On Tue, Jun 07, 2022 at 01:59:30PM +0100, Richard W.M. Jones wrote: > On Mon, Jun 06, 2022 at 04:19:41PM +0200, Laszlo Ersek wrote: > > + (* Disable SELinux temporarily around package installation. > > Refer to > > + * <https://bugzilla.redhat.com/show_bug.cgi?id=2028764#c7> and > > + * <https://bugzilla.redhat.com/show_bug.cgi?id=2028764#c8>. > > + *) > > + fbs "setenforce 0" > > + (sprintf "#!/bin/sh\n\ > > + rm -f %s\n\ > > + if command -v getenforce >/dev/null &&\n\ > > + \ \ test Enforcing = \"$(getenforce)\"\n\ > > + then\n\ > > + \ \ touch %s\n\ > > + \ \ setenforce 0\n\ > > + fi\n" selinux_enforcing selinux_enforcing); > > + fbs "install qga" inst_cmd; > > + fbs "setenforce restore" > > + (sprintf "#!/bin/sh\n\ > > + if test -f %s; then\n\ > > + \ \ setenforce 1\n\ > > + \ \ rm -f %s\n\ > > + fi\n" selinux_enforcing selinux_enforcing); > > Sounds horrible! But if that's what is needed ...
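Review bot: Restoring enforcing mode depends on the separate "setenforce restore" firstboot script running after "install qga", and nothing in these lines guarantees that when inst_cmd fails or firstboot processing is interrupted, which would leave the guest permissive for the rest of that boot. Consider doing the disable, install and restore in one script with `trap 'setenforce 1' EXIT` set right after `setenforce 0`, or at minimum check the exit status of `setenforce 1` before `rm -f %s`, since as written the marker is removed even if re-enabling enforcement fails. The comment should also say that enforcement is dropped system-wide for the duration of the install, not only for the package manager, and `%s` is interpolated unquoted into both scripts, which is safe only if selinux_enforcing never contains whitespace or shell metacharacters.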
OK, now I caught up with the BZ comments, it really seems odd to me that a service or script can run dnf, but that dnf doesn't transition to the right SELinux context in order to do its work, but also dnf doesn't fail immediately ("error: wrong context!") either. However I don't know enough about SELinux to really understand whether this is how it's supposed to work or not.

In reply to your other comment about --firstboot-install, it is possible that this did work but has since been broken by some change. I don't believe we test it thoroughly anywhere.

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-top is 'top' for virtual machines. Tiny program with many
powerful monitoring features, net stats, disk stats, logging, etc.
http://people.redhat.com/~rjones/virt-top