[Libguestfs] Labelling /etc/resolv.conf (rh#1089100)

Pino Toscano ptoscano at redhat.com
Fri Apr 25 09:40:35 UTC 2014


Hi,

I was investigating rh#1089100, which is about /etc/resolv.conf not 
being properly SELinux-labelled.

Basically the problem is due to /etc/resolv.conf in the guest (so 
available as /sysroot/etc/resolv.conf in the appliance) being moved by 
the daemon when executing shell commands (e.g. guestfs_sh).
This operation involves:
a) moving away the guest's /etc/resolv.conf
b) replacing it with the /etc/resolv.conf of the appliance
c) executing the actual shell command
d) moving the guest's /etc/resolv.conf back
... but only if the network is enabled (which it is by default).

So far all the ideas I found (to fix the label of /etc/resolv.conf when 
--selinux-relabel is requested) were:

1) get the security.selinux xattr before (a), and restore it after (d).
   This does not seem to have worked at all, at least for me: the xattr
   read back is "unlabeled", which SELinux obviously refuses later; hence
   I discarded it

2) close the guestfs handle, open a new one with the network disabled
   and do the relabel.
   This works for me, but has the drawback of slowing the process down
   if the relabel is requested and the network is enabled, as closing
   and reopening an appliance might not be that fast

3) allow switching the network on/off also while the appliance is up.
   This would require actually turning the networking on/off at
   runtime, which surely cannot be done with the direct backend and most
   probably not with libvirt either (but I didn't research this hard).

Is there anything obvious I'm missing? Can I go with solution #2?

-- 
Pino Toscano