[libvirt] [sandbox PATCH] virt-sandbox patch to launch containers with proper label

Dan Walsh dwalsh at redhat.com
Wed Sep 25 20:50:23 UTC 2013


virt-sandbox should be launching containers based on the lxc_contexts
file from selinux-policy. I changed the hard-coded paths to match the
latest Fedora assigned labels.

Fedora 20 SELinux Policy and beyond will have proper SELinux labels in its
lxc_contexts file.
---
 bin/virt-sandbox-service                  |  2 +-
 bin/virt-sandbox-service-clone.pod        |  5 ++-
 bin/virt-sandbox-service-create.pod       |  7 ++--
 bin/virt-sandbox.c                        |  5 ++-
 libvirt-sandbox/libvirt-sandbox-builder.c | 58 +++++++++++++++++++++++++------
 5 files changed, 55 insertions(+), 22 deletions(-)

diff --git a/bin/virt-sandbox-service b/bin/virt-sandbox-service
index c4c4f54..b42fe08 100755
--- a/bin/virt-sandbox-service
+++ b/bin/virt-sandbox-service
@@ -101,7 +101,7 @@ def copydirtree(src, dst):
 class Container:
     DEFAULT_PATH       = "/var/lib/libvirt/filesystems"
     DEFAULT_IMAGE      = "/var/lib/libvirt/images/%s.raw"
-    SELINUX_FILE_TYPE  = "svirt_lxc_file_t"
+    SELINUX_FILE_TYPE  = "svirt_sandbox_file_t"
 
     def __init__(self, name=None, uri = "lxc:///", path = DEFAULT_PATH, config=None, create=False):
         self.uri = uri
diff --git a/bin/virt-sandbox-service-clone.pod b/bin/virt-sandbox-service-clone.pod
index cd261c4..3b4ecec 100644
--- a/bin/virt-sandbox-service-clone.pod
+++ b/bin/virt-sandbox-service-clone.pod
@@ -42,8 +42,7 @@ separated by commas. The following options are valid for SELinux
 
 Dynamically allocate an SELinux label, using the default base context.
 The default base context is system_u:system_r:svirt_lxc_net_t:s0 for LXC,
-system_u:system_r:svirt_t:s0 for KVM, system_u:system_r:svirt_tcg_t:s0
-for QEMU.
+system_u:system_r:svirt_qemu_net_t:s0 for KVM or QEMU.
 
 =item dynamic,label=USER:ROLE:TYPE:LEVEL
 
@@ -53,7 +52,7 @@ USER:ROLE:TYPE:LEVEL, instead of the default base context.
 =item static,label=USER:ROLE:TYPE:LEVEL
 
 To set a completely static label. For example,
-static,label=system_u:system_r:svirt_t:s0:c412,c355
+static,label=system_u:system_r:svirt_lxc_net_t:s0:c412,c355
 
 =back
 
diff --git a/bin/virt-sandbox-service-create.pod b/bin/virt-sandbox-service-create.pod
index 2ab289a..4bdca32 100644
--- a/bin/virt-sandbox-service-create.pod
+++ b/bin/virt-sandbox-service-create.pod
@@ -61,7 +61,7 @@ Default: C<Login GID of UID>.
 
 Set SELinux file type to use within container.
 
-Default: C<svirt_lxc_file_t>.
+Default: C<svirt_sandbox_file_t>.
 
 =item B<-p PATH>, B<--path PATH>
 
@@ -182,8 +182,7 @@ separated by commas. The following options are valid for SELinux
 
 Dynamically allocate an SELinux label, using the default base context.
 The default base context is system_u:system_r:svirt_lxc_net_t:s0 for LXC,
-system_u:system_r:svirt_t:s0 for KVM, system_u:system_r:svirt_tcg_t:s0
-for QEMU.
+system_u:system_r:svirt_qemu_net_t:s0 for KVM or QEMU.
 
 =item dynamic,label=USER:ROLE:TYPE:LEVEL
 
@@ -193,7 +192,7 @@ USER:ROLE:TYPE:LEVEL, instead of the default base context.
 =item static,label=USER:ROLE:TYPE:LEVEL
 
 To set a completely static label. For example,
-static,label=system_u:system_r:svirt_t:s0:c412,c355
+static,label=system_u:system_r:svirt_lxc_net_t:s0:c412,c355
 
 =back
 
diff --git a/bin/virt-sandbox.c b/bin/virt-sandbox.c
index b16217b..f66b045 100644
--- a/bin/virt-sandbox.c
+++ b/bin/virt-sandbox.c
@@ -413,8 +413,7 @@ separated by commas. The following options are valid for SELinux
 
 Dynamically allocate an SELinux label, using the default base context.
 The default base context is system_u:system_r:svirt_lxc_net_t:s0 for LXC,
-system_u:system_r:svirt_t:s0 for KVM, system_u:system_r:svirt_tcg_t:s0
-for QEMU.
+system_u:system_r:svirt_qemu_net_t:s0 for KVM or QEMU.
 
 =item dynamic,label=USER:ROLE:TYPE:LEVEL
 
@@ -424,7 +423,7 @@ USER:ROLE:TYPE:LEVEL, instead of the default base context.
 =item static,label=USER:ROLE:TYPE:LEVEL
 
 To set a completely static label. For example,
-static,label=system_u:system_r:svirt_t:s0:c412,c355
+static,label=system_u:system_r:svirt_lxc_net_t:s0:c412,c355
 
 =item inherit
 
diff --git a/libvirt-sandbox/libvirt-sandbox-builder.c b/libvirt-sandbox/libvirt-sandbox-builder.c
index 1335042..613161a 100644
--- a/libvirt-sandbox/libvirt-sandbox-builder.c
+++ b/libvirt-sandbox/libvirt-sandbox-builder.c
@@ -67,6 +67,48 @@ gvir_sandbox_builder_error_quark(void)
 {
     return g_quark_from_static_string("gvir-sandbox-builder");
 }
+#include <selinux/selinux.h>
+#include <errno.h>
+static char line[1024];
+
+static const char *get_label(int type) {
+    const char *path = selinux_lxc_contexts_path();
+
+    FILE *fp = fopen(path, "r");
+    if (fp) {
+        GType gt = gvir_config_domain_virt_type_get_type ();
+        GEnumClass *cls = g_type_class_ref (gt);
+        GEnumValue *val = g_enum_get_value (cls, type);
+
+        while (val && fgets(line, sizeof line, fp)) {
+            int len = strlen(line);
+            if (len > 2)
+                continue;
+            if (line[len-1] == '\n')
+                line[len-1] = '\0';
+            char *name = line;
+            char *value = strchr(name, '=');
+            if (!value)
+                continue;
+            *value = '\0';
+            value++;
+            if (strcmp(name,val->value_nick))
+                continue;
+            return value;
+        }
+        fclose(fp);
+    }
+
+    switch (type) {
+    case GVIR_CONFIG_DOMAIN_VIRT_KVM:
+        return "system_u:system_r:svirt_qemu_net_t:s0";
+    case GVIR_CONFIG_DOMAIN_VIRT_QEMU:
+        return "system_u:system_r:svirt_qemu_net_t:s0";
+    case GVIR_CONFIG_DOMAIN_VIRT_LXC:
+    default:
+        return "system_u:system_r:svirt_lxc_net_t:s0";
+    }
+}
 
 static gboolean gvir_sandbox_builder_construct_domain(GVirSandboxBuilder *builder,
                                                       GVirSandboxConfig *config,
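Review bot: The length guard `if (len > 2) continue;` in get_label discards every line long enough to hold a `name=value` pair, so the lxc_contexts lookup can never match and the hard-coded fallback `switch` is always taken; it should skip short lines instead, `if (len <= 2) continue;`. The matching path also returns from inside the loop without `fclose(fp)`, and the `g_type_class_ref` is never paired with `g_type_class_unref` on either path, so each call leaks a FILE and a class reference. The returned pointer aliases the file-scope static `line`, which makes get_label non-reentrant; if callers are expected to copy the string before the next call, say so in a comment on the function. The key names and quoting in the lxc_contexts file should be confirmed against `val->value_nick` — if the file writes `key = "value"` with spaces or quotes, the `strcmp` would never match even with the guard fixed; if `selinux_lxc_contexts_path()` can return NULL, guard it before `fopen`. The rewrite below fixes the guard and the leaks; the two `#include` lines would conventionally move to the top of the file.
```c
static const char *get_label(int type) {
    const char *path = selinux_lxc_contexts_path();
    const char *result = NULL;

    FILE *fp = path ? fopen(path, "r") : NULL;
    if (fp) {
        GType gt = gvir_config_domain_virt_type_get_type ();
        GEnumClass *cls = g_type_class_ref (gt);
        GEnumValue *val = g_enum_get_value (cls, type);

        while (val && !result && fgets(line, sizeof line, fp)) {
            size_t len = strlen(line);
            if (len <= 2)            /* blank, or too short for "k=v" */
                continue;
            if (line[len-1] == '\n')
                line[len-1] = '\0';
            char *name = line;
            char *value = strchr(name, '=');
            if (!value)
                continue;
            *value++ = '\0';
            if (strcmp(name, val->value_nick) == 0)
                result = value;      /* points into static 'line' */
        }
        g_type_class_unref(cls);
        fclose(fp);
    }
    if (result)
        return result;

    /* … unchanged: switch on type returning the built-in defaults … */
}
```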
@@ -335,17 +377,11 @@ static gboolean gvir_sandbox_builder_construct_security(GVirSandboxBuilder *buil
     if (gvir_sandbox_config_get_security_dynamic(config)) {
         gvir_config_domain_seclabel_set_type(sec,
                                              GVIR_CONFIG_DOMAIN_SECLABEL_DYNAMIC);
-        if (label)
-            gvir_config_domain_seclabel_set_baselabel(sec, label);
-        else if (gvir_config_domain_get_virt_type(domain) ==
-                 GVIR_CONFIG_DOMAIN_VIRT_LXC)
-            gvir_config_domain_seclabel_set_baselabel(sec, "system_u:system_r:svirt_lxc_net_t:s0");
-        else if (gvir_config_domain_get_virt_type(domain) ==
-                 GVIR_CONFIG_DOMAIN_VIRT_QEMU)
-            gvir_config_domain_seclabel_set_baselabel(sec, "system_u:system_r:svirt_tcg_t:s0");
-        else if (gvir_config_domain_get_virt_type(domain) ==
-                 GVIR_CONFIG_DOMAIN_VIRT_KVM)
-            gvir_config_domain_seclabel_set_baselabel(sec, "system_u:system_r:svirt_t:s0");
+        if (!label)
+            label = get_label(gvir_config_domain_get_virt_type(domain));
+
+        gvir_config_domain_seclabel_set_baselabel(sec, label);
+
     } else {
         gvir_config_domain_seclabel_set_type(sec,
                                              GVIR_CONFIG_DOMAIN_SECLABEL_STATIC);
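Review bot: `label = get_label(...)` at the top of the hunk stores a pointer to a static buffer or a string literal in `label`, whose declaration and any later cleanup are outside this hunk (gvir_sandbox_builder_construct_security starts and ends outside it); if `label` is a heap-owned `gchar *` that the function frees on exit, this assignment would pass non-heap memory to the free, and if it is declared without `const` the assignment discards the qualifier returned by get_label. Keeping the lookup result in its own local avoids both, e.g. `const char *baselabel = label ? label : get_label(gvir_config_domain_get_virt_type(domain));` followed by `gvir_config_domain_seclabel_set_baselabel(sec, baselabel);`. Whether `gvir_config_domain_seclabel_set_baselabel` copies its argument should be confirmed, since get_label's result can be overwritten by the next call.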
-- 
1.8.3.1



