[solved] SELinux - should I "touch /.autorelabel" when preparing/sealing a virtual machine for use as a template?

Aqualinx
Posts: 5
Joined: 2017/04/03 17:31:15


Post by Aqualinx » 2017/06/28 19:10:44

Hello and thank you for taking the time to read my post.

I have created a CentOS 7-1611 virtual machine in oVirt which I would like to turn into a template. I have read the oVirt documentation on doing so (http://www.ovirt.org/documentation/vmm- ... Templates/) and have referenced additional posts on the topic, including: On the latter page TX_SCUBA states that it is "Always good to do an SELinux relabel: touch /.autorelabel", but I see no mention of it in either the oVirt documentation or the first page referenced above. I have Googled and searched these fora and have not found additional recommendations on whether to do this and why.

An answer specifying best practice when creating virtual machine templates, whether this is universal or VMware specific and why would be most appreciated!

Thank you,
Charles
Last edited by Aqualinx on 2017/06/28 21:19:28, edited 1 time in total.

TrevorH
Site Admin
Posts: 33218
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: SELinux - should I "touch /.autorelabel" when preparing/sealing a virtual machine for use as a template?

Post by TrevorH » 2017/06/28 20:02:44

The VM disk that you create ought to already have the correct SELinux contexts and should not need altering. The only time this won't be true is if you use a non-SELinux-aware operating system to modify the image. The only drawback to using touch /.autorelabel is that it takes extra time to run. Oh, and if you've made any overriding changes to SELinux contexts using chcon instead of semanage then they would be reverted to default values.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
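
A pre-seal check for the point in the reply above about chcon changes being reverted, added here as an example and not part of the original thread: it turns a dry run of restorecon into a list of files whose label a relabel would reset. The function names and the sample paths and labels are constructed for illustration; the parser assumes the "restorecon reset" line format printed on CentOS 7 and the "Would relabel" format of newer policycoreutils.

```shell
#!/bin/sh
# Pre-seal check: which files would /.autorelabel reset to the policy default?
# restorecon -n changes nothing; -v prints one line per file it would relabel.

# Read restorecon -nv output on stdin, print "PATH CURRENT_TYPE DEFAULT_TYPE".
# Assumption: paths contain no whitespace (fields are split on blanks).
parse_relabel_preview() {
    awk '
        # The type is the third colon-separated field of user:role:type:level
        function type_of(ctx,  f) { split(ctx, f, ":"); return f[3] }
        # CentOS 7: restorecon reset PATH context OLD->NEW
        $1 == "restorecon" && $2 == "reset" && $4 == "context" {
            split($5, c, "->"); print $3, type_of(c[1]), type_of(c[2])
        }
        # Newer releases: Would relabel PATH from OLD to NEW
        $1 == "Would" && $2 == "relabel" && $4 == "from" && $6 == "to" {
            print $3, type_of($5), type_of($7)
        }
    '
}

# Count the files a relabel would touch in a captured preview.
count_relabel_changes() {
    printf '%s\n' "$1" | parse_relabel_preview | wc -l | tr -d ' '
}

# On a real SELinux host: preview the given trees (default: whole filesystem).
preview_host() {
    [ "$#" -gt 0 ] || set -- /
    restorecon -R -n -v "$@" 2>&1 | parse_relabel_preview
}

# Constructed sample output (not captured from a real host), one line per
# format. Both files carry a chcon-style label that policy does not know.
SAMPLE_PREVIEW='restorecon reset /srv/www/index.html context unconfined_u:object_r:httpd_sys_content_t:s0->unconfined_u:object_r:var_t:s0
Would relabel /opt/app/data from system_u:object_r:httpd_sys_rw_content_t:s0 to system_u:object_r:usr_t:s0'

# Demo on the sample; on the template VM call preview_host instead.
printf '%s\n' "$SAMPLE_PREVIEW" | parse_relabel_preview
```

Any path this lists has a label that exists only on disk; if it has to survive a relabel, record it in policy with semanage fcontext before sealing the template.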

Aqualinx
Posts: 5
Joined: 2017/04/03 17:31:15

Re: SELinux - should I "touch /.autorelabel" when preparing/sealing a virtual machine for use as a template?

Post by Aqualinx » 2017/06/28 20:13:12

Thank you TrevorH for such a quick reply! The only modification I can see doing right now in modifying the image is using cloud-init. I see a post on the RHEL customer portal (https://access.redhat.com/solutions/1381623) with the title "cloud-init partially fails with SELinux in enforced mode" but cannot read it as I/the company I work for is not a subscriber. Would this be an instance of using "a non-selinux aware operating system to modify the image"?

Thanks again!
Charles

TrevorH
Site Admin
Posts: 33218
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: [solved] SELinux - should I "touch /.autorelabel" when preparing/sealing a virtual machine for use as a template?

Post by TrevorH » 2017/06/28 22:22:35

If this happened to be for a development project then you could read http://developers.redhat.com/blog/2016/ ... available/
