[Libguestfs] SELinux relabel API

Richard W.M. Jones rjones at redhat.com
Sat May 24 15:25:14 UTC 2014


  [
    I realized that we were discussing adding this feature, in various
    private email, IRC, and this long bugzilla thread:
    https://bugzilla.redhat.com/show_bug.cgi?id=1060423
    That's not how we should do things.  Let's discuss it on the
    mailing list.
  ]

One thing that virt-customize/virt-sysprep/virt-builder have to do is
relabel SELinux guests.

What we do at the moment is run:

      if load_policy && fixfiles restore; then
        rm -f /.autorelabel
      else
        touch /.autorelabel
        echo '%s: SELinux relabelling failed, will relabel at boot instead.'
      fi

while chrooted into the guest (using the 'guestfs_sh' API).

This has a number of problems:

 - It has to load the policy using 'load_policy', but this doesn't
   work sometimes:

    * RHEL 5 load_policy takes a parameter.

    * Doesn't work if appliance kernel is significantly different from
      guest kernel version, because the binary policy format changes
      irregularly and is not backwards compatible.

    * Requires the appliance [host] kernel to be compiled with
      LSM/SELinux support.

 - Touching /.autorelabel is often broken, e.g. it's broken in Fedora 20
   because of systemd (RHBZ#1049656).

 - /etc/resolv.conf will not be relabelled if guestfs network is on,
   because of resolv.conf shenanigans in libguestfs.git/daemon/command.c

 - It requires running guest code, which we'd like to avoid.

What would be nice would be to have an API to just do this
relabelling.  Libguestfs could change this API as required to handle
different guests.

Dan Walsh helpfully pointed out to us that we've been doing it wrong
all along :-)  A much better way to relabel is to run:

  setfiles /etc/selinux/targeted/contexts/files/file_contexts DIR

where 'file_contexts' is a file which contains the default labels for
files (a set of regexps), and 'DIR' is the directory at which
relabelling starts.  Note that 'setfiles' would be the libguestfs
appliance binary, so no guest binary needs to be run.

A simple API could just look like this:

  guestfs_selinux_relabel (g);

which would always use the 'targeted' policy from the guest, and
always start relabelling at the root.  This would work fine for
virt-builder.

For Colin's requirements for Project Atomic, I suspect he will want to
be able to set the file_contexts file and the root directory, but I'll
leave him to describe what would be useful.

A couple of notes:

 - I'd like to avoid baking in assumptions from the 'setfiles' command
   as far as possible.  libguestfs APIs last for many years and some
   have caused us many years of regret (but that's our job) :-/

 - Is it a good idea to tie this into inspection in some way -- for
   example, inspection could provide us with the path to the current or
   default SELinux policy?

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-top is 'top' for virtual machines.  Tiny program with many
powerful monitoring features, net stats, disk stats, logging, etc.
http://people.redhat.com/~rjones/virt-top
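
Added example (not part of the original message and not libguestfs code): one way the file_contexts path could be derived from the guest's own /etc/selinux/config before calling setfiles, treating the policy name as untrusted guest data. The function names are hypothetical, the guest is assumed to be mounted at ROOT, and the '-r' (alternate root path) option of setfiles goes beyond the plain command shown in the message.

```shell
#!/bin/sh
# Added example, not libguestfs code. Function names are hypothetical.

# Print the policy name from ROOT/etc/selinux/config.
# Assumption: fall back to "targeted", the policy the post uses, if unset.
guest_selinux_type() {
    conf="$1/etc/selinux/config"
    type=targeted
    if [ -r "$conf" ]; then
        # Last uncommented SELINUXTYPE= line, trailing whitespace stripped.
        v=$(sed -n 's/^[[:space:]]*SELINUXTYPE[[:space:]]*=[[:space:]]*//p' \
                "$conf" | tail -n 1 | sed 's/[[:space:]]*$//')
        if [ -n "$v" ]; then type=$v; fi
    fi
    # The value is guest-controlled and becomes a path component, so
    # reject anything that is not a plain name (no '/' or '..').
    case $type in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
    printf '%s\n' "$type"
}

# Print the setfiles command line for a guest mounted at ROOT.
# Returns 1 for a bad policy name, 2 if file_contexts is missing.
relabel_command() {
    root=$1
    type=$(guest_selinux_type "$root") || return 1
    spec="$root/etc/selinux/$type/contexts/files/file_contexts"
    [ -f "$spec" ] || return 2
    # -r ROOT: match the regexps against paths as if ROOT were "/".
    printf 'setfiles -r %s %s %s\n' "$root" "$spec" "$root"
}

# Constructed sample guest tree so the example runs offline.
demo=$(mktemp -d)
mkdir -p "$demo/etc/selinux/targeted/contexts/files"
printf 'SELINUX=enforcing\nSELINUXTYPE=targeted\n' > "$demo/etc/selinux/config"
: > "$demo/etc/selinux/targeted/contexts/files/file_contexts"
relabel_command "$demo"
rm -rf "$demo"
```

The script only prints the command it would run, so it can be tried on a host that has no setfiles binary.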



