From 5792f2e95bcddf476f2fe37e0bc4d97bd881d8fa Mon Sep 17 00:00:00 2001

From: Laszlo Ersek <lersek@redhat.com>

Date: Tue, 10 May 2022 12:50:46 +0200

Subject: [PATCH] adopt inversion of SELinux relabeling in virt-customize

Remove "--selinux-relabel" options.

Do not add any "--no-selinux-relabel" options; rely on the internal check

for SELinux support instead ("is_selinux_guest" in

"common/mlcustomize/SELinux_relabel.ml").

"--no-selinux-relabel" becomes a real option for virt-sysprep now.

(Again?)

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1554735

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2075718

Signed-off-by: Laszlo Ersek <lersek@redhat.com>

Message-Id: <20220510105046.15167-1-lersek@redhat.com>

Acked-by: Richard W.M. Jones <rjones@redhat.com>

[lersek@redhat.com: incorporate common submodule update]

(cherry picked from commit 19de3d1c8d4efb53565dbffe532d41ee9d25a832)

---

 builder/templates/make-template.ml |  8 +-------

 builder/virt-builder.pod           | 20 ++++----------------

 common                             |  2 +-

 customize/customize_run.ml         |  2 +-

 customize/test-settings.sh         |  3 ---

 sysprep/main.ml                    |  2 --

 sysprep/test-virt-sysprep-docs.sh  |  2 +-

 7 files changed, 8 insertions(+), 31 deletions(-)

diff --git a/builder/templates/make-template.ml b/builder/templates/make-template.ml

index 6786fec19..b40789284 100755

--- a/builder/templates/make-template.ml

+++ b/builder/templates/make-template.ml

@@ -256,8 +256,7 @@ let rec main () =

     printf "Sysprepping ...\n%!";

     let cmd =

       sprintf "virt-sysprep --quiet -a %s%s"

-              (quote tmpout)

-              (if is_selinux_os os then " --selinux-relabel" else "") in

+              (quote tmpout) in

     if Sys.command cmd <> 0 then exit 1

   );

@@ -480,11 +479,6 @@ and can_sysprep_os = function

   | Debian _ | Ubuntu _ -> true

   | FreeBSD _ | Windows _ -> false

-and is_selinux_os = function

-  | RHEL _ | Alma _ | CentOS _ | CentOSStream _ | Fedora _ -> true

-  | Debian _ | Ubuntu _

-  | FreeBSD _ | Windows _ -> false

-

 and needs_uefi os arch =

   match os, arch with

   | Fedora _, Armv7

diff --git a/builder/virt-builder.pod b/builder/virt-builder.pod

index f7dd6cdad..aeb505296 100644

--- a/builder/virt-builder.pod

+++ b/builder/virt-builder.pod

@@ -131,12 +131,6 @@ To update the installed packages to the latest version:

  virt-builder debian-7 --update

-For guests which use SELinux, like Fedora and Red Hat Enterprise

-Linux, you may need to do SELinux relabelling after installing or

-updating packages (see L</SELINUX> below):

-

- virt-builder fedora-27 --update --selinux-relabel

-

 =head2 Customizing the installation

 There are many options that let you customize the installation.  These

@@ -972,7 +966,7 @@ command line.

 =item *

-SELinux relabelling is done (I<--selinux-relabel>).

+SELinux relabelling is done unless disabled with I<--no-selinux-relabel>.

 =back

@@ -1072,8 +1066,7 @@ A typical virt-builder command would be:

    --install puppet \

    --append-line '/etc/puppet/puppet.conf:[agent]' \

    --append-line '/etc/puppet/puppet.conf:server = puppetmaster.example.com/' \

-   --run-command 'systemctl enable puppet' \

-   --selinux-relabel

+   --run-command 'systemctl enable puppet'

 The precise instructions vary according to the Linux distro.  For

 further information see:

@@ -1753,14 +1746,14 @@ two possible strategies it can use to ensure correct labelling:

 =over 4

-=item Using I<--selinux-relabel>

+=item Automatic relabeling

 This runs L<setfiles(8)> just before finalizing the guest, which sets

 SELinux labels correctly in the disk image.

 This is the recommended method.

-=item I<--touch> F</.autorelabel>

+=item Using I<--no-selinux-relabel> I<--touch> F</.autorelabel>

 Guest templates may already contain a file called F</.autorelabel> or

 you may touch it.

@@ -1771,11 +1764,6 @@ them, which is normal and harmless.

 =back

-Please note that if your guest uses SELinux, and you are doing operations

-on it which might create new files or change existing ones, you are

-recommended to use I<--selinux-relabel>.  This will help in making sure

-that files have the right SELinux labels.

-

 =head1 MACHINE READABLE OUTPUT

 The I<--machine-readable> option can be used to make the output more

Submodule common 0a231b3e6..48527b876:

diff --git a/common/mlcustomize/customize-options.pod b/common/mlcustomize/customize-options.pod

index 71b545d..a83c80a 100644

--- a/common/mlcustomize/customize-options.pod

+++ b/common/mlcustomize/customize-options.pod

@@ -206,6 +206,19 @@ the image was built, use this option.

 See also: L</LOG FILE>.

+=item B<--no-selinux-relabel>

+

+Do not attempt to correct the SELinux labels of files in the guest.

+

+In such guests that support SELinux, customization automatically

+relabels files so that they have the correct SELinux label.  (The

+relabeling is performed immediately, but if the operation fails,

+customization will instead touch F</.autorelabel> on the image to

+schedule a relabel operation for the next time the image boots.)  This

+option disables the automatic relabeling.

+

+The option is a no-op for guests that do not support SELinux.

+

 =item B<--password> USER:SELECTOR

 Set the password for C<USER>.  (Note this option does I<not>

@@ -297,16 +310,6 @@ It cannot delete directories, only regular files.

 =back

-=item B<--selinux-relabel>

-

-Relabel files in the guest so that they have the correct SELinux label.

-

-This will attempt to relabel files immediately, but if the operation fails

-this will instead touch F</.autorelabel> on the image to schedule a

-relabel operation for the next time the image boots.

-

-You should only use this option for guests which support SELinux.

-

 =item B<--sm-attach> SELECTOR

 Attach to a pool using C<subscription-manager>.

diff --git a/common/mlcustomize/customize-synopsis.pod b/common/mlcustomize/customize-synopsis.pod

index 5f18540..2520853 100644

--- a/common/mlcustomize/customize-synopsis.pod

+++ b/common/mlcustomize/customize-synopsis.pod

@@ -12,5 +12,5 @@

     [--truncate-recursive PATH] [--timezone TIMEZONE] [--touch FILE]

     [--uninstall PKG,PKG..] [--update] [--upload FILE:DEST]

     [--write FILE:CONTENT] [--no-logfile]

-    [--password-crypto md5|sha256|sha512] [--selinux-relabel]

+    [--password-crypto md5|sha256|sha512] [--no-selinux-relabel]

     [--sm-credentials SELECTOR]

diff --git a/common/mlcustomize/customize_cmdline.ml b/common/mlcustomize/customize_cmdline.ml

index 9326baa..5d404e8 100644

--- a/common/mlcustomize/customize_cmdline.ml

+++ b/common/mlcustomize/customize_cmdline.ml

@@ -109,8 +109,8 @@ and flags = {

       (* --no-logfile *)

   password_crypto : Password.password_crypto option;

       (* --password-crypto md5|sha256|sha512 *)

-  selinux_relabel : bool;

-      (* --selinux-relabel *)

+  no_selinux_relabel : bool;

+      (* --no-selinux-relabel *)

   sm_credentials : Subscription_manager.sm_credentials option;

       (* --sm-credentials SELECTOR *)

 }

@@ -121,7 +121,7 @@ let rec argspec () =

   let ops = ref [] in

   let scrub_logfile = ref false in

   let password_crypto = ref None in

-  let selinux_relabel = ref false in

+  let no_selinux_relabel = ref false in

   let sm_credentials = ref None in

   let rec get_ops () = {

@@ -131,7 +131,7 @@ let rec argspec () =

   and get_flags () = {

     scrub_logfile = !scrub_logfile;

     password_crypto = !password_crypto;

-    selinux_relabel = !selinux_relabel;

+    no_selinux_relabel = !no_selinux_relabel;

     sm_credentials = !sm_credentials;

   }

   in

@@ -459,11 +459,11 @@ let rec argspec () =

     ),

     Some "md5|sha256|sha512", "When the virt tools change or set a password in the guest, this\noption sets the password encryption of that password to\nC<md5>, C<sha256> or C<sha512>.\n\nC<sha256> and C<sha512> require glibc E<ge> 2.7 (check crypt(3) inside\nthe guest).\n\nC<md5> will work with relatively old Linux guests (eg. RHEL 3), but\nis not secure against modern attacks.\n\nThe default is C<sha512> unless libguestfs detects an old guest that\ndidn't have support for SHA-512, in which case it will use C<md5>.\nYou can override libguestfs by specifying this option.\n\nNote this does not change the default password encryption used\nby the guest when you create new user accounts inside the guest.\nIf you want to do that, then you should use the I<--edit> option\nto modify C</etc/sysconfig/authconfig> (Fedora, RHEL) or\nC</etc/pam.d/common-password> (Debian, Ubuntu).";

     (

-      [ L"selinux-relabel" ],

-      Getopt.Set selinux_relabel,

-      s_"Relabel files with correct SELinux labels"

+      [ L"no-selinux-relabel" ],

+      Getopt.Set no_selinux_relabel,

+      s_"Do not relabel files with correct SELinux labels"

     ),

-    None, "Relabel files in the guest so that they have the correct SELinux label.\n\nThis will attempt to relabel files immediately, but if the operation fails\nthis will instead touch F</.autorelabel> on the image to schedule a\nrelabel operation for the next time the image boots.\n\nYou should only use this option for guests which support SELinux.";

+    None, "Do not attempt to correct the SELinux labels of files in the guest.\n\nIn such guests that support SELinux, customization automatically\nrelabels files so that they have the correct SELinux label.  (The\nrelabeling is performed immediately, but if the operation fails,\ncustomization will instead touch F</.autorelabel> on the image to\nschedule a relabel operation for the next time the image boots.)  This\noption disables the automatic relabeling.\n\nThe option is a no-op for guests that do not support SELinux.";

     (

       [ L"sm-credentials" ],

       Getopt.String (

diff --git a/common/mlcustomize/customize_cmdline.mli b/common/mlcustomize/customize_cmdline.mli

index 14eda49..7ee882a 100644

--- a/common/mlcustomize/customize_cmdline.mli

+++ b/common/mlcustomize/customize_cmdline.mli

@@ -101,8 +101,8 @@ and flags = {

       (* --no-logfile *)

   password_crypto : Password.password_crypto option;

       (* --password-crypto md5|sha256|sha512 *)

-  selinux_relabel : bool;

-      (* --selinux-relabel *)

+  no_selinux_relabel : bool;

+      (* --no-selinux-relabel *)

   sm_credentials : Subscription_manager.sm_credentials option;

       (* --sm-credentials SELECTOR *)

 }

diff --git a/common/mlcustomize/test-firstboot.sh b/common/mlcustomize/test-firstboot.sh

index b906997..24c67f3 100755

--- a/common/mlcustomize/test-firstboot.sh

+++ b/common/mlcustomize/test-firstboot.sh

@@ -61,9 +61,6 @@ case "$guestname" in

         extra[${#extra[*]}]='/etc/inittab:

                                 s,^#([1-9].*respawn.*/sbin/getty.*),$1,'

         ;;

-    fedora*|rhel*|centos*)

-        extra[${#extra[*]}]='--selinux-relabel'

-        ;;

     *)

         ;;

 esac

diff --git a/common/mlcustomize/test-selinuxrelabel.sh b/common/mlcustomize/test-selinuxrelabel.sh

index 86278c6..caf7521 100755

--- a/common/mlcustomize/test-selinuxrelabel.sh

+++ b/common/mlcustomize/test-selinuxrelabel.sh

@@ -41,13 +41,12 @@ virt-builder "$guestname" --quiet -o "$disk"

 # Test #1: relabel with the default configuration works.

 rm -f  "$disk_overlay"

 guestfish -- disk-create "$disk_overlay" qcow2 -1 backingfile:"$disk"

-virt-customize -a "$disk" --selinux-relabel

+virt-customize -a "$disk"

 # Test #2: relabel with no SELINUXTYPE in the configuration.

 rm -f  "$disk_overlay"

 guestfish -- disk-create "$disk_overlay" qcow2 -1 backingfile:"$disk"

 virt-customize -a "$disk" \

-  --edit /etc/selinux/config:"s,^SELINUXTYPE=,#&,g" \

-  --selinux-relabel

+  --edit /etc/selinux/config:"s,^SELINUXTYPE=,#&,g"

 rm "$disk" "$disk_overlay"

diff --git a/common/options/uri.c b/common/options/uri.c

index 6b696fc..84d393c 100644

--- a/common/options/uri.c

+++ b/common/options/uri.c

@@ -135,7 +135,7 @@ parse (const char *arg, char **path_ret, char **protocol_ret,

   socket = query_get (uri, "socket");

   if (uri->server && STRNEQ (uri->server, "") && socket) {

-    fprintf (stderr, _("%s: %s: cannot both a server name and a socket query parameter\n"),

+    fprintf (stderr, _("%s: %s: cannot have both a server name and a socket query parameter\n"),

              getprogname (), arg);

     return -1;

   }

@@ -347,6 +347,7 @@ make_server (xmlURIPtr uri, const char *socket, char ***ret)

   *ret = malloc (sizeof (char *) * 2);

   if (*ret == NULL) {

     perror ("malloc");

+    free (server);

     return -1;

   }

   (*ret)[0] = server;

diff --git a/customize/customize_run.ml b/customize/customize_run.ml

index f2ee20413..99b5fe14d 100644

--- a/customize/customize_run.ml

+++ b/customize/customize_run.ml

@@ -415,7 +415,7 @@ let run (g : G.guestfs) root (ops : ops) =

       warning (f_"passwords could not be set for this type of guest")

   );

-  if ops.flags.selinux_relabel then (

+  if not ops.flags.no_selinux_relabel then (

     message (f_"SELinux relabelling");

     SELinux_relabel.relabel g

   );

diff --git a/customize/test-settings.sh b/customize/test-settings.sh

index ed4c90f2e..e8b492dd1 100755

--- a/customize/test-settings.sh

+++ b/customize/test-settings.sh

@@ -61,9 +61,6 @@ case "$guestname" in

         extra[${#extra[*]}]='/etc/inittab:

                                 s,^#([1-9].*respawn.*/sbin/getty.*),$1,'

         ;;

-    fedora*|rhel*|centos*)

-        extra[${#extra[*]}]='--selinux-relabel'

-        ;;

     *)

         ;;

 esac

diff --git a/sysprep/main.ml b/sysprep/main.ml

index 087d1a17f..b760618ad 100644

--- a/sysprep/main.ml

+++ b/sysprep/main.ml

@@ -132,8 +132,6 @@ let main () =

       [ L"mount-options" ], Getopt.Set_string (s_"opts", mount_opts),  s_"Set mount options (eg /:noatime;/var:rw,noatime)";

       [ L"network" ], Getopt.Set network,           s_"Enable appliance network";

       [ L"no-network" ], Getopt.Clear network,      s_"Disable appliance network (default)";

-      [ L"no-selinux-relabel" ], Getopt.Unit (fun () -> ()),

-                                              s_"Compatibility option, does nothing";

       [ L"operation"; L"operations" ],  Getopt.String (s_"operations", set_operations), s_"Enable/disable specific operations";

     ] in

     let args = basic_args @ Sysprep_operation.extra_args () in

diff --git a/sysprep/test-virt-sysprep-docs.sh b/sysprep/test-virt-sysprep-docs.sh

index 51500b5e9..9d0298d68 100755

--- a/sysprep/test-virt-sysprep-docs.sh

+++ b/sysprep/test-virt-sysprep-docs.sh

@@ -25,4 +25,4 @@ $top_srcdir/podcheck.pl "$srcdir/virt-sysprep.pod" virt-sysprep \

     --path $top_srcdir/common/options \

     --insert sysprep-extra-options.pod:__EXTRA_OPTIONS__ \

     --insert sysprep-operations.pod:__OPERATIONS__ \

-    --ignore=--dryrun,--dump-pod,--dump-pod-options,--no-selinux-relabel

+    --ignore=--dryrun,--dump-pod,--dump-pod-options

-- 

2.31.1