[Libguestfs] SELinux relabel API

[Pino Toscano]

On Saturday 24 May 2014 16:25:14 Richard W.M. Jones wrote:
> What would be nice would be to have an API to just do this
> relabelling.  Libguestfs could change this API as required to handle
> different guests.
> 
> Dan Walsh helpfully pointed out to us that we've been doing it wrong
> all along :-)  A much better way to relabel is to run:
> 
>   setfiles /etc/selinux/targeted/contexts/files/file_contexts DIR
> 
> where 'file_contexts' is a file which contains the default labels for
> files (a set of regexps), and 'DIR' is the directory at which
> relabelling starts.  Note that 'setfiles' would be the libguestfs
> appliance binary, so no guest binary needs to be run.
> 
> A simple API could just look like this:
> 
>   guestfs_selinux_relabel (g);
> 
> which would always use the 'targeted' policy from the guest, and
> always start relabelling at the root.  This would work fine for
> virt-builder.
> 
> For Colin's requirements for Project Atomic, I suspect he will want to
> be able to set the file_contexts file and the root directory, but
> I'll leave him to describe what would be useful.

I have been experiment/working on this last week (fighting against two 
SELinux, the one to make happy in the guest, and the active-but-not-
enforcing one eventually present in the appliance), and now I have 
something working.

As you said, there are various possibilities in configuring such 
selinux_relabel API; in my first implementation I chose to have it take 
as mandatory argument the root of the guest to relabel, and it is able 
to discover the configured policy there. Of course I am open to 
suggestions/complains/etc about it.

-- 
Pino Toscano