Bug 1828952 - virt-customize --selinux-relabel (and other tools) do not work if SELINUXTYPE != targeted
Summary: virt-customize --selinux-relabel (and other tools) do not work if SELINUXTYPE...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: libguestfs
Version: 8.1
Hardware: x86_64
OS: Linux
medium
high
Target Milestone: rc
: ---
Assignee: Richard W.M. Jones
QA Contact: YongkuiGuo
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2020-04-28 16:17 UTC by John Hobach
Modified: 2021-05-18 15:22 UTC (History)
7 users (show)

Fixed In Version: libguestfs-1.40.2-27.el8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-05-18 15:21:14 UTC
Type: ---
Target Upstream Version:


Attachments (Terms of Use)

Description John Hobach 2020-04-28 16:17:43 UTC
User-Agent:       Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.113 Safari/537.36
Build Identifier: 

Conversion fails if SELINUX=disabled.  When disabled, virt-v2v still tries to find the directory related to the value in SELINUXTYPE.
Example: SELINUX=disabled, SELINUXTYPE=permissive.  Virt-v2v then looks for "/etc/selinux/permissive/contexts/files/file_contexts" and it does not exist.

Reproducible: Always

Steps to Reproduce:
1.create an OVA from Linux with selinux disabled (OVA from CentOS 8.1)
2.Run virt-v2v to convert the OVA to KVM
3.
Actual Results:  
libguestfs: trace: v2v: aug_ls "/files/etc/selinux/config"
guestfsd: => aug_get (0x13) took 0.00 secs
guestfsd: <= aug_ls (0x1c) request length 72 bytes
libguestfs: trace: v2v: aug_ls = ["/files/etc/selinux/config/#comment[10]", "/files/etc/selinux/config/#comment[1]", "/files/etc/selinux/config/#comment[2]", "/files/etc/selinux/config/#comment[3]", "/files/etc/selinux/config/#comment[4]", "/files/etc/selinux/config/#comment[5]", "/files/etc/selinux/config/#comment[6]", "/files/etc/selinux/config/#comment[7]", "/files/etc/selinux/config/#comment[8]", "/files/etc/selinux/config/#comment[9]", "/files/etc/selinux/config/SELINUX", "/files/etc/selinux/config/SELINUXTYPE"]
libguestfs: trace: v2v: aug_get "/files/etc/selinux/config/SELINUXTYPE"
guestfsd: => aug_ls (0x1c) took 0.00 secs
guestfsd: <= aug_get (0x13) request length 84 bytes
libguestfs: trace: v2v: aug_get = "permissive"
libguestfs: trace: v2v: aug_close
guestfsd: => aug_get (0x13) took 0.00 secs
guestfsd: <= aug_close (0x1a) request length 40 bytes
libguestfs: trace: v2v: aug_close = 0
libguestfs: trace: v2v: grep "vdagentd.\pid" "/etc/selinux/permissive/contexts/files/file_contexts" "fixed:true"
guestfsd: => aug_close (0x1a) took 0.01 secs
guestfsd: <= grep (0x97) request length 132 bytes
guestfsd: error: /etc/selinux/permissive/contexts/files/file_contexts: No such file or directory
guestfsd: => grep (0x97) took 0.00 secs
libguestfs: trace: v2v: grep = NULL (error)
virt-v2v: error: libguestfs error: grep:
/etc/selinux/permissive/contexts/files/file_contexts: No such file or
directory
rm -rf '/var/tmp/ova.msyiKT'

Expected Results:  
Should detect "disabled" and not check for information related to SELINUXTYPE.

In the log there are many "syntax error" above this problem.  It's not clear if this is another bug, normal, related.

[root@cl04srv01 backups]# virt-v2v -V
virt-v2v 1.38.4rhel=8,release=14.module_el8.1.0+248+298dec18,libvirt

I didn't know if libvirt was the component since virt-v2v was not listed.

All of our esxi VMs we are migrating are SELINUX=disabled so this has a major impact.

Comment 1 Jaroslav Suchanek 2020-05-05 14:35:28 UTC
Rich, can you please have a look. Thanks.

Comment 2 Richard W.M. Jones 2020-05-05 15:41:14 UTC
The actual problem is when SELINUXTYPE != targeted.  We're looking for
a directory /etc/selinux/<SELINUXTYPE>/... which does not exist.

An easy way to reproduce this is to take a guest and edit /etc/selinux/config,
setting SELINUXTYPE to anything except targeted, eg:

SELINUX=enforcing
SELINUXTYPE=foobar

Then run virt-customize --selinux-relabel:

$ virt-customize --selinux-relabel -a fedora-30.img 
[   0.0] Examining the guest ...
[   6.0] Setting a random seed
[   6.1] SELinux relabelling
virt-customize: error: libguestfs error: grep: 
/etc/selinux/foobar/contexts/files/file_contexts: No such file or directory

Simple patch coming shortly.

Comment 4 Pino Toscano 2020-05-18 09:39:58 UTC
(In reply to Richard W.M. Jones from comment #2)
> The actual problem is when SELINUXTYPE != targeted.  We're looking for
> a directory /etc/selinux/<SELINUXTYPE>/... which does not exist.
> 
> An easy way to reproduce this is to take a guest and edit
> /etc/selinux/config,
> setting SELINUXTYPE to anything except targeted, eg:
> 
> SELINUX=enforcing
> SELINUXTYPE=foobar

Most probably this setup will create issues in the guest, as SELinux is configured to enforce a policy that does not exist.

As I wrote in a reply to the patch sent for this issue [1], we rather need to look at SELINUX first, and peform a relabel only when enforcing.
Therefore I think the initial subject (mentioning "SELINUX=disabled" instead of "SELINUXTYPE != targeted") was correct.

[1] https://www.redhat.com/archives/libguestfs/2020-May/msg00035.html

Comment 9 Pino Toscano 2020-09-23 15:58:19 UTC
My take on this:
https://www.redhat.com/archives/libguestfs/2020-September/msg00180.html

Comment 11 Ben Carbery 2020-11-04 06:45:23 UTC
Is there any available workaround for this problem?

Comment 12 Ben Carbery 2020-11-04 08:12:48 UTC
Simpler than I thought. In my case the error was the 'targeted' policy files not being found. Since selinux was disabled, the package was not needed and not installed.

The /etc/selinux/config was simply:

    SELINUX=disabled

Restarting the guest and installing the targeted policy before converting was a valid workaround, e.g.:

    yum install selinux-policy-targeted-3.13.1-266.el7


In response to Pino's proposed fix..

> we rather need to look at SELINUX first, and peform a relabel only when enforcing.

.. it seems to me that this package shouldn't be be expected if selinux is disabled, since in this case selinux is unlikely to be used. But I would think it is required for either the enforcing OR permissive case since this is more of a runtime state that requires the policy package.

Comment 18 YongkuiGuo 2021-01-06 07:00:55 UTC
Verified with package:
libguestfs-1.40.2-27.module+el8.4.0+9282+0bdec052.x86_64

Steps:

1.Prepare a rhel8.3 guest image and modify /etc/selinux/config file as follows:
SELINUX=enforcing
SELINUXTYPE=foobar

2.
$ virt-customize -v -x --selinux-relabel -a RHEL-Server-8.3.0-64-hvm.raw
[   0.0] Examining the guest ...
[   5.6] Setting a random seed
[   5.6] SELinux relabelling
...
libguestfs: trace: aug_get = "foobar"
libguestfs: trace: aug_close
guestfsd: <= aug_close (0x1a) request length 40 bytes
libguestfs: trace: aug_close = 0ok 0.01 secs
libguestfs: trace: is_file "/etc/selinux/foobar/contexts/files/file_contexts" "followsymlinks:true"
guestfsd: <= is_file (0x25) request length 96 bytes
chroot: /sysroot: running 'is_file: /etc/selinux/foobar/contexts/files/file_contexts'
guestfsd: => is_file (0x25) took 0.00 secs
libguestfs: trace: is_file = 0
libguestfs: trace: touch "/.autorelabel"
...
[   6.2] Finishing off

No error like this '/etc/selinux/foobar/contexts/files/file_contexts: No such file or directory'.

Comment 20 errata-xmlrpc 2021-05-18 15:21:14 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: virt:rhel and virt-devel:rhel security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:1762


Note You need to log in before you can comment on or make changes to this bug.