[Libguestfs] selinux question and answer
Daniel J Walsh
dwalsh at redhat.com
Wed Aug 12 18:30:23 UTC 2009
On 08/12/2009 10:30 AM, Matthew Booth wrote:
> On 12/08/09 15:01, Eric Paris wrote:
>> setexecon() takes an selinux context and then anything you exec after
>> the call will be run in the given domain. So we suggest calling (pseudo
>> code).
>>
>> mount /selinux
>> call load_policy
>> call setexeccon(unconfined_t)
>> do everything in a shell from here on out.
>
> I've just been running some tests, and on the face of it we don't need
> to worry about process contexts.
>
>><fs> sh "mount -t selinuxfs none /selinux"
>><fs> sh "/usr/sbin/load_policy"
>><fs> sh "id -Z"
> system_u:system_r:kernel_t:s0
>
>><fs> sh "rpm -ivh /mnt/xorg_x11.rpm"
> Preparing... ##################################################
> xorg-x11-xauth ##################################################
>
>><fs> sh "ls -Z /usr/bin/xauth"
> -rwxr-xr-x root root system_u:object_r:xauth_exec_t:s0 /usr/bin/xauth
>
> So here rpm has installed xorg-x11-xauth, and /usr/bin/xauth has
> correctly obtained its custom label.
>
> Also:
> * creating a file in a random directory seems to pick up the label of
> the parent directory.
> * usermod can change a password without breaking /etc/shadow
>
> This covers everything we want to do so far. The guest in this case is
> RHEL 5. What are we risking if we don't try to be clever with process
> contexts?
>
> Thanks,
>
> Matt
Probably very little, since kernel_t is an unconfined domain. (unconfined_t) is also an unconfined domain.
You will loose transitions, But usually this is not a big deal. One example would be the mount command,
unconfined_t -> mount_exec_t -> unconfined_mount_t which will end up labeling /etc/mtab correctly.
If you are running as kernel_t you will probably end up with /etc/mtab labeled etc_t. Versus etc_runtime_t.
But there are very few examples where this is the case.
More information about the Libguestfs
mailing list