[Libguestfs] selinux question and answer
Eric Paris
eparis at redhat.com
Wed Aug 12 14:36:13 UTC 2009
On Wed, 2009-08-12 at 15:24 +0100, Richard W.M. Jones wrote:
> On Wed, Aug 12, 2009 at 10:13:25AM -0400, Eric Paris wrote:
> > On Wed, 2009-08-12 at 15:07 +0100, Richard W.M. Jones wrote:
> > > On Wed, Aug 12, 2009 at 10:01:39AM -0400, Eric Paris wrote:
> > > > On Wed, 2009-08-12 at 14:40 +0100, Richard W.M. Jones wrote:
> > > > > After a bit of an epic struggle with a RHEL 5 guest, and thanks to
> > > > > (3) We must run every external command (eg. "rpm") via the shell, so
> > > > > in libguestfs using "sh", never "command".
> > > >
> > > > Correct. There is another (maybe harder?) option. If you want to still
> > > > be able to run things directly from your daemon you'll need to get the
> > > > daemon labeled unconfined_t. This would mean calling setexecon() and
> > > > then re-execing the daemon.
> > >
> > > We were just talking about this, and in fact this may be possible
> > > for us to do relatively easily.
> > >
> > > Question: can we use setexeccon before any policy has been
> > > loaded? Does it need /selinux? (I'm guessing no, yes).
> >
> > Policy must be loaded. /selinux must be mounted somewhere. (libselinux
> > is smart enough to find it even if it isn't mounted at /selinux)
>
> Matt, I think what we need to do here to make this work:
Sorry, you need to have called load_policy before you can call
setexeccon.
(1) mount guest chroot
(2) mount /selinux inside guest chroot
(3) load_policy inside chroot
(4) setexeccon()
(5) *possible relaunch your init daemon*
(6) users can run/do anything they want.
> (1) Mount /selinux during *appliance* boot, so it's mounted in
> the appliance.
>
> (2) In the /init script, we can exec the daemon with correct label.
>
> It'll have to be "unconfined_t" however, since at this point we won't
> be able to work out the correct label to use. Hopefully this doesn't
> matter in any practical situation.
>
> (3) Bind-mount /selinux into the guest chroot as we currently do for
> /proc, /sys etc.
>
> (4) Have an API call to load policy once the guest is mounted.
>
> The above should mean the daemon is labelled correctly, so most of the
> API is covered by SELinux.
>
> Rich.
>
More information about the Libguestfs
mailing list