On Tuesday, 5 May 2020 17:44:15 CEST Richard W.M. Jones wrote:
> https://bugzilla.redhat.com/show_bug.cgi?id=1828952#c2

I think we need to do a different approach than this patch.

The biggest thing is that currently we check only SELINUXTYPE for the actual policy, however we do not check SELINUX in case SELinux is in enforcing mode at all.

IMHO we rather need to read /etc/selinux/<SELINUX> first:
- if enforcing, go ahead with the current relabeling: check SELINUXTYPE, get the policy path, etc; if set like this, then most probably the SELINUXTYPE points to a valid policy, otherwise the guest would not even boot
- if permissive or disabled, do not perform any relabeling, including touching /.autorelabel; this is because SELinux was disabled, so attempting any relabeling might result in failures

-- 
Pino Toscano
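
The decision described in the message above, sketched as an added example (not libguestfs code and not part of the original message). It assumes the guest keeps its settings as `SELINUX=` and `SELINUXTYPE=` lines in `/etc/selinux/config`; the helper names, and the choice to skip on a missing or unusable value, are assumptions of this sketch.

```python
import re

# Assumption: settings are KEY=value lines, as in a standard /etc/selinux/config.
_KV = re.compile(r"^\s*(SELINUXTYPE|SELINUX)\s*=\s*(\S+)\s*$")

# Constructed sample input, not taken from any real guest.
SAMPLE_CONFIG = """\
# This file controls the state of SELinux on the system.
#SELINUX=disabled
SELINUX=enforcing
SELINUXTYPE=targeted
"""


def parse_selinux_config(text):
    """Return the SELINUX / SELINUXTYPE assignments found in the config text."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]           # ignore comments
        m = _KV.match(line)
        if m:
            settings[m.group(1)] = m.group(2)  # a later assignment overrides
    return settings


def relabel_plan(config_text):
    """Hypothetical helper: decide what the relabel step should do.

    Returns ("relabel", file_contexts_path) only when SELINUX=enforcing,
    otherwise ("skip", None), meaning no relabel and no /.autorelabel.
    """
    s = parse_selinux_config(config_text)
    if s.get("SELINUX", "").lower() != "enforcing":
        # permissive, disabled, missing or unrecognised: leave labels alone
        return ("skip", None)
    policy = s.get("SELINUXTYPE")
    if not policy or "/" in policy or policy in (".", ".."):
        # Assumption of this sketch: without a usable policy name there is
        # nothing to relabel against, so skip rather than fail.
        return ("skip", None)
    return ("relabel", f"/etc/selinux/{policy}/contexts/files/file_contexts")


if __name__ == "__main__":
    print(relabel_plan(SAMPLE_CONFIG))
```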
