[Libguestfs] selinux question and answer

[Eric Paris]

On Wed, 2009-08-12 at 14:41 -0400, Daniel J Walsh wrote:
> On 08/12/2009 10:30 AM, Matthew Booth wrote:
> > On 12/08/09 15:01, Eric Paris wrote:
> >> setexecon() takes an selinux context and then anything you exec after
> >> the call will be run in the given domain.  So we suggest calling (pseudo
> >> code).
> >>
> >> mount /selinux
> >> call load_policy
> >> call setexeccon(unconfined_t)
> >> do everything in a shell from here on out.
> > 
> > I've just been running some tests, and on the face of it we don't need
> > to worry about process contexts.
> > 
> >><fs> sh "mount -t selinuxfs none /selinux"
> >><fs> sh "/usr/sbin/load_policy"
> >><fs> sh "id -Z"
> > system_u:system_r:kernel_t:s0
> > 
> >><fs> sh "rpm -ivh /mnt/xorg_x11.rpm"
> > Preparing... ##################################################
> > xorg-x11-xauth ##################################################
> > 
> >><fs> sh "ls -Z /usr/bin/xauth"
> > -rwxr-xr-x  root root system_u:object_r:xauth_exec_t:s0 /usr/bin/xauth
> > 
> > So here rpm has installed xorg-x11-xauth, and /usr/bin/xauth has
> > correctly obtained its custom label.
> > 
> > Also:
> > * creating a file in a random directory seems to pick up the label of
> > the parent directory.
> > * usermod can change a password without breaking /etc/shadow
> > 
> > This covers everything we want to do so far. The guest in this case is
> > RHEL 5. What are we risking if we don't try to be clever with process
> > contexts?
> > 
> > Thanks,
> > 
> > Matt
> I think executing 
> 
> F11, F12, F..., RHEL6 ...
> setcon("unconfined_u:unconfined_r:unconfined_t:s0")
> 
> RHEL5
> setcon("user_u:system_r:unconfined_t:s0")

wouldn't "system_u:object_r:unconfined_t:s0" work just as well and it
would work RHEL4-rawhide?  No need to know anything about the guest?

object_r having that black magic noone seems to talk about....

-Eric