RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1828952 - virt-customize --selinux-relabel (and other tools) do not work if SELINUXTYPE != targeted
Summary: virt-customize --selinux-relabel (and other tools) do not work if SELINUXTYPE...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: libguestfs
Version: 8.1
Hardware: x86_64
OS: Linux
medium
high
Target Milestone: rc
: ---
Assignee: Richard W.M. Jones
QA Contact: YongkuiGuo
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2020-04-28 16:17 UTC by John Hobach
Modified: 2021-05-18 15:22 UTC (History)
7 users (show)

Fixed In Version: libguestfs-1.40.2-27.el8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-05-18 15:21:14 UTC
Type: ---
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)

Description John Hobach 2020-04-28 16:17:43 UTC 
User-Agent:       Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.113 Safari/537.36
Build Identifier: 

Conversion fails if SELINUX=disabled.  When disabled, virt-v2v still tries to find the directory related to the value in SELINUXTYPE.
Example: SELINUX=disabled, SELINUXTYPE=permissive.  Virt-v2v then looks for "/etc/selinux/permissive/contexts/files/file_contexts" and it does not exist.

Reproducible: Always

Steps to Reproduce:
1.create an OVA from Linux with selinux disabled (OVA from CentOS 8.1)
2.Run virt-v2v to convert the OVA to KVM
3.
Actual Results:  
libguestfs: trace: v2v: aug_ls "/files/etc/selinux/config"
guestfsd: => aug_get (0x13) took 0.00 secs
guestfsd: <= aug_ls (0x1c) request length 72 bytes
libguestfs: trace: v2v: aug_ls = ["/files/etc/selinux/config/#comment[10]", "/files/etc/selinux/config/#comment[1]", "/files/etc/selinux/config/#comment[2]", "/files/etc/selinux/config/#comment[3]", "/files/etc/selinux/config/#comment[4]", "/files/etc/selinux/config/#comment[5]", "/files/etc/selinux/config/#comment[6]", "/files/etc/selinux/config/#comment[7]", "/files/etc/selinux/config/#comment[8]", "/files/etc/selinux/config/#comment[9]", "/files/etc/selinux/config/SELINUX", "/files/etc/selinux/config/SELINUXTYPE"]
libguestfs: trace: v2v: aug_get "/files/etc/selinux/config/SELINUXTYPE"
guestfsd: => aug_ls (0x1c) took 0.00 secs
guestfsd: <= aug_get (0x13) request length 84 bytes
libguestfs: trace: v2v: aug_get = "permissive"
libguestfs: trace: v2v: aug_close
guestfsd: => aug_get (0x13) took 0.00 secs
guestfsd: <= aug_close (0x1a) request length 40 bytes
libguestfs: trace: v2v: aug_close = 0
libguestfs: trace: v2v: grep "vdagentd.\pid" "/etc/selinux/permissive/contexts/files/file_contexts" "fixed:true"
guestfsd: => aug_close (0x1a) took 0.01 secs
guestfsd: <= grep (0x97) request length 132 bytes
guestfsd: error: /etc/selinux/permissive/contexts/files/file_contexts: No such file or directory
guestfsd: => grep (0x97) took 0.00 secs
libguestfs: trace: v2v: grep = NULL (error)
virt-v2v: error: libguestfs error: grep:
/etc/selinux/permissive/contexts/files/file_contexts: No such file or
directory
rm -rf '/var/tmp/ova.msyiKT'

Expected Results:  
Should detect "disabled" and not check for information related to SELINUXTYPE.

In the log there are many "syntax error" above this problem.  It's not clear if this is another bug, normal, related.

[root@cl04srv01 backups]# virt-v2v -V
virt-v2v 1.38.4rhel=8,release=14.module_el8.1.0+248+298dec18,libvirt

I didn't know if libvirt was the component since virt-v2v was not listed.

All of our esxi VMs we are migrating are SELINUX=disabled so this has a major impact.
Comment 1 Jaroslav Suchanek 2020-05-05 14:35:28 UTC 
Rich, can you please have a look. Thanks.
Comment 2 Richard W.M. Jones 2020-05-05 15:41:14 UTC 
The actual problem is when SELINUXTYPE != targeted.  We're looking for
a directory /etc/selinux/<SELINUXTYPE>/... which does not exist.

An easy way to reproduce this is to take a guest and edit /etc/selinux/config,
setting SELINUXTYPE to anything except targeted, eg:

SELINUX=enforcing
SELINUXTYPE=foobar

Then run virt-customize --selinux-relabel:

$ virt-customize --selinux-relabel -a fedora-30.img 
[   0.0] Examining the guest ...
[   6.0] Setting a random seed
[   6.1] SELinux relabelling
virt-customize: error: libguestfs error: grep: 
/etc/selinux/foobar/contexts/files/file_contexts: No such file or directory

Simple patch coming shortly.
Comment 3 Richard W.M. Jones 2020-05-05 15:44:51 UTC 
https://www.redhat.com/archives/libguestfs/2020-May/msg00020.html
https://www.redhat.com/archives/libguestfs/2020-May/msg00021.html
Comment 4 Pino Toscano 2020-05-18 09:39:58 UTC 
(In reply to Richard W.M. Jones from comment #2)
> The actual problem is when SELINUXTYPE != targeted.  We're looking for
> a directory /etc/selinux/<SELINUXTYPE>/... which does not exist.
> 
> An easy way to reproduce this is to take a guest and edit
> /etc/selinux/config,
> setting SELINUXTYPE to anything except targeted, eg:
> 
> SELINUX=enforcing
> SELINUXTYPE=foobar

Most probably this setup will create issues in the guest, as SELinux is configured to enforce a policy that does not exist.

As I wrote in a reply to the patch sent for this issue [1], we rather need to look at SELINUX first, and peform a relabel only when enforcing.
Therefore I think the initial subject (mentioning "SELINUX=disabled" instead of "SELINUXTYPE != targeted") was correct.

[1] https://www.redhat.com/archives/libguestfs/2020-May/msg00035.html
Comment 9 Pino Toscano 2020-09-23 15:58:19 UTC 
My take on this:
https://www.redhat.com/archives/libguestfs/2020-September/msg00180.html
Comment 11 Ben Carbery 2020-11-04 06:45:23 UTC 
Is there any available workaround for this problem?
Comment 12 Ben Carbery 2020-11-04 08:12:48 UTC 
Simpler than I thought. In my case the error was the 'targeted' policy files not being found. Since selinux was disabled, the package was not needed and not installed.

The /etc/selinux/config was simply:

    SELINUX=disabled

Restarting the guest and installing the targeted policy before converting was a valid workaround, e.g.:

    yum install selinux-policy-targeted-3.13.1-266.el7


In response to Pino's proposed fix..

> we rather need to look at SELINUX first, and peform a relabel only when enforcing.

.. it seems to me that this package shouldn't be be expected if selinux is disabled, since in this case selinux is unlikely to be used. But I would think it is required for either the enforcing OR permissive case since this is more of a runtime state that requires the policy package.
Comment 15 Richard W.M. Jones 2020-12-01 12:32:23 UTC 
Fixed upstream in:
https://github.com/libguestfs/libguestfs-common/commit/3493d9fcaab6de1c09528e55a01bc24f0fb6c03c
https://github.com/libguestfs/libguestfs-common/commit/101dac2eac8c61f0081c343b5d69cfa4efbc2a98
Comment 18 YongkuiGuo 2021-01-06 07:00:55 UTC 
Verified with package:
libguestfs-1.40.2-27.module+el8.4.0+9282+0bdec052.x86_64

Steps:

1.Prepare a rhel8.3 guest image and modify /etc/selinux/config file as follows:
SELINUX=enforcing
SELINUXTYPE=foobar

2.
$ virt-customize -v -x --selinux-relabel -a RHEL-Server-8.3.0-64-hvm.raw
[   0.0] Examining the guest ...
[   5.6] Setting a random seed
[   5.6] SELinux relabelling
...
libguestfs: trace: aug_get = "foobar"
libguestfs: trace: aug_close
guestfsd: <= aug_close (0x1a) request length 40 bytes
libguestfs: trace: aug_close = 0ok 0.01 secs
libguestfs: trace: is_file "/etc/selinux/foobar/contexts/files/file_contexts" "followsymlinks:true"
guestfsd: <= is_file (0x25) request length 96 bytes
chroot: /sysroot: running 'is_file: /etc/selinux/foobar/contexts/files/file_contexts'
guestfsd: => is_file (0x25) took 0.00 secs
libguestfs: trace: is_file = 0
libguestfs: trace: touch "/.autorelabel"
...
[   6.2] Finishing off

No error like this '/etc/selinux/foobar/contexts/files/file_contexts: No such file or directory'.
Comment 20 errata-xmlrpc 2021-05-18 15:21:14 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: virt:rhel and virt-devel:rhel security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:1762
Note You need to log in before you can comment on or make changes to this bug.