Doc Text:	Red Hat Enterprise Linux 6.2 - 6.5 guest virtual machines can now be converted using virt-v2v Previously, an error in the SELinux `file_contexts` file in Red Hat Enterprise Linux versions 6.2 - 6.5 prevented conversion of these guests using the virt-v2v utiltiy. With this update, virt-v2v automatically fixes the error in the SElinux `file_contexts` file. As a result, Red Hat Enterprise Linux 6.2-6.5 guest virtual machines can now be converted using virt-v2v.
Clone Of:
Environment:
Last Closed:	2017-08-01 22:08:55 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2017:2023	0	normal	SHIPPED_LIVE	libguestfs bug fix and enhancement update	2017-08-01 19:32:01 UTC

Description laitao 2016-09-08 09:56:05 UTC

Description of problem:


Version-Release number of selected component (if applicable):

virt-v2v 1.32
libguestfs 1.32


when i use rel7 virt-v2v to convert all the linux system ,this problem appeal: virt-v2v: error: libguestfs error: selinux_relabel: : Success, i do not know how to fix it .

guestfsd: main_loop: proc 467 (selinux_relabel) took 1.76 seconds
libguestfs: trace: v2v: selinux_relabel = -1 (error)
virt-v2v: error: libguestfs error: selinux_relabel: : Success
rm -rf '/var/tmp/ova.Q8TNG6'
rm -rf '/var/tmp/null.fkFo25'
libguestfs: trace: v2v: close

Comment 1 Richard W.M. Jones 2016-09-08 10:22:25 UTC

Which exact version of libguestfs and virt-v2v, and where did
you get them from?

Secondly please run virt-v2v with the -v -x options and attach
the complete output to this bug.

Comment 3 laitao 2016-09-09 02:39:32 UTC

virt-v2v-1.32.7-1.el7.x86_64

libguestfs-1.32.7-1.el7.x86_64

get them from yum : http://people.redhat.com/~rjones/libguestfs-RHEL-7.3-preview/

error:
[root@bao-test-3 ~]# virt-v2v -i ova /usr/BXTT1V10152/ -o local -os /var/tmp -of qcow2
[   0.0] Opening the source -i ova /usr/BXTT1V10152/
[   0.0] Creating an overlay to protect the source from being modified
[   0.1] Initializing the target -o local -os /var/tmp
[   0.1] Opening the overlay
[  10.2] Inspecting the overlay
[  38.3] Checking for sufficient free disk space in the guest
[  38.3] Estimating space required on target for each disk
[  38.3] Converting Red Hat Enterprise Linux Server release 6.2 (Santiago) to run on KVM
virt-v2v: error: libguestfs error: selinux_relabel: : Success

If reporting bugs, run virt-v2v with debugging enabled and include the
complete output:

while:
[root@bao-test-3 ~]# virt-v2v -v -x -i ova /usr/BXTT1V10152/ -o local -os /var/tmp -of qcow2

libguestfs: trace: v2v: is_file "/usr/sbin/load_policy" "followsymlinks:true"
guestfsd: main_loop: proc 50 (command) took 172.13 seconds
guestfsd: main_loop: new request, len 0x48
guestfsd: main_loop: proc 37 (is_file) took 0.00 seconds
libguestfs: trace: v2v: is_file = 1
libguestfs: trace: v2v: is_file "/etc/selinux/config" "followsymlinks:true"
guestfsd: main_loop: new request, len 0x44
libguestfs: trace: v2v: is_file = 1
libguestfs: trace: v2v: feature_available "selinuxrelabel"
libguestfs: trace: v2v: internal_feature_available "selinuxrelabel"
guestfsd: main_loop: proc 37 (is_file) took 0.00 seconds
guestfsd: main_loop: new request, len 0x3c
guestfsd: main_loop: proc 458 (internal_feature_available) took 0.00 secondslibg                 uestfs: trace: v2v: internal_feature_available = 0
libguestfs: trace: v2v: feature_available = 1
libguestfs: trace: v2v: aug_init "/" 48

guestfsd: main_loop: new request, len 0x34
libguestfs: trace: v2v: aug_init = 0
libguestfs: trace: v2v: aug_rm "/augeas/load/*["/etc/selinux/config/" !~ regexp(                 '^') + glob(incl) + regexp('/.*')]"
guestfsd: main_loop: proc 16 (aug_init) took 4.06 seconds
guestfsd: main_loop: new request, len 0x80
libguestfs: trace: v2v: aug_rm = 1161
libguestfs: trace: v2v: aug_load
guestfsd: main_loop: proc 22 (aug_rm) took 0.17 seconds
guestfsd: main_loop: new request, len 0x28
libguestfs: trace: v2v: aug_load = 0
libguestfs: trace: v2v: aug_match "/augeas/files//error"
guestfsd: main_loop: proc 27 (aug_load) took 0.37 seconds
guestfsd: main_loop: new request, len 0x40
guestfsd: main_loop: proc 24 (aug_match) took 0.00 seconds
libguestfs: trace: v2v: aug_match = []
libguestfs: trace: v2v: aug_get "/files/etc/selinux/config/SELINUXTYPE"
guestfsd: main_loop: new request, len 0x54
guestfsd: main_loop: proc 19 (aug_get) took 0.00 seconds
libguestfs: trace: v2v: aug_get = "targeted"
libguestfs: trace: v2v: aug_close
guestfsd: main_loop: new request, len 0x28
libguestfs: trace: v2v: aug_close = 0
libguestfs: trace: v2v: selinux_relabel "/etc/selinux/targeted/contexts/files/fi                 le_contexts" "/" "force:true"
guestfsd: main_loop: proc 26 (aug_close) took 0.26 seconds
guestfsd: main_loop: new request, len 0x6c
commandrvf: stdout=n stderr=y flags=0x0
commandrvf: setfiles -F -e /sysroot/dev -e /sysroot/proc -e /sysroot/selinux -e                  /sysroot/sys -r /sysroot -q /sysroot/etc/selinux/targeted/contexts/files/file_co                 ntexts /sysroot/
[  952.895254] hrtimer: interrupt took 2425878 ns
guestfsd: error: : Success
libguestfs: trace: v2v: selinux_relabel = -1 (error)
virt-v2v: error: libguestfs error: selinux_relabel: : Success
rm -rf '/var/tmp/ova.DwHLIj'
rm -rf '/var/tmp/null.PcWnKl'
libguestfs: trace: v2v: close
libguestfs: closing guestfs handle 0x284e580 (state 2)
libguestfs: trace: v2v: internal_autosync
guestfsd: main_loop: proc 467 (selinux_relabel) took 518.76 seconds
guestfsd: main_loop: new request, len 0x28
umount-all: /proc/mounts: fsname=rootfs dir=/ type=rootfs opts=rw freq=0 passno=0
umount-all: /proc/mounts: fsname=proc dir=/proc type=proc opts=rw,relatime freq=0 passno=0
umount-all: /proc/mounts: fsname=/dev/root dir=/ type=ext2 opts=rw,noatime freq=0 passno=0
umount-all: /proc/mounts: fsname=/proc dir=/proc type=proc opts=rw,relatime freq=0 passno=0
umount-all: /proc/mounts: fsname=/sys dir=/sys type=sysfs opts=rw,relatime freq=0 passno=0
umount-all: /proc/mounts: fsname=tmpfs dir=/run type=tmpfs opts=rw,nosuid,relatime,size=158048k,mode=755 freq=0 passno=0
umount-all: /proc/unts: fsname=/dev dir=/dev type=devtmpfs opts=rw,relatime,size=392944k,nr_inodes=98236,mode=755 freq=0 passno=0
umount-all: /proc/mounts: fsname=/dev/mapper/VolGroup-lv_root dir=/sysroot type=ext4 opts=rw,relatime,data=ordered freq=0 passno=0
umount-all: /proc/mounts: fsname=/dev/sda1 dir=/sysroot/boot type=ext4 opts=rw,relatime,data=ordered freq=0 passno=0
commandrvf: stdout=n stderr=y flags=0x0
commandrvf: umount /sysroot/boot
commandrvf: stdout=n stderr=y flags=0x0
commandrvf: umount /sysroot
fsync /dev/sda
guestfsd: main_loop: proc 282 (internal_autosync) took 3.57 seconds
libguestfs: trace: v2v: internal_autosync = 0
libguestfs: calling virDomainDestroy flags=0
libguestfs: command: run: rm
libguestfs: command: run: \ -rf /tmp/libguestfs7jY9Sh



(In reply to Richard W.M. Jones from comment #1)
> Which exact version of libguestfs and virt-v2v, and where did
> you get them from?
> 
> Secondly please run virt-v2v with the -v -x options and attach
> the complete output to this bug.

Comment 4 Richard W.M. Jones 2016-09-09 08:06:34 UTC

It looks as if the setfiles command doesn't send all errors
to stderr.  It also does a lot of stupid stuff like:

https://github.com/SELinuxProject/selinux/blob/master/policycoreutils/setfiles/setfiles.c#L165
https://github.com/SELinuxProject/selinux/blob/master/policycoreutils/setfiles/setfiles.c#L463
(and more)

Anyway I'll see if I can reproduce this with a RHEL 6.2 guest.

Comment 5 Richard W.M. Jones 2016-09-09 08:14:15 UTC

The two line reproducer is:

$ virt-builder rhel-6.2

$ guestfish --ro -a rhel-6.2.img -i selinux-relabel /etc/selinux/targeted/contexts/files/file_contexts / force:true
libguestfs: error: selinux_relabel: /sysroot/etc/selinux/targeted/contexts/files/file_contexts: Invalid argument: Success

Comment 6 tingting zheng 2016-09-09 08:31:15 UTC

(In reply to Richard W.M. Jones from comment #5)
> The two line reproducer is:
> 
> $ virt-builder rhel-6.2
> 
> $ guestfish --ro -a rhel-6.2.img -i selinux-relabel
> /etc/selinux/targeted/contexts/files/file_contexts / force:true
> libguestfs: error: selinux_relabel:
> /sysroot/etc/selinux/targeted/contexts/files/file_contexts: Invalid
> argument: Success

Hi,Richard

I saw you set devel_ack+ on this bug,will the bug be targeted for rhel7.3?

Comment 7 Richard W.M. Jones 2016-09-09 09:23:43 UTC

The problem turns out to be a faulty line in the RHEL 6.2
/etc/selinux/targeted/contexts/files/file_contexts.  The
problematic line is:

/var/run/spice-vdagentd.\pid   --      system_u:object_r:vdagent_var_run_t:s0  

setfiles doesn't exactly help because it hides the error amongst
a load of other irrelevant messages, but the actual error is:

contexts:  line 1838 has invalid regex /var/run/spice-vdagentd.\pid:  unknown property name after \P or \p

I believe the problem is: "spice-vdagentd.\pid" was intended to
be: "spice-vdagentd\.pid" but the backslash got misplaced.

Because this occurs in the guest filesystem (RHEL 6.2), it's
difficult to control from libguestfs/virt-v2v.  It was fixed
between 6.2 and 6.8, but I cannot find any Red Hat bug about it.

This is the same as the following Gentoo bug:
https://bugs.gentoo.org/show_bug.cgi?id=436688

Since this only affects unsupported RHEL 6, I'm going to defer it
to RHEL 7.4.

Comment 8 Richard W.M. Jones 2016-09-09 09:26:02 UTC

To the reporter:

To work around this you will need to edit
the file /etc/selinux/targeted/contexts/files/file_contexts in
the source guest.  Find the line which has the incorrect
\p regexp (see comment 7) and repair it.

Or: upgrade the guest to a more recent version of RHEL 6 before
trying to convert it.

Comment 9 laitao 2016-09-12 02:42:46 UTC

(In reply to Richard W.M. Jones from comment #8)
> To the reporter:
> 
> To work around this you will need to edit
> the file /etc/selinux/targeted/contexts/files/file_contexts in
> the source guest.  Find the line which has the incorrect
> \p regexp (see comment 7) and repair it.
> 
> Or: upgrade the guest to a more recent version of RHEL 6 before
> trying to convert it.

You are right, after I edit the /etc/selinux/targeted/contexts/files/file_contexts in the source guest,the conversion successed. what a amazing bug in the redhat...

Comment 10 mxie@redhat.com 2016-09-12 06:23:34 UTC

I can reproduce this bug with below builds when convert a rhel6.5 guest from ova file by virt-v2v

Packages:
virt-v2v-1.32.7-3.el7.x86_64
libguestfs-1.32.7-3.el7.x86_64
qemu-kvm-rhev-2.6.0-24.el7.x86_64
libvirt-2.0.0-8.el7.x86_64

Step:
1.# virt-v2v -i ova esx-rhel6-ova.tar -os default -of raw
[   0.0] Opening the source -i ova esx-rhel6-ova.tar
[  13.6] Creating an overlay to protect the source from being modified
[  14.2] Initializing the target -o libvirt -os default
[  14.3] Opening the overlay
[  51.5] Inspecting the overlay
[  59.9] Checking for sufficient free disk space in the guest
[  59.9] Estimating space required on target for each disk
[  59.9] Converting Red Hat Enterprise Linux Server release 6.5 (Santiago) to run on KVM
virt-v2v: error: libguestfs error: selinux_relabel: 
/sysroot/etc/selinux/targeted/contexts/files/file_contexts: Invalid 
argument: Success

If reporting bugs, run virt-v2v with debugging enabled and include the 
complete output:

  virt-v2v -v -x [...]

Comment 11 Richard W.M. Jones 2017-02-16 14:07:37 UTC

Fixed upstream in ad3c8fe7f49c4991e1aa536856a1a408f55d5409.

Comment 13 Christopher Brown 2017-03-03 17:01:21 UTC

I can confirm that updating selinux-policy* for RHEL 6.4 fixed this.

Comment 14 mxie@redhat.com 2017-03-06 09:48:34 UTC

Verify the bug with builds:
virt-v2v-1.36.1-1.el7.x86_64
libvirt-3.1.0-1.el7.x86_64
qemu-kvm-rhev-2.8.0-5.el7.x86_64
libguestfs-1.36.1-1.el7.x86_64

Steps:
1.Convert a rhel6.2 guest by virt-v2v
# virt-v2v -ic xen+ssh://root.3.21 xen-hvm-rhel6.2-i386 -of qcow2[   0.0] Opening the source -i libvirt -ic xen+ssh://root.3.21 xen-hvm-rhel6.2-i386
[   0.3] Creating an overlay to protect the source from being modified
[   0.8] Initializing the target -o libvirt -os default
[   1.0] Opening the overlay
[  15.1] Inspecting the overlay
[  27.2] Checking for sufficient free disk space in the guest
[  27.2] Estimating space required on target for each disk
[  27.2] Converting Red Hat Enterprise Linux Server release 6.2 Beta (Santiago) to run on KVM
virt-v2v: error: libguestfs error: selinux_relabel: 
/sysroot/etc/selinux/targeted/contexts/files/file_contexts: Invalid 
argument

If reporting bugs, run virt-v2v with debugging enabled and include the 
complete output:

  virt-v2v -v -x [...]

2.Convert a rhel6.5 guest from ova file by virt-v2v
# virt-v2v -i ova esx-rhel6-ova.tar -of raw
[   0.0] Opening the source -i ova esx-rhel6-ova.tar
[   1.7] Creating an overlay to protect the source from being modified
[   1.9] Initializing the target -o libvirt -os default
[   1.9] Opening the overlay
[   2.8] Inspecting the overlay
[   9.5] Checking for sufficient free disk space in the guest
[   9.5] Estimating space required on target for each disk
[   9.5] Converting Red Hat Enterprise Linux Server release 6.5 (Santiago) to run on KVM
virt-v2v: error: libguestfs error: selinux_relabel: 
/sysroot/etc/selinux/targeted/contexts/files/file_contexts: Invalid 
argument

If reporting bugs, run virt-v2v with debugging enabled and include the 
complete output:

  virt-v2v -v -x [...]


According to the above verify result, the bug has not been fixed yet

Comment 15 Richard W.M. Jones 2017-03-06 09:55:30 UTC

The fix is a documentation fix.

https://github.com/libguestfs/libguestfs/commit/ad3c8fe7f49c4991e1aa536856a1a408f55d5409

The real bug is essentially impossible to fix because it's a problem
with a broken regular expression in a file in the guest filesystem.

Comment 16 Richard W.M. Jones 2017-03-06 10:44:04 UTC

I posted an alternative fix upstream which rewrites the
invalid regexp in the file_contexts file:

https://www.redhat.com/archives/libguestfs/2017-March/msg00076.html

Comment 17 Richard W.M. Jones 2017-03-06 16:04:15 UTC

Improved fix for this is upstream in:

https://github.com/libguestfs/libguestfs/commit/25772a8123a1a800caf3472fb79c8eb3b4a074f3

Needs backporting to RHEL 7.4.

Comment 18 Richard W.M. Jones 2017-03-06 16:08:26 UTC

Sorry, there was a typo in the commit.  The full list of commits
needed to fix this is:

https://github.com/libguestfs/libguestfs/commit/25772a8123a1a800caf3472fb79c8eb3b4a074f3
https://github.com/libguestfs/libguestfs/commit/c6d8d68a4643794128c1d617bc83fc22438cc7c5

Comment 19 mxie@redhat.com 2017-03-09 14:44:59 UTC

Verify the bug again with builds:
virt-v2v-1.36.2-1.el7.x86_64
libguestfs-1.36.2-1.el7.x86_64
libvirt-3.1.0-2.el7.x86_64
qemu-kvm-rhev-2.8.0-6.el7.x86_64

Steps:
1.Convert a rhel6.2 guest from rhel5 host by virt-v2v
 virt-v2v -ic xen+ssh://root.3.21 xen-hvm-rhel6.2-i386 -of qcow2
[   0.0] Opening the source -i libvirt -ic xen+ssh://root.3.21 xen-hvm-rhel6.2-i386
[   0.4] Creating an overlay to protect the source from being modified
[   0.9] Initializing the target -o libvirt -os default
[   0.9] Opening the overlay
[   3.6] Inspecting the overlay
[  16.7] Checking for sufficient free disk space in the guest
[  16.7] Estimating space required on target for each disk
[  16.7] Converting Red Hat Enterprise Linux Server release 6.2 Beta (Santiago) to run on KVM
virt-v2v: This guest has virtio drivers installed.
[  70.6] Mapping filesystem data to avoid copying unused and blank areas
[  70.8] Closing the overlay
[  70.8] Checking if the guest needs BIOS or UEFI to boot
[  70.8] Assigning disks to buses
[  70.8] Copying disk 1/1 to /var/lib/libvirt/images/xen-hvm-rhel6.2-i386-sda (qcow2)
    (100.00/100%)
[ 444.7] Creating output metadata
Pool default refreshed

Domain xen-hvm-rhel6.2-i386 defined from /tmp/v2vlibvirt674d71.xml

[ 444.8] Finishing off

2.Power on the guest"xen-hvm-rhel6.2-i386 " and checkpoints of guest are passed

3.Convert a rhel6.5 guest from ova file by virt-v2v
# virt-v2v -i ova esx-rhel6-ova.tar -of raw
[   0.0] Opening the source -i ova esx-rhel6-ova.tar
[   2.0] Creating an overlay to protect the source from being modified
[   2.2] Initializing the target -o libvirt -os default
[   2.2] Opening the overlay
[   3.2] Inspecting the overlay
[  10.5] Checking for sufficient free disk space in the guest
[  10.5] Estimating space required on target for each disk
[  10.5] Converting Red Hat Enterprise Linux Server release 6.5 (Santiago) to run on KVM
virt-v2v: This guest has virtio drivers installed.
[  46.1] Mapping filesystem data to avoid copying unused and blank areas
[  46.2] Closing the overlay
[  46.2] Checking if the guest needs BIOS or UEFI to boot
[  46.2] Assigning disks to buses
[  46.2] Copying disk 1/1 to /var/lib/libvirt/images/esx-rhel6-sda (raw)
    (100.00/100%)
[  72.1] Creating output metadata
Pool default refreshed

Domain esx-rhel6 defined from /tmp/v2vlibvirt0d2f93.xml

[  75.2] Finishing off

4.Power on the guest and checkpoints of guest are passed


According to above result,the bug has been fixed

So move the bug from ON_QA to VERIFIED

Comment 20 Christopher Brown 2017-03-29 08:20:27 UTC

Hello, I can customize the disk image but would it be possible to release a new iso based on this?

Comment 21 Richard W.M. Jones 2017-03-29 09:20:51 UTC

Note that this bug is fixed in *virt-v2v* not in the ISO.  The
version of virt-v2v which should fix this is available here:

https://people.redhat.com/~rjones/libguestfs-RHEL-7.4-preview/

Incidentally there are also new virt-p2v preview images (although
it is not necessary to use them unless you want to):

http://oirase.annexia.org/virt-p2v/RHEL-7.4-preview/

Comment 23 errata-xmlrpc 2017-08-01 22:08:55 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2023

Note You need to log in before you can comment on or make changes to this bug.