customize: Add module for doing SELinux relabel of filesystem (RHBZ#554829, RHBZ#983969, RHBZ#1089100).

rwmjones · rwmjones · commit 8184857b6dbd · 2016-07-14T15:28:10.000+01:00
This implements the --selinux-relabel option for virt-customize,
virt-builder and virt-sysprep.  There is no need to autorelabel
functionality now.

Thanks: Stephen Smalley
diff --git a/builder/Makefile.am b/builder/Makefile.am
@@ -157,6 +157,7 @@ BOBJECTS = \
 	$(top_builddir)/customize/perl_edit.cmo \
 	$(top_builddir)/customize/crypt.cmo \
 	$(top_builddir)/customize/password.cmo \
+	$(top_builddir)/customize/SELinux_relabel.cmo \
 	$(top_builddir)/customize/ssh_key.cmo \
 	$(top_builddir)/customize/subscription_manager.cmo \
 	$(top_builddir)/customize/customize_cmdline.cmo \
diff --git a/builder/virt-builder.pod b/builder/virt-builder.pod
@@ -1756,20 +1756,19 @@ two possible strategies it can use to ensure correct labelling:
 
 =item Using I<--selinux-relabel>
 
-This runs L<fixfiles(8)> just before finalizing the guest, which sets
+This runs L<setfiles(8)> just before finalizing the guest, which sets
 SELinux labels correctly in the disk image.
 
-Sometimes fixfiles is not possible during installation, in which case
-this option falls back on:
+This is the recommended method.
 
-=item Touching F</.autorelabel>
+=item I<--touch> F</.autorelabel>
 
-Guest templates may already contain a file called F</.autorelabel>, or
-it is touched if I<--selinux-relabel> cannot run fixfiles.
+Guest templates may already contain a file called F</.autorelabel> or
+you may touch it.
 
-For guests that use SELinux, this causes fixfiles to run at first
-boot.  Guests will reboot themselves once the first time you use them,
-which is normal and harmless.
+For guests that use SELinux, this causes L<restorecon(8)> to run at
+first boot.  Guests will reboot themselves once the first time you use
+them, which is normal and harmless.
 
 =back
 
@@ -1884,7 +1883,6 @@ L<gpg(1)>,
 L<curl(1)>,
 L<virt-make-fs(1)>,
 L<genisoimage(1)>,
-L<fixfiles(8)>,
 L<http://libguestfs.org/>.
 
 =head1 AUTHOR
diff --git a/customize/Makefile.am b/customize/Makefile.am
@@ -43,6 +43,7 @@ SOURCES_MLI = \
 	password.mli \
 	perl_edit.mli \
 	random_seed.mli \
+	SELinux_relabel.mli \
 	ssh_key.mli \
 	subscription_manager.mli \
 	timezone.mli \
@@ -58,6 +59,7 @@ SOURCES_ML = \
 	password.ml \
 	perl_edit.ml \
 	random_seed.ml \
+	SELinux_relabel.ml \
 	ssh_key.ml \
 	subscription_manager.ml \
 	timezone.ml \
diff --git a/customize/SELinux_relabel.ml b/customize/SELinux_relabel.ml
@@ -0,0 +1,57 @@
+(* virt-customize
+ * Copyright (C) 2016 Red Hat Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *)
+
+open Common_gettext.Gettext
+open Common_utils
+
+open Printf
+
+module G = Guestfs
+
+let relabel (g : G.guestfs) =
+  (* Is the guest using SELinux? *)
+  if g#is_file ~followsymlinks:true "/usr/sbin/load_policy" &&
+     g#is_file ~followsymlinks:true "/etc/selinux/config" then (
+    (* Is setfiles / SELinux relabelling functionality available? *)
+    if g#feature_available [| "selinuxrelabel" |] then (
+      (* Use Augeas to parse /etc/selinux/config. *)
+      g#aug_init "/" (16+32) (* AUG_SAVE_NOOP | AUG_NO_LOAD *);
+      (* See: https://bugzilla.redhat.com/show_bug.cgi?id=975412#c0 *)
+      ignore (g#aug_rm "/augeas/load/*[\"/etc/selinux/config/\" !~ regexp('^') + glob(incl) + regexp('/.*')]");
+      g#aug_load ();
+      debug_augeas_errors g;
+
+      (* Get the SELinux policy name, eg. "targeted", "minimum". *)
+      let policy = g#aug_get "/files/etc/selinux/config/SELINUXTYPE" in
+      g#aug_close ();
+
+      (* Get the spec file name. *)
+      let specfile =
+        sprintf "/etc/selinux/%s/contexts/files/file_contexts" policy in
+
+      (* Relabel everything. *)
+      g#selinux_relabel ~force:true specfile "/";
+
+      (* If that worked, we don't need to autorelabel. *)
+      g#rm_f "/.autorelabel"
+    )
+    else (
+      (* SELinux guest, but not SELinux host.  Fallback to this. *)
+      g#touch "/.autorelabel"
+    )
+  )
diff --git a/customize/SELinux_relabel.mli b/customize/SELinux_relabel.mli
@@ -0,0 +1,29 @@
+(* virt-customize
+ * Copyright (C) 2016 Red Hat Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *)
+
+(** SELinux-relabel the filesystem. *)
+
+val relabel : Guestfs.guestfs -> unit
+(** Relabel the mounted guestfs filesystem using the current SELinux
+    policy that applies to the guest.
+
+    If the guest does not look like it uses SELinux, this does nothing.
+
+    In case relabelling is not possible (since it is an optional
+    feature which requires the setfiles(8) program), instead we
+    fall back to touching [/.autorelabel]. *)
diff --git a/customize/customize_run.ml b/customize/customize_run.ml
@@ -414,19 +414,7 @@ exec >>%s 2>&1
 
   if ops.flags.selinux_relabel then (
     message (f_"SELinux relabelling");
-    if guest_arch_compatible then (
-      let cmd = sprintf "
-        if load_policy && fixfiles restore; then
-          rm -f /.autorelabel
-        else
-          touch /.autorelabel
-          echo '%s: SELinux relabelling failed, will relabel at boot instead.'
-        fi
-      " prog in
-      do_run ~display:"load_policy && fixfiles restore" cmd
-    ) else (
-      g#touch "/.autorelabel"
-    )
+    SELinux_relabel.relabel g
   );
 
   (* Clean up the log file:
diff --git a/sysprep/Makefile.am b/sysprep/Makefile.am
@@ -125,6 +125,7 @@ BOBJECTS = \
 	$(top_builddir)/customize/timezone.cmo \
 	$(top_builddir)/customize/firstboot.cmo \
 	$(top_builddir)/customize/perl_edit.cmo \
+	$(top_builddir)/customize/SELinux_relabel.cmo \
 	$(top_builddir)/customize/ssh_key.cmo \
 	$(top_builddir)/customize/subscription_manager.cmo \
 	$(top_builddir)/customize/customize_cmdline.cmo \
