[Libguestfs] [PATCH] Allow selinux=? and enforcing=? kernel flags to be controlled

Richard W.M. Jones rjones at redhat.com
Wed Aug 12 15:22:37 UTC 2009


This is a small, self-contained patch which allows the
selinux=? and enforcing=? flags on the appliance kernel command line
to be controlled by the caller instead of being hard-coded.

Currently libguestfs unconditionally passes selinux=0.  By default
this patch does the same thing, but allows programs to enable SELinux
in the kernel and/or set it to enforcing mode.

Rich.

-- 
Richard Jones, Emerging Technologies, Red Hat  http://et.redhat.com/~rjones
virt-top is 'top' for virtual machines.  Tiny program with many
powerful monitoring features, net stats, disk stats, logging, etc.
http://et.redhat.com/~rjones/virt-top
>From d747b641cc683ce05dc83a9d3c94d3d482e97318 Mon Sep 17 00:00:00 2001
From: Richard Jones <rjones at trick.home.annexia.org>
Date: Wed, 12 Aug 2009 16:10:35 +0100
Subject: [PATCH] =?utf-8?q?Allow=20selinux=3D=3F=20and=20enforcing=3D=3F=20kernel=20flags=20to=20be=20controlled.?=

Adds new API calls to set and get these flags.
---
 src/generator.ml |   45 +++++++++++++++++++++++++++++++++++++++++++++
 src/guestfs.c    |   45 ++++++++++++++++++++++++++++++++++++++++-----
 2 files changed, 85 insertions(+), 5 deletions(-)

diff --git a/src/generator.ml b/src/generator.ml
index 8d16945..d44f2a6 100755
--- a/src/generator.ml
+++ b/src/generator.ml
@@ -761,6 +761,51 @@ C<$major.$minor.$release$extra>
 I<Note:> Don't use this call to test for availability
 of features.  Distro backports makes this unreliable.");
 
+  ("set_selinux", (RErr, [Bool "selinux"]), -1, [FishAlias "selinux"],
+   [InitNone, Always, TestOutputTrue (
+      [["set_selinux"; "true"];
+       ["get_selinux"]])],
+   "set SELinux enabled or disabled at appliance boot",
+   "\
+This sets the selinux flag that is passed to the appliance
+at boot time.  The default is C<selinux=0> (disabled).
+
+For more information on the architecture of libguestfs,
+see L<guestfs(3)>.");
+
+  ("get_selinux", (RBool "selinux", []), -1, [],
+   [],
+   "get SELinux enabled flag",
+   "\
+This returns the current setting of the selinux flag which
+is passed to the appliance at boot time.  See C<guestfs_set_selinux>.
+
+For more information on the architecture of libguestfs,
+see L<guestfs(3)>.");
+
+  ("set_selinux_enforcing", (RErr, [Bool "enforcing"]), -1, [FishAlias "selinux_enforcing"],
+   [InitNone, Always, TestOutputTrue (
+      [["set_selinux_enforcing"; "true"];
+       ["get_selinux_enforcing"]])],
+   "set SELinux enforcing or permissive at appliance boot",
+   "\
+This sets the enforcing flag that is passed to the appliance
+at boot time.  The default is C<enforcing=0> (permissive).
+
+For more information on the architecture of libguestfs,
+see L<guestfs(3)>.");
+
+  ("get_selinux_enforcing", (RBool "enforcing", []), -1, [],
+   [],
+   "get SELinux enforcing flag",
+   "\
+This returns the current setting of the enforcing flag which
+is passed to the appliance at boot time.
+See C<guestfs_set_selinux_enforcing> and C<guestfs_set_selinux>.
+
+For more information on the architecture of libguestfs,
+see L<guestfs(3)>.");
+
 ]
 
 (* daemon_functions are any functions which cause some action
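Review bot: The POD for set_selinux_enforcing never says that the flag is meaningless unless SELinux is also enabled, and the POD for set_selinux drops the only warning the code had about enabling SELinux in an appliance with no policy (the `SELinux is messed up if there's no policy` comment this patch removes from guestfs.c). I would add to set_selinux_enforcing: `This flag has no effect unless SELinux is also enabled with C<guestfs_set_selinux>.` and to set_selinux: `Enabling SELinux requires the appliance to carry a policy the kernel can load; without one the appliance may not work correctly.` Both setters document a default, but as far as the patch shows the values are only consumed when guestfs_launch builds the kernel command line, so a sentence such as `This setting takes effect at the next C<guestfs_launch>.` would stop callers from expecting a change on a running handle. The enclosing list of non-daemon functions starts before the hunk.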
diff --git a/src/guestfs.c b/src/guestfs.c
index 9560aec..c7943a5 100644
--- a/src/guestfs.c
+++ b/src/guestfs.c
@@ -177,6 +177,9 @@ struct guestfs_h
 
   int memsize;			/* Size of RAM (megabytes). */
 
+  int selinux;                  /* selinux enabled? */
+  int selinux_enforcing;        /* selinux enforcing? */
+
   char *last_error;
 
   /* Callbacks. */
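Review bot: The two new fields are added to struct guestfs_h but nothing in the patch initializes them, so the documented default of selinux=0 / enforcing=0 holds only if guestfs_create zeroes the whole handle (e.g. via calloc); if it allocates with plain malloc the appliance would be booted with whatever those ints happen to contain, possibly selinux=1 enforcing=1 against an appliance that has no policy. I would set `g->selinux = 0;` and `g->selinux_enforcing = 0;` explicitly next to the other handle defaults in guestfs_create (outside this hunk), so the default is stated rather than inherited from the allocator. The struct definition starts before the hunk and continues after it.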
@@ -689,6 +692,32 @@ guestfs_get_memsize (guestfs_h *g)
 }
 
 int
+guestfs_set_selinux (guestfs_h *g, int selinux)
+{
+  g->selinux = selinux;
+  return 0;
+}
+
+int
+guestfs_get_selinux (guestfs_h *g)
+{
+  return g->selinux;
+}
+
+int
+guestfs_set_selinux_enforcing (guestfs_h *g, int selinux_enforcing)
+{
+  g->selinux_enforcing = selinux_enforcing;
+  return 0;
+}
+
+int
+guestfs_get_selinux_enforcing (guestfs_h *g)
+{
+  return g->selinux_enforcing;
+}
+
+int
 guestfs_get_pid (guestfs_h *g)
 {
   if (g->pid > 0)
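Review bot: guestfs_set_selinux and guestfs_set_selinux_enforcing store the raw int, so a caller passing 2 gets 2 back from getters that the generator declares as RBool; normalizing on store with `g->selinux = !!selinux;` and `g->selinux_enforcing = !!selinux_enforcing;` keeps the getters returning a true 0/1. Neither setter refuses a call on an already-launched handle even though the value is only consumed when guestfs_launch builds the kernel command line; if the library's other setters reject changes after launch these should do the same (the `g->pid > 0` test in guestfs_get_pid is the indicator this file already uses), otherwise a one-line comment that the value is applied at the next launch is enough. guestfs_get_pid begins at the end of the hunk and continues outside it.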
@@ -1047,15 +1076,21 @@ guestfs_launch (guestfs_h *g)
     "udevtimeout=300 " /* good for very slow systems (RHBZ#480319) */	\
     "noapic "          /* workaround for RHBZ#502058 - ok if not SMP */ \
     "acpi=off "        /* we don't need ACPI, turn it off */		\
-    "cgroup_disable=memory " /* saves us about 5 MB of RAM */           \
-    "selinux=0 "       /* SELinux is messed up if there's no policy */
+    "cgroup_disable=memory " /* saves us about 5 MB of RAM */
 
     /* Linux kernel command line. */
     snprintf (append, sizeof append,
-              LINUX_CMDLINE "guestfs=%s:%d%s%s%s",
+              LINUX_CMDLINE
+              "guestfs=%s:%d "
+              "%s"              /* (selinux) */
+              "%s"              /* (enforcing) */
+              "%s"              /* (verbose) */
+              "%s",             /* (append) */
               VMCHANNEL_ADDR, VMCHANNEL_PORT,
-              g->verbose ? " guestfs_verbose=1" : "",
-              g->append ? " " : "", g->append ? g->append : "");
+              g->selinux ? "selinux=1 " : "selinux=0 ",
+              g->selinux_enforcing ? "enforcing=1 " : "enforcing=0 ",
+              g->verbose ? "guestfs_verbose=1 " : " ",
+              g->append ? g->append : "");
 
     snprintf (memsize_str, sizeof memsize_str, "%d", g->memsize);
 
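Review bot: The snprintf that builds the kernel command line still has no truncation check, and the new selinux/enforcing tokens add about 24 bytes of fixed text ahead of the caller-supplied g->append, so a long append silently loses its tail rather than failing; capture the return value and treat `r < 0 || (size_t) r >= sizeof append` as an error through the function's existing error path. The verbose argument emits a lone `" "` when verbose is off while every other token carries its own trailing space, so `g->verbose ? "guestfs_verbose=1 " : "",` is what the surrounding lines intend. The removed `SELinux is messed up if there's no policy` comment was the only in-code warning that selinux=1 is only safe when the appliance actually carries a policy, and it is worth keeping next to the new selinux argument. Since a later occurrence of a kernel flag typically overrides an earlier one, a caller's g->append can still reverse whatever set_selinux chose, which the API docs should mention. guestfs_launch starts and ends outside the hunk.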
-- 
1.6.2.5


