mirrors/libguestfs
1
0
Fork 0
mirror of https://github.com/libguestfs/libguestfs.git synced 2026-03-21 22:53:37 +00:00
Code Issues Packages Projects Releases Wiki Activity

daemon: Deprecate guestfs_selinux_relabel, replace with guestfs_setfiles

Browse Source 
The guestfs_selinux_relabel function was very hard to use.  In
particular it didn't just do an SELinux relabel as you might expect.
Instead you have to write a whole bunch of code around it (example[1])
to make it useful.

Another problem is that it doesn't let you pass multiple paths to the
setfiles command, but the command itself does permit that (and, as it
turns out, will require it).  There is no backwards compatible way to
extend the existing definition to allow a list parameter without
breaking API.

So deprecate guestfs_selinux_relabel.  Reimplement it as
guestfs_setfiles.  The new function is basically the same as the old
one, but allows you to pass a list of paths.  The old function calls
the new function with a single path parameter.

[1] https://github.com/libguestfs/libguestfs-common/blob/master/mlcustomize/SELinux_relabel.ml
This commit is contained in:
Richard W.M. Jones
2025-08-12 13:27:32 +01:00
committed by rwmjones
parent e4d9ee3fbc
commit 1c0b56158a
7 changed files with 108 additions and 71 deletions
Download Patch File Download Diff File Expand all files Collapse all files

49
generator/actions_core.ml
View File

@@ -9356,29 +9356,6 @@ Show all the devices where the filesystems in C<device> is spanned over.
If not all the devices for the filesystems are present, then this function
fails and the C<errno> is set to C<ENODEV>." };
{ defaults with
name = "selinux_relabel"; added = (1, 33, 43);
style = RErr, [String (PlainString, "specfile"); String (Pathname, "path")], [OBool "force"];
impl = OCaml "Selinux.selinux_relabel";
optional = Some "selinuxrelabel";
test_excuse = "tests are in the tests/relabel directory";
shortdesc = "relabel parts of the filesystem";
longdesc = "\
SELinux relabel parts of the filesystem.
The C<specfile> parameter controls the policy spec file used.
You have to parse C</etc/selinux/config> to find the correct
SELinux policy and then pass the spec file, usually:
C</etc/selinux/> + I<selinuxtype> + C</contexts/files/file_contexts>.
The required C<path> parameter is the top level directory where
relabelling starts. Normally you should pass C<path> as C</>
to relabel the whole guest filesystem.
The optional C<force> boolean controls whether the context
is reset for customizable files, and also whether the
user, role and range parts of the file context is changed." };
{ defaults with
name = "mksquashfs"; added = (1, 35, 25);
style = RErr, [String (Pathname, "path"); String (FileOut, "filename")], [OString "compress"; OStringList "excludes"];
@@ -9820,4 +9797,30 @@ them visible.
Use C<guestfs_list_dm_devices> to list all device mapper devices." };
{ defaults with
name = "setfiles"; added = (1, 57, 1);
style = RErr, [String (PlainString, "specfile"); StringList (Pathname, "paths")], [OBool "force"];
impl = OCaml "Selinux.setfiles";
optional = Some "selinuxrelabel";
test_excuse = "tests are in the tests/relabel directory";
shortdesc = "low level relabel parts of the filesystem";
longdesc = "\
This invokes the SELinux C<setfiles> command which is a low
level tool used to relabel parts of the filesystem.
The C<specfile> parameter controls the policy spec file used.
You have to parse C</etc/selinux/config> to find the correct
SELinux policy and then pass the spec file, usually:
C</etc/selinux/> + I<selinuxtype> + C</contexts/files/file_contexts>.
The required C<paths> parameter is the list of top level directories
where relabelling starts. C<setfiles> will only relabel up to
filesystem boundaries so, for example, passing just C<\"/\"> will
relabel the whole root filesystem, but no other mounted filesystems.
If the list is empty, setfiles is not called.
The optional C<force> boolean controls whether the context
is reset for customizable files, and also whether the
user, role and range parts of the file context is changed." };
]

24
generator/actions_core_deprecated.ml
View File

@@ -942,4 +942,28 @@ This call does nothing and returns an error." };
Used to check a btrfs filesystem, C<device> is the device file where the
filesystem is stored." };
{ defaults with
name = "selinux_relabel"; added = (1, 33, 43);
style = RErr, [String (PlainString, "specfile"); String (Pathname, "path")], [OBool "force"];
impl = OCaml "Selinux.selinux_relabel";
optional = Some "selinuxrelabel";
deprecated_by = Replaced_by "setfiles";
test_excuse = "tests are in the tests/relabel directory";
shortdesc = "relabel parts of the filesystem";
longdesc = "\
SELinux relabel parts of the filesystem.
The C<specfile> parameter controls the policy spec file used.
You have to parse C</etc/selinux/config> to find the correct
SELinux policy and then pass the spec file, usually:
C</etc/selinux/> + I<selinuxtype> + C</contexts/files/file_contexts>.
The required C<path> parameter is the top level directory where
relabelling starts. Normally you should pass C<path> as C</>
to relabel the whole guest filesystem.
The optional C<force> boolean controls whether the context
is reset for customizable files, and also whether the
user, role and range parts of the file context is changed." };
]

1
generator/proc_nr.ml
View File

@@ -521,6 +521,7 @@ let proc_nr = [
516, "command_out";
517, "sh_out";
518, "btrfs_scrub_full";
519, "setfiles";
]
(* End of list. If adding a new entry, add it at the end of the list