Created attachment 1264349 [details]
test-suite.log

Description of problem:

Literally, it doesn't relabel anything.

# setfiles -F -e /sysroot/dev -e /sysroot/proc -e /sysroot/selinux -e /sysroot/sys -r /sysroot -q /sysroot/etc/file_contexts /sysroot/
Can't stat exclude path "/sysroot/dev", No such file or directory - ignoring.
Can't stat exclude path "/sysroot/proc", No such file or directory - ignoring.
Can't stat exclude path "/sysroot/selinux", No such file or directory - ignoring.
Can't stat exclude path "/sysroot/sys", No such file or directory - ignoring.
# echo $?
0

But no files actually get relabelled.

libguestfs: trace: lgetxattr "/bin" "security.selinux"
guestfsd: error: getxattr: No data available

Version-Release number of selected component (if applicable):
Failing in: policycoreutils-2.6-3.fc26.x86_64
Working in: policycoreutils-2.5-19.fc25.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Run this test from the libguestfs test suite:
   https://github.com/libguestfs/libguestfs/blob/master/tests/relabel/test-relabel.pl

The full output from the test is attached.
This also affects real guests. It appears to be the root cause behind virt-customize firstboot functionality not working for Fedora 25 guests.
The command itself seems to work as expected on a regular system, see below. I guess the problem is in the fact that there's no "security.selinux" attribute in the filesystem:

libguestfs: trace: lgetxattr "/bin" "security.selinux"
guestfsd: error: getxattr: No data available

$ rpm -qf /usr/sbin/setfiles
policycoreutils-2.6-3.fc26.x86_64

$ mkdir -p sysroot/bin sysroot/etc/ sysroot/tmp sysroot/var/log
$ touch sysroot/bin/ls sysroot/tmp/test sysroot/var/log/messages
$ cat > sysroot/etc/file_contexts <<EOF
/.*                 system_u:object_r:default_t:s0
/bin/.*             system_u:object_r:bin_t:s0
/etc/.*             system_u:object_r:etc_t:s0
/etc/file_contexts  <<none>>
/tmp/.*             <<none>>
/var/.*             system_u:object_r:var_t:s0
/var/log/.*         system_u:object_r:var_log_t:s0
EOF

$ ls -lZ sysroot/var/log/messages
-rw-rw-r--. 1 plautrba plautrba unconfined_u:object_r:user_tmp_t:s0 0 Mar 20 09:16 sysroot/var/log/messages

$ setfiles -F -e `pwd`/sysroot/dev -e `pwd`/sysroot/proc -e `pwd`/sysroot/selinux -e `pwd`/sysroot/sys -r `pwd`/sysroot -q `pwd`/sysroot/etc/file_contexts `pwd`/sysroot
Can't stat exclude path "/home/plautrba/tmp/sysroot/dev", No such file or directory - ignoring.
Can't stat exclude path "/home/plautrba/tmp/sysroot/proc", No such file or directory - ignoring.
Can't stat exclude path "/home/plautrba/tmp/sysroot/selinux", No such file or directory - ignoring.
Can't stat exclude path "/home/plautrba/tmp/sysroot/sys", No such file or directory - ignoring.

$ ls -lZ sysroot/var/log/messages
-rw-rw-r--. 1 plautrba plautrba system_u:object_r:var_log_t:s0 0 Mar 20 09:16 sysroot/var/log/messages

or with -vv

$ setfiles -vv -F -e `pwd`/sysroot/dev -e `pwd`/sysroot/proc -e `pwd`/sysroot/selinux -e `pwd`/sysroot/sys -r `pwd`/sysroot `pwd`/sysroot/etc/file_contexts `pwd`/sysroot
Can't stat exclude path "/home/plautrba/tmp/sysroot/dev", No such file or directory - ignoring.
Can't stat exclude path "/home/plautrba/tmp/sysroot/proc", No such file or directory - ignoring.
Can't stat exclude path "/home/plautrba/tmp/sysroot/selinux", No such file or directory - ignoring.
Can't stat exclude path "/home/plautrba/tmp/sysroot/sys", No such file or directory - ignoring.
Relabeled /home/plautrba/tmp/sysroot from unconfined_u:object_r:user_tmp_t:s0 to system_u:object_r:default_t:s0
Relabeled /home/plautrba/tmp/sysroot/bin from unconfined_u:object_r:user_tmp_t:s0 to system_u:object_r:default_t:s0
Relabeled /home/plautrba/tmp/sysroot/bin/ls from unconfined_u:object_r:user_tmp_t:s0 to system_u:object_r:bin_t:s0
Relabeled /home/plautrba/tmp/sysroot/etc from unconfined_u:object_r:user_tmp_t:s0 to system_u:object_r:default_t:s0
Warning no default label for /etc/file_contexts
Relabeled /home/plautrba/tmp/sysroot/tmp from unconfined_u:object_r:user_tmp_t:s0 to system_u:object_r:default_t:s0
Warning no default label for /tmp/test
Relabeled /home/plautrba/tmp/sysroot/var from unconfined_u:object_r:user_tmp_t:s0 to system_u:object_r:default_t:s0
Relabeled /home/plautrba/tmp/sysroot/var/log from unconfined_u:object_r:user_tmp_t:s0 to system_u:object_r:var_t:s0
Relabeled /home/plautrba/tmp/sysroot/var/log/messages from unconfined_u:object_r:user_tmp_t:s0 to system_u:object_r:var_log_t:s0
filespec hash table stats: 8 elements, 8/65536 buckets used, longest chain length 1
(In reply to Petr Lautrbach from comment #2)
> The command itself seems to work as expected on a regular system, see
> below. I guess the problem is in the fact that there's no
> "security.selinux" attribute in the filesystem:
>
> libguestfs: trace: lgetxattr "/bin" "security.selinux"
> guestfsd: error: getxattr: No data available

I'm not really clear what that means. Does it mean we have to create the security.selinux attribute beforehand? Or has the name of the extended attribute changed? Or are xattrs no longer used to store selinux labels? Or do we need to use some mount options?
I should also note the exact same set of tests work fine with the older setfiles version.
I'm investigating it. The name of the attribute hasn't changed, and it shouldn't be necessary to create it beforehand, since libselinux should be able to set it even when it's not set yet.
It's a bug in libselinux. It can be reproduced in a system with SELinux disabled: # sestatus SELinux status: disabled # setfiles -F -e `pwd`/sysroot/dev -e `pwd`/sysroot/proc -e `pwd`/sysroot/selinux -e `pwd`/sysroot/sys -r `pwd`/sysroot -q `pwd`/sysroot/etc/file_contexts `pwd`/sysroot 13:36:48 Can't stat exclude path "/root/sysroot/dev", No such file or directory - ignoring. Can't stat exclude path "/root/sysroot/proc", No such file or directory - ignoring. Can't stat exclude path "/root/sysroot/selinux", No such file or directory - ignoring. Can't stat exclude path "/root/sysroot/sys", No such file or directory - ignoring. [1] 18233 segmentation fault (core dumped) setfiles -F -e `pwd`/sysroot/dev -e `pwd`/sysroot/proc -e -e -r -q The following patch should fix it: --- a/libselinux/src/selinux_restorecon.c +++ b/libselinux/src/selinux_restorecon.c @@ -663,7 +663,7 @@ static int restorecon_sb(const char *pathname, const struct stat *sb, curcon = NULL; } - if (strcmp(curcon, newcon) != 0) { + if (curcon == NULL || strcmp(curcon, newcon) != 0) { if (!flags->set_specctx && curcon && (is_context_customizable(curcon) > 0)) { if (flags->verbose) { A scratch build is available at https://koji.fedoraproject.org/koji/taskinfo?taskID=18488622
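Review bot: the `curcon == NULL ||` guard stops the strcmp() crash on a file that has no security.selinux xattr (the "curcon = NULL;" path in the context above), but the hunk carries no explanation of that case; the commit message should state that a missing label is treated as a mismatch so the file gets labelled rather than skipped. It is also worth checking that everything inside the `if` body that dereferences curcon tolerates NULL (the `curcon && (is_context_customizable(curcon) > 0)` test already does), since before this change a NULL curcon never reached that body: strcmp() crashed first.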
(In reply to Petr Lautrbach from comment #6)
> It's a bug in libselinux. It can be reproduced in a system with SELinux
> disabled:

Yes, I forgot to mention that the libguestfs appliance runs with SELinux disabled (internally to the appliance, still enabled on the host of course).

> A scratch build is available at
> https://koji.fedoraproject.org/koji/taskinfo?taskID=18488622

I'm afraid that I don't think this fixes the problem. It seems to fail in the same way as before. I don't think that setfiles was dumping core before.
What with everything being in a VM and needing a new RPM built every time, the compile-debug cycle is about 10 minutes.

The patch in comment 6 is needed, but it's not the whole story.

I finally found out what's going wrong. Any path under /sysroot is rejected by the function selinux_restorecon.c:check_excludes. I added some debugging to this function, and the list of excludes is peculiar:

static int check_excluded(const char *file)
{
	int i;

	fprintf (stderr, "check_excluded file=%s\n", file);
	for (i = 0; i < exclude_count; i++) {
		fprintf (stderr, "compare %s to %s\n", file, exclude_lst[i].directory);
	...

check_excluded file=/sysroot/
compare /sysroot/ to /
compare /sysroot/ to /proc
compare /sysroot/ to /sys
compare /sysroot/ to /run
compare /sysroot/ to /dev
compare /sysroot/ to /dev/pts
compare /sysroot/ to /sysroot   # this leads to the whole subdir being excluded

On the setfiles command line I specified:

-e /sysroot/dev -e /sysroot/proc -e /sysroot/selinux -e /sysroot/sys

which doesn't include any of the paths above. It seems to have excluded all mounted directories in the appliance.

It seems this is a new "feature" of setfiles, which you have to turn off using the "-m" flag on the command line. This was added by upstream commit:

commit f2e77865e144ab2e1313aa78d99b969f8f48695e
Author: Richard Haines <richard_c_haines>
Date:   Tue Jul 26 09:44:17 2016 +0100
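Worked example (added here; this is not libselinux, libguestfs or setfiles code, and it is not part of the bug report) modelling the two behaviours the thread pins down: comment 6's crash on a file with no security.selinux xattr, and comment 8's exclude list that silently swallows the whole relabel tree when /sysroot is itself a mount point. The exclude matching is a simplified reimplementation guessed from the debug output above (prefix match on a path-component boundary); the mount list, and the names build_excludes, is_excluded, needs_relabel, decide and APPLIANCE_MOUNTS, are assumptions made for the illustration. It goes slightly beyond the thread by also showing the boundary case ("/sysrootx" is not under "/sysroot").

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Assumed, illustrative model of selinux_restorecon's exclude handling.
 * Not the real libselinux code. */

#define MAX_EXCLUDES 32

struct exclude_entry {
    const char *directory;
    size_t size;
};

/* Constructed stand-in for the mount points of a libguestfs appliance,
 * taken from the "compare ... to ..." lines in comment 8; a real
 * implementation would read them from /proc/mounts. */
static const char *const APPLIANCE_MOUNTS[] = {
    "/", "/proc", "/sys", "/run", "/dev", "/dev/pts", "/sysroot"
};
#define N_APPLIANCE_MOUNTS (sizeof APPLIANCE_MOUNTS / sizeof APPLIANCE_MOUNTS[0])

/* Build the exclude list: the user's -e paths, plus every mounted
 * directory unless ignore_mounts is set (what setfiles -m selects).
 * Returns the number of entries written. */
size_t build_excludes(const char *const *user_excludes, size_t n_user,
                      int ignore_mounts,
                      struct exclude_entry *out, size_t cap)
{
    size_t n = 0, i;
    for (i = 0; i < n_user && n < cap; i++, n++) {
        out[n].directory = user_excludes[i];
        out[n].size = strlen(user_excludes[i]);
    }
    if (!ignore_mounts) {
        for (i = 0; i < N_APPLIANCE_MOUNTS && n < cap; i++, n++) {
            out[n].directory = APPLIANCE_MOUNTS[i];
            out[n].size = strlen(APPLIANCE_MOUNTS[i]);
        }
    }
    return n;
}

/* Prefix match on a path-component boundary: "/sysroot" excludes
 * "/sysroot", "/sysroot/" and "/sysroot/bin", but not "/sysrootx".
 * With "/sysroot" in the list, every path under the relabel root matches
 * here, which is why nothing was relabelled in the appliance. */
int is_excluded(const char *file, const struct exclude_entry *lst, size_t n)
{
    size_t i;
    for (i = 0; i < n; i++) {
        if (strncmp(file, lst[i].directory, lst[i].size) == 0 &&
            (file[lst[i].size] == '\0' || file[lst[i].size] == '/'))
            return 1;
    }
    return 0;
}

/* The comparison from comment 6: curcon is NULL when lgetxattr fails with
 * "No data available" (no security.selinux xattr yet).  The pre-fix code
 * called strcmp(curcon, newcon) unconditionally and segfaulted; a file
 * with no label must count as needing one. */
int needs_relabel(const char *curcon, const char *newcon)
{
    if (curcon == NULL)
        return 1;
    return strcmp(curcon, newcon) != 0;
}

/* What setfiles would do for one path: 0 = skipped (excluded),
 * 1 = relabel, 2 = already carries the right label. */
int decide(const char *file, const char *curcon, const char *newcon,
           const char *const *user_excludes, size_t n_user, int ignore_mounts)
{
    struct exclude_entry lst[MAX_EXCLUDES];
    size_t n = build_excludes(user_excludes, n_user, ignore_mounts,
                              lst, MAX_EXCLUDES);
    if (is_excluded(file, lst, n))
        return 0;
    return needs_relabel(curcon, newcon) ? 1 : 2;
}

int main(void)
{
    /* The -e list from the reporter's setfiles command line. */
    const char *const excl[] = {
        "/sysroot/dev", "/sysroot/proc", "/sysroot/selinux", "/sysroot/sys"
    };
    size_t n = sizeof excl / sizeof excl[0];
    const char *newcon = "system_u:object_r:bin_t:s0";

    printf("/sysroot/bin, no -m:      %d\n", decide("/sysroot/bin", NULL, newcon, excl, n, 0));
    printf("/sysroot/bin, with -m:    %d\n", decide("/sysroot/bin", NULL, newcon, excl, n, 1));
    printf("/sysroot/dev/null, -m:    %d\n", decide("/sysroot/dev/null", NULL, newcon, excl, n, 1));
    printf("/sysrootx, no -m:         %d\n", decide("/sysrootx", NULL, newcon, excl, n, 0));
    return 0;
}
```

Without -m the automatically added "/sysroot" entry matches the relabel root and every path below it, so decide() returns 0 for /sysroot/bin even though the user only excluded four subdirectories; with -m only the -e entries remain, /sysroot/bin is relabelled (return 1, the NULL-label case from comment 6) and /sysroot/dev/null is still skipped as intended.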
https://koji.fedoraproject.org/koji/taskinfo?taskID=18517231 libselinux-2.6-4.fc26
https://koji.fedoraproject.org/koji/taskinfo?taskID=18517229 libselinux-2.6-4.fc27
policycoreutils-2.6-5.fc26 libselinux-2.6-5.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-f21a1bffda
libselinux-2.6-5.fc26, policycoreutils-2.6-5.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-f21a1bffda
libselinux-2.6-5.fc26, policycoreutils-2.6-5.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.