[Libguestfs] selinux question and answer
Eric Paris
eparis at redhat.com
Wed Aug 12 14:13:25 UTC 2009
On Wed, 2009-08-12 at 15:07 +0100, Richard W.M. Jones wrote:
> On Wed, Aug 12, 2009 at 10:01:39AM -0400, Eric Paris wrote:
> > On Wed, 2009-08-12 at 14:40 +0100, Richard W.M. Jones wrote:
> > > After a bit of an epic struggle with a RHEL 5 guest, and thanks to
> > > (3) We must run every external command (eg. "rpm") via the shell, so
> > > in libguestfs using "sh", never "command".
> >
> > Correct. There is another (maybe harder?) option. If you want to still
> > be able to run things directly from your daemon you'll need to get the
> > daemon labeled unconfined_t. This would mean calling setexeccon() and
> > then re-execing the daemon.
>
> We were just talking about this, and in fact this may be possible
> for us to do relatively easily.
>
> Question: can we use setexeccon before any policy has been
> loaded? Does it need /selinux? (I'm guessing no, yes).

Policy must be loaded. /selinux must be mounted somewhere. (libselinux
is smart enough to find it even if it isn't mounted at /selinux)