[Libguestfs] selinux question and answer

Richard W.M. Jones rjones at redhat.com
Thu Aug 13 09:31:25 UTC 2009


On Thu, Aug 13, 2009 at 10:22:03AM +0100, Matthew Booth wrote:
> On 12/08/09 20:04, Richard W.M. Jones wrote:
>> On Wed, Aug 12, 2009 at 02:41:16PM -0400, Daniel J Walsh wrote:
>>> F11, F12, F..., RHEL6 ...
>>> setcon("unconfined_u:unconfined_r:unconfined_t:s0")
>>>
>>> RHEL5
>>> setcon("user_u:system_r:unconfined_t:s0")
>>>
>>> Would be valid, then you do not need to worry about executing a shell.
>>
>> Matt maybe we want this patch after all?
>>
>
> Ok. We have a use case (/etc/mtab) which would be broken without this.  
> I'd go ahead and add it.
>
> I'm inclined to try setcon to an ordered list of targets, stopping when  
> one works. So far, I think we've got:
>
> 1. unconfined_u:unconfined_r:unconfined_t:s0
> 2. user_u:system_r:unconfined_t:s0
> 3. system_u:object_r:unconfined_t:s0
>
> sysadm_t was mentioned on our call yesterday as being the root login  
> domain for an MLS policy. What's a good set for MLS?

I'm not even sure what "MLS" is.

Anyway, isn't there a way to get this from the /etc/selinux
configuration of the guest?  For example on a Fedora 10 machine I see:

$ cat /etc/selinux/targeted/contexts/default_type 
auditadm_r:auditadm_t
secadm_r:secadm_t
sysadm_r:sysadm_t
staff_r:staff_t
unconfined_r:unconfined_t
user_r:user_t

$ cat /etc/selinux/targeted/contexts/default_contexts 
system_r:crond_t:s0        system_r:system_crond_t:s0
system_r:local_login_t:s0  user_r:user_t:s0
system_r:remote_login_t:s0 user_r:user_t:s0
system_r:sshd_t:s0         user_r:user_t:s0
system_r:sulogin_t:s0      sysadm_r:sysadm_t:s0
system_r:xdm_t:s0          user_r:user_t:s0

Rich.

-- 
Richard Jones, Emerging Technologies, Red Hat  http://et.redhat.com/~rjones
New in Fedora 11: Fedora Windows cross-compiler. Compile Windows
programs, test, and build Windows installers. Over 70 libraries supprt'd
http://fedoraproject.org/wiki/MinGW http://www.annexia.org/fedora_mingw
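The thread above proposes two things: try an ordered list of setcon() targets until one is accepted, and derive further targets from the guest's own /etc/selinux/.../contexts/default_contexts. The C below is an added example written for this page, not code from libguestfs or from anyone in the thread. It assumes: (1) the default_contexts text has already been read out of the guest (the constructed copy here is the Fedora 10 file quoted in the message); (2) because that file lists only role:type:level targets, each is paired with a caller-chosen SELinux user, "system_u" here, which is an assumption rather than anything the thread states; (3) instead of linking libselinux, the probe writes the context string to /proc/self/attr/current, which is what setcon(3) does underneath, so the example builds without libselinux and simply fails on a kernel without SELinux; (4) try_setcon_rhel5_mock is a constructed stand-in policy that only accepts the RHEL5 context Dan gave, used to exercise the selection logic offline.

```c
/* Added example: ordered setcon() candidates plus targets parsed from a
 * guest's default_contexts.  Not libguestfs code. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define MAX_CANDIDATES 16
#define CTX_LEN 128

/* Fixed ordered list from the reply above; always tried first. */
static const char *const fixed_candidates[] = {
    "unconfined_u:unconfined_r:unconfined_t:s0",
    "user_u:system_r:unconfined_t:s0",
    "system_u:object_r:unconfined_t:s0",
};

/* Constructed copy of the Fedora 10 default_contexts shown in the message.
 * In practice this text would be read from the guest filesystem. */
static const char sample_default_contexts[] =
    "system_r:crond_t:s0        system_r:system_crond_t:s0\n"
    "system_r:local_login_t:s0  user_r:user_t:s0\n"
    "system_r:remote_login_t:s0 user_r:user_t:s0\n"
    "system_r:sshd_t:s0         user_r:user_t:s0\n"
    "system_r:sulogin_t:s0      sysadm_r:sysadm_t:s0\n"
    "system_r:xdm_t:s0          user_r:user_t:s0\n";

/* Each line of default_contexts is "<source role:type:level> <target ...>".
 * Append "<user>:<target>" for every distinct target to cands (already
 * holding n entries) and return the new count.  Pairing with a fixed user
 * is an assumption: the file itself names no SELinux user. */
static int add_guest_candidates(const char *text, const char *user,
                                char cands[][CTX_LEN], int n)
{
    const char *p = text;
    while (*p && n < MAX_CANDIDATES) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        char line[256], dst[CTX_LEN], full[CTX_LEN];
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        /* skip comments and blank lines; %*s drops the source context */
        if (line[0] != '#' && sscanf(line, "%*s %127s", dst) == 1 &&
            snprintf(full, sizeof full, "%s:%s", user, dst) < CTX_LEN) {
            int dup = 0;
            for (int i = 0; i < n; i++)
                if (strcmp(cands[i], full) == 0) { dup = 1; break; }
            if (!dup) strcpy(cands[n++], full);
        }
        if (!eol) break;
        p = eol + 1;
    }
    return n;
}

typedef int (*probe_fn)(const char *ctx);

/* What libselinux setcon(3) does underneath: write the context to
 * /proc/self/attr/current.  Fails (returns -1, errno set) when SELinux is
 * absent or the policy refuses the transition, so the caller moves on. */
static int try_setcon_proc(const char *ctx)
{
    int fd = open("/proc/self/attr/current", O_WRONLY);
    if (fd < 0) return -1;
    ssize_t w = write(fd, ctx, strlen(ctx));
    int saved = errno;
    close(fd);
    errno = saved;
    return w == (ssize_t)strlen(ctx) ? 0 : -1;
}

/* Constructed stand-in for a RHEL5-style policy that accepts only the
 * context Dan listed for RHEL5; lets the selection run without SELinux. */
static int try_setcon_rhel5_mock(const char *ctx)
{
    return strcmp(ctx, "user_u:system_r:unconfined_t:s0") == 0 ? 0 : -1;
}

/* Try candidates in order; index of the first accepted one, or -1. */
static int pick_context(char cands[][CTX_LEN], int n, probe_fn probe)
{
    for (int i = 0; i < n; i++)
        if (probe(cands[i]) == 0) return i;
    return -1;
}

/* Fixed entries first, then the guest-derived ones.  Returns the count. */
static int build_candidates(char cands[][CTX_LEN], const char *guest_defaults)
{
    int n = 0;
    for (size_t i = 0; i < sizeof fixed_candidates / sizeof fixed_candidates[0]; i++)
        strcpy(cands[n++], fixed_candidates[i]);
    return add_guest_candidates(guest_defaults, "system_u", cands, n);
}

int main(void)
{
    char cands[MAX_CANDIDATES][CTX_LEN];
    int n = build_candidates(cands, sample_default_contexts);
    int i = pick_context(cands, n, try_setcon_proc);
    if (i < 0)
        printf("no candidate accepted: %s\n", strerror(errno));
    else
        printf("switched to %s\n", cands[i]);
    return 0;
}
```

One caveat a practitioner should keep in mind: a successful write to /proc/self/attr/current really does change the calling process's context, just as setcon() would, so run the real probe only where that is the intended effect. Passing the probe as a function pointer is what makes the ordering logic testable without SELinux present.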