diff --git a/builder/builder.ml b/builder/builder.ml index b513ca330..15e1696be 100644 --- a/builder/builder.ml +++ b/builder/builder.ml @@ -642,12 +642,6 @@ let main () = may g#set_smp cmdline.smp; g#set_network cmdline.network; - (* Make sure to turn SELinux off to avoid awkward interactions - * between the appliance kernel and applications/libraries interacting - * with SELinux xattrs. - *) - g#set_selinux false; - (* The output disk is being created, so use cache=unsafe here. *) g#add_drive_opts ~format:output_format ~cachemode:"unsafe" output_filename; diff --git a/customize/customize_main.ml b/customize/customize_main.ml index 2d2c3e9db..9d22cd0c4 100644 --- a/customize/customize_main.ml +++ b/customize/customize_main.ml @@ -162,11 +162,6 @@ read the man page virt-customize(1). may g#set_memsize memsize; may g#set_smp smp; g#set_network network; - (* Make sure to turn SELinux off to avoid awkward interactions - * between the appliance kernel and applications/libraries interacting - * with SELinux xattrs. - *) - g#set_selinux false; (* Add disks. *) add g dryrun; diff --git a/dib/dib.ml b/dib/dib.ml index 382c9d24e..de4f2422e 100644 --- a/dib/dib.ml +++ b/dib/dib.ml @@ -634,12 +634,6 @@ let main () = may g#set_smp cmdline.smp; g#set_network cmdline.network; - (* Make sure to turn SELinux off to avoid awkward interactions - * between the appliance kernel and applications/libraries interacting - * with SELinux xattrs. - *) - g#set_selinux false; - (* Main disk with the built image. *) let fmt = "raw" in let fn = diff --git a/fish/fish.c b/fish/fish.c index f2f288e44..49e1aaada 100644 --- a/fish/fish.c +++ b/fish/fish.c 
@@ -142,7 +142,7 @@ usage (int status) " --no-progress-bars Disable progress bars\n" " --remote[=pid] Send commands to remote %s\n" " -r|--ro Mount read-only\n" - " --selinux Enable SELinux support\n" + " --selinux For backwards compat only, does nothing\n" " -v|--verbose Verbose messages\n" " -V|--version Display version and exit\n" " -w|--rw Mount read-write\n" @@ -267,8 +267,7 @@ main (int argc, char *argv[]) " to the PID of the remote process")); } } else if (STREQ (long_options[option_index].name, "selinux")) { - if (guestfs_set_selinux (g, 1) == -1) - exit (EXIT_FAILURE); + /* nothing */ } else if (STREQ (long_options[option_index].name, "keys-from-stdin")) { keys_from_stdin = 1; } else if (STREQ (long_options[option_index].name, "progress-bars")) { diff --git a/fish/guestfish.pod b/fish/guestfish.pod index bbeea8212..257c6597c 100644 --- a/fish/guestfish.pod +++ b/fish/guestfish.pod @@ -407,7 +407,7 @@ See also L below. =item B<--selinux> -Enable SELinux support for the guest. See L. +This option is provided for backwards compatibility and does nothing. =item B<-v> diff --git a/fuse/guestmount.c b/fuse/guestmount.c index f72ecb82f..4461c6529 100644 --- a/fuse/guestmount.c +++ b/fuse/guestmount.c @@ -123,7 +123,7 @@ usage (int status) " -o|--option opt Pass extra option to FUSE\n" " --pid-file filename Write PID to filename\n" " -r|--ro Mount read-only\n" - " --selinux Enable SELinux support\n" + " --selinux For backwards compat only, does nothing\n" " -v|--verbose Verbose messages\n" " -V|--version Display version and exit\n" " -w|--rw Mount read-write\n" 
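Review bot: The `--selinux` branch in main() now falls through with `/* nothing */`, so a caller who still passes the option gets no indication that the SELinux handling they asked for is gone and that, per the new guestfs.pod text in this patch, files they create may stay mislabeled until the guest is relabeled. Since the option is kept only for compatibility, print a one-line deprecation warning instead of ignoring it silently, e.g. `fprintf (stderr, _("%s: warning: --selinux is ignored; see SELINUX in guestfs(3)\n"), "guestfish");` (the program-name variable this file normally uses is not visible in the hunk, so the literal is a placeholder). The usage text and guestfish.pod already say the option does nothing, but stderr is where a scripted caller will actually notice. The same silent no-op is introduced in guestmount.c and rescue.c in this patch; the enclosing main() begins and ends outside the hunk.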
@@ -225,8 +225,7 @@ main (int argc, char *argv[]) else if (STREQ (long_options[option_index].name, "fuse-help")) fuse_help (); else if (STREQ (long_options[option_index].name, "selinux")) { - if (guestfs_set_selinux (g, 1) == -1) - exit (EXIT_FAILURE); + /* nothing */ } else if (STREQ (long_options[option_index].name, "format")) { OPTION_format; } else if (STREQ (long_options[option_index].name, "keys-from-stdin")) { diff --git a/fuse/guestmount.pod b/fuse/guestmount.pod index e7f37aefb..be075e5c6 100644 --- a/fuse/guestmount.pod +++ b/fuse/guestmount.pod @@ -362,7 +362,7 @@ See also L. =item B<--selinux> -Enable SELinux support for the guest. +This option is provided for backwards compatibility and does nothing. =item B<-v> diff --git a/generator/actions.ml b/generator/actions.ml index 507da9b1b..44233133e 100644 --- a/generator/actions.ml +++ b/generator/actions.ml @@ -645,6 +645,7 @@ Use C or C instead." }; style = RErr, [Bool "selinux"], []; fish_alias = ["selinux"]; config_only = true; blocking = false; + deprecated_by = Some "selinux_relabel"; shortdesc = "set SELinux enabled or disabled at appliance boot"; longdesc = "\ This sets the selinux flag that is passed to the appliance @@ -660,6 +661,7 @@ see L." }; name = "get_selinux"; added = (1, 0, 67); style = RBool "selinux", [], []; blocking = false; + deprecated_by = Some "selinux_relabel"; shortdesc = "get SELinux enabled flag"; longdesc = "\ This returns the current setting of the selinux flag which @@ -7555,6 +7557,7 @@ away any pending events, and deallocates all resources." }; style = RErr, [String "context"], []; proc_nr = Some 185; optional = Some "selinux"; + deprecated_by = Some "selinux_relabel"; shortdesc = "set SELinux security context"; longdesc = "\ This sets the SELinux security context of the daemon 
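Review bot: Adding `deprecated_by = Some "selinux_relabel"` to set_selinux leaves its longdesc describing a live feature ("This sets the selinux flag that is passed to the appliance ..."), while the new guestfs.pod text in this same patch says these APIs "did not work properly" and that the guest's policy cannot be loaded into the appliance kernel. A caller reading only the API documentation could still enable the flag and assume labeling is being handled; put the caveat in the longdesc itself, e.g. `The appliance kernel cannot load the guest's SELinux policy, so enabling this flag does not produce correct labels; use C<selinux_relabel> after making changes instead.` The same applies to get_selinux, setcon and getcon, for which selinux_relabel is a replacement workflow rather than a drop-in equivalent — presumably the generator emits a generic "deprecated, use X" sentence, but that cannot convey this. The set_selinux definition starts before and ends after this hunk.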
@@ -7567,6 +7570,7 @@ See the documentation about SELINUX in L." }; style = RString "context", [], []; proc_nr = Some 186; optional = Some "selinux"; + deprecated_by = Some "selinux_relabel"; shortdesc = "get SELinux security context"; longdesc = "\ This gets the SELinux security context of the daemon. @@ -10126,6 +10130,7 @@ This option may not be specified at the same time as the C option. name = "llz"; added = (1, 17, 6); style = RString "listing", [Pathname "directory"], []; proc_nr = Some 305; + deprecated_by = Some "lgetxattrs"; shortdesc = "list the files in a directory (long format with SELinux contexts)"; longdesc = "\ List the files in F in the format of 'ls -laZ'. diff --git a/rescue/rescue.c b/rescue/rescue.c index 135c9e678..ba123a39e 100644 --- a/rescue/rescue.c +++ b/rescue/rescue.c @@ -73,7 +73,7 @@ usage (int status) " --network Enable network\n" " -r|--ro Access read-only\n" " --scratch[=N] Add scratch disk(s)\n" - " --selinux Enable SELinux\n" + " --selinux For backwards compat only, does nothing\n" " --smp N Enable SMP with N >= 2 virtual CPUs\n" " --suggest Suggest mount commands for this guest\n" " -v|--verbose Verbose messages\n" @@ -147,8 +147,7 @@ main (int argc, char *argv[]) else if (STREQ (long_options[option_index].name, "short-options")) display_short_options (options); else if (STREQ (long_options[option_index].name, "selinux")) { - if (guestfs_set_selinux (g, 1) == -1) - exit (EXIT_FAILURE); + /* nothing */ } else if (STREQ (long_options[option_index].name, "append")) { append = optarg; } else if (STREQ (long_options[option_index].name, "network")) { diff --git a/rescue/virt-rescue.pod b/rescue/virt-rescue.pod index bb563bcc1..00f03aa81 100644 --- a/rescue/virt-rescue.pod +++ b/rescue/virt-rescue.pod @@ -209,8 +209,7 @@ command line. =item B<--selinux> -Enable SELinux in the rescue appliance. You should read -L before using this option. +This option is provided for backwards compatibility and does nothing. =item B<--smp> N 
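Review bot: `deprecated_by = Some "lgetxattrs"` points llz users at an API of a different shape — lgetxattrs takes a single pathname and returns its extended attributes, whereas llz lists a whole directory — so the intended replacement is not obvious from the deprecation marker alone. The longdesc should spell out the substitute, e.g. `To obtain SELinux contexts, list the directory and call C<lgetxattrs> on each entry, reading the C<security.selinux> attribute.` Presumably the motivation is that llz's contexts come from running `ls -laZ` inside an appliance that has no guest policy loaded, which is exactly what the new SELINUX section says is not possible; saying so in the longdesc tells readers which of the two outputs reflects the labels actually stored on disk. The llz definition continues past the end of this hunk.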
diff --git a/src/guestfs.pod b/src/guestfs.pod index 2a199c090..2855d7024 100644 --- a/src/guestfs.pod +++ b/src/guestfs.pod @@ -458,8 +458,8 @@ an X86 host). =item * -For SELinux guests, you may need to enable SELinux and load policy -first. See L in this manpage. +For SELinux guests, you may need to relabel the guest after +creating new files. See L below. =item * @@ -511,44 +511,23 @@ L, L. =head2 SELINUX -We support SELinux guests. To ensure that labeling happens correctly -in SELinux guests, you need to enable SELinux and load the guest's -policy: +We support SELinux guests. However it is not possible to load the +SELinux policy of the guest into the appliance kernel. Therefore the +strategy for dealing with SELinux guests is to relabel them after +making changes. -=over 4 +In libguestfs E 1.34 there is a new API, L, +which can be used for this. To properly use this API you have to +parse the guest SELinux configuration. See the L +module F for how to do this. -=item 1. +A simpler but slower alternative is to touch F in the +guest, which means that the guest will relabel itself at next boot. -Before launching, do: - - guestfs_set_selinux (g, 1); - -=item 2. - -After mounting the guest's filesystem(s), load the policy. This -is best done by running the L command in the -guest itself: - - guestfs_sh (g, "/usr/sbin/load_policy"); - -(Older versions of C require you to specify the -name of the policy file). - -=item 3. - -Optionally, set the security context for the API. The correct -security context to use can only be known by inspecting the -guest. As an example: - - guestfs_setcon (g, "unconfined_u:unconfined_r:unconfined_t:s0"); - -=back - -This will work for running commands and editing existing files. - -When new files are created, you may need to label them explicitly, -for example by running the external command -C. +Libguestfs E 1.32 had APIs C, +C, C and C. +These did not work properly, are deprecated, and should not be used in +new code. =head2 UMASK 
diff --git a/test-tool/test-tool.c b/test-tool/test-tool.c index c63244003..ad1601ce9 100644 --- a/test-tool/test-tool.c +++ b/test-tool/test-tool.c @@ -234,7 +234,6 @@ main (int argc, char *argv[]) printf ("guestfs_get_pgroup: %d\n", guestfs_get_pgroup (g)); printf ("guestfs_get_program: %s\n", guestfs_get_program (g)); printf ("guestfs_get_recovery_proc: %d\n", guestfs_get_recovery_proc (g)); - printf ("guestfs_get_selinux: %d\n", guestfs_get_selinux (g)); printf ("guestfs_get_smp: %d\n", guestfs_get_smp (g)); p = guestfs_get_sockdir (g); printf ("guestfs_get_sockdir: %s\n", p ? : "(null)"); diff --git a/tests/selinux/run-test.pl b/tests/selinux/run-test.pl index f0f241f66..7e4620fb2 100755 --- a/tests/selinux/run-test.pl +++ b/tests/selinux/run-test.pl @@ -105,8 +105,6 @@ if ($test_type eq "selinux" && $test_via eq "fuse") { # Create a filesystem that could support xattrs and SELinux labels. my $g = Sys::Guestfs->new (); -#$g->set_selinux (1) if $test_type eq "selinux"; - $g->add_drive_scratch (256*1024*1024); $g->launch ();