Bug 1554735 - RFE: customize --selinux-relabel should be the default, with --no-selinux-relabel used to opt out
Status: NEW
Alias: None
Product: Virtualization Tools
Classification: Community
Component: libguestfs
Version: unspecified
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Richard W.M. Jones
QA Contact: Fedora Extras Quality Assurance
Jiri Herrmann
 
Reported: 2018-03-13 09:11 UTC by Lee Yarwood
Modified: 2021-09-17 13:52 UTC

Doc Type: Known Issue
Doc Text:
.Using `virt-customize` sometimes causes `guestfs-firstboot` to fail

After modifying a virtual machine (VM) disk image using the `virt-customize` utility, the `guestfs-firstboot` service in some cases fails due to incorrect SELinux permissions. This causes a variety of problems during VM startup, such as failing user creation or system registration. To avoid this issue, add `--selinux-relabel` to the kernel command line of the VM after modifying its disk image with `virt-customize`.



Description Lee Yarwood 2018-03-13 09:11:29 UTC
Description of problem:
Using the --update switch results in the root account being inaccessible.

Version-Release number of selected component (if applicable):
libguestfs-tools-c-1.37.35-1.fc27.x86_64

How reproducible:
Always

Steps to Reproduce:
1. virt-builder -o /var/lib/libvirt/images/test.img --update --root-password password:redhat --size 10G fedora-26
2. virt-install --import --vcpus 6 --ram 1024 --disk format=raw,path=/var/lib/libvirt/images/test.img --network network=default,model=virtio --noautoconsole --nographics --name test
3. ssh -lroot $(virsh domifaddr test | grep ipv4 | awk '{ print $4 }' | sed -e 's/\/.*//g')

Actual results:
-- root: no shell: Permission denied

Expected results:
Able to log into root account.

Additional info:
Also reproducible when using SSH keys.

Comment 1 Richard W.M. Jones 2018-03-13 10:50:53 UTC
Does adding --selinux-relabel fix things?

Comment 2 Richard W.M. Jones 2018-03-13 10:54:19 UTC
There's also discussion of making that flag default to true unless
the user selects ‘--no-selinux-relabel’, which would make it less of
a common trap:
https://gb.redhat.com/archives/libguestfs/2018-February/msg00039.html

Comment 3 Lee Yarwood 2018-03-15 13:44:34 UTC
(In reply to Richard W.M. Jones from comment #1)
> Does adding --selinux-relabel fix things?

Yes, thanks!

(In reply to Richard W.M. Jones from comment #2)
> There's also discussion of making that flag default to true unless
> the user selects ‘--no-selinux-relabel’, which would make it less of
> a common trap:
> https://gb.redhat.com/archives/libguestfs/2018-February/msg00039.html

Cool, yes that would be useful. Feel free to close this bug out if you don't want to track that here.

Comment 4 Richard W.M. Jones 2018-03-15 14:52:24 UTC
Let's recycle this bug for this purpose.
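
A lint for the trap discussed in this bug, as an added example that is not libguestfs code and not part of the report: it lists `virt-builder` and `virt-customize` invocations in a build script that pass neither `--selinux-relabel` nor `--no-selinux-relabel`. The function names `check_relabel` and `write_sample`, the sample script and its paths are constructed for illustration, and requiring one of the two flags on every invocation is an assumed policy.

```shell
#!/bin/sh
# Added example (not libguestfs code): list virt-builder / virt-customize
# invocations that neither pass --selinux-relabel nor opt out explicitly.

# check_relabel FILE
# Prints "LINE: COMMAND" per offending invocation; returns 1 if any are found.
check_relabel() {
    awk '
    function check(cmd, n) {
        if (cmd ~ /^[ \t]*#/) return                       # comment line
        if (cmd !~ /(^|[ \t;&|(])virt-(builder|customize)([ \t]|$)/) return
        if (cmd ~ /(^|[ \t])--(no-)?selinux-relabel([ \t]|$)/) return
        gsub(/[ \t]+/, " ", cmd)                           # tidy for display
        printf "%d: %s\n", n, cmd
        bad = 1
    }
    {
        if (buf == "") start = NR                          # first physical line
        line = $0
        # A trailing backslash continues the command on the next line.
        if (sub(/\\$/, "", line)) { buf = buf line " "; next }
        check(buf line, start)
        buf = ""
    }
    END { if (buf != "") check(buf, start); exit (bad ? 1 : 0) }
    ' "$1"
}

# Constructed sample build script (not taken from the bug report).
write_sample() {
    cat > "$1" <<'EOF'
#!/bin/sh
virt-builder -o /tmp/a.img --update \
    --root-password password:example fedora-26
virt-builder -o /tmp/b.img --update --selinux-relabel fedora-26
# virt-customize -a /tmp/c.img --install vim
virt-customize -a /tmp/d.img --no-selinux-relabel --install vim
sudo virt-customize -a /tmp/e.img --run-command 'touch /etc/x'
EOF
}

sample=$(mktemp)
write_sample "$sample"
check_relabel "$sample" || echo "invocations above lack --selinux-relabel"
rm -f "$sample"
```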

