[libvirt PATCH] run: add ability to set selinux context

Jonathon Jongsma jjongsma at redhat.com
Tue Apr 25 15:40:45 UTC 2023 

On 4/25/23 9:43 AM, Jonathon Jongsma wrote:
> On 4/25/23 8:11 AM, Erik Skultety wrote:
>> On Mon, Apr 24, 2023 at 03:50:48PM -0500, Jonathon Jongsma wrote:
>>> When running libvirt from the build directory with the 'run' script, it
>>> will run as unconfined_t. This can result in unexpected behavior when
>>> selinux is enforcing due to the fact that the selinux policies are
>>> written assuming that libvirt is running with the
>>> system_u:system_r:virtd_t context. This patch adds a new --selinux
>>> option to the run script. When this option is specified, it will launch
>>> the specified binary using the 'runcon' utility to set its selinux
>>> context to the one mentioned above. Since this requires root privileges,
>>> setting the selinux context is not the default behavior and must be
>>> enabled with the command line switch.
>>
>> A fiddled with writing custom selinux transition rules to achieve the 
>> same
>> thing a couple years back, but never finished it. No wonder, this is a 
>> much
>> cleaner approach.
>> I will only comment on the Python side of things, leaving the overall 
>> approach
>> and idea commenting to someone else.
>>
>>>
>>> Signed-off-by: Jonathon Jongsma <jjongsma at redhat.com>
>>> ---
>>>   run.in | 56 ++++++++++++++++++++++++++++++++++++++++++++++++++------
>>>   1 file changed, 50 insertions(+), 6 deletions(-)
>>>
>>> diff --git a/run.in b/run.in
>>> index c6d3411082..4aa458b791 100644
>>> --- a/run.in
>>> +++ b/run.in
>>> @@ -40,6 +40,7 @@
>>>   #
>>>   # 
>>> ----------------------------------------------------------------------
>>> +import argparse
>>>   import os
>>>   import os.path
>>>   import random
>>> @@ -59,15 +60,20 @@ def prepend(env, varname, extradir):
>>>   here = "@abs_builddir@"
>>> -if len(sys.argv) < 2:
>>> -    print("syntax: %s BINARY [ARGS...]" % sys.argv[0], file=sys.stderr)
>>
>> Since you decided to use argparse (yes please), we can drop ^this if we
>> properly set the arguments with argparse, it'll even generate the help 
>> for us.
>> This way it looks only like a partial solution. Argparse has great
>> documentation so you can just take one of the examples they list.
> 
> Yeah, I probably should have commented on why I used this 'partial' 
> approach. I tried a few different ways, including adding a positional 
> argument to argparse that would capture the target executable and its 
> arguments like so:
> 
> argsparse.add_argument("args",
>              nargs="+")
> 
> and then parsing with parser.parse_args() rather than 
> parse_known_args(). But that prevented me from passing arguments to the 
> target binary without inserting a '--' in to indicate that the run 
> script should stop parsing:
> 
> Fails:
> # ./_build/run --selinux ./_build/src/libvirtd --verbose
> usage: run [--selinux] args [args ...]
> run: error: unrecognized arguments: --verbose
> 
> Works:
> # ./_build/run --selinux -- ./_build/src/libvirtd --verbose
> 2023-04-25 14:26:32.175+0000: 1530463: info : libvirt version: 9.3.0
> ...
> 
> That seemed annoying to me.
> 
> Maybe we could keep using parse_known_args() with the 'args' argument 
> defined above, but I have a vague recollection that this caused some 
> other undesirable behavior so I switched back to the version I 
> submitted. I'll try to refresh my memory.

So here's one case that becomes more annoying when using the above setup 
(the new 'args' catchall argument combined with parse_known_args()):

./run gdb -- libvirtd --verbose
gdb: unrecognized option '--verbose'

the ./run script eats the '--' that should go to gdb, so gdb tries to 
interpret the --verbose option rather than passing it on to libvirtd.

>>
>>> +parser = argparse.ArgumentParser(add_help=False)
>>
>> Why don't we want the automatic help?
> 
> Because then the run script would intercept the --help option and 
> prevent us from passing it to e.g. libvirt or virsh. Maybe that's not 
> something that we really care about, but I made the choice to pass as 
> much through to the executable as possible.
> 
>>
>>> +parser.add_argument('--selinux',
>>> +                    action='store_true',
>>> +                    help='Run in the appropriate selinux context')
>>> +
>>> +opts, args = parser.parse_known_args()
>>
>> If you want to use ^this, then you need to be aware of prefix matching 
>> on the
>> options recognized by Argparse. IOW if one is to pass <args> to the 
>> <binary>
>> then none of the <args> can be a prefix of any of the long options 
>> argeparse
>> knows about (in this case --selinux), otherwise it'll consume it. Altough
>> unlikely, we should stay on the safe side and use:
>>      argparse.ArgumentParser(..., allow_abbrev=False) [1]
>>
>> [2] 
>> https://docs.python.org/3.11/library/argparse.html?highlight=argparse#allow-abbrev
> 
> ok, I wasn't aware of that option.
> 
>>
>>> +
>>> +if len(args) < 1:
>>> +    print("syntax: %s [--selinux] BINARY [ARGS...]" % sys.argv[0], 
>>> file=sys.stderr)
>>>       sys.exit(1)
>>
>> Same here, with argparse ^this is not needed if the args/options are 
>> defined
>> correctly.
>>
>>> -prog = sys.argv[1]
>>> -args = sys.argv[1:]
>>> +prog = args[0]
>>
>> argparse's parser obj has a 'prog' attribute [2].
>>
>> [2] https://docs.python.org/3/library/argparse.html#prog
> 
> I think that's the wrong 'prog' though. That would give me the './run' 
> script, whereas I want the 'libvirtd' program (or whatever) that the 
> user wants to execute.
> 
> 
>> The rest looks good from Python POV, but like I said, although I'm up 
>> for this
>> idea, I'll let someone else comment on that.
>>
>> Regards,
>> Erik
>>
>

More information about the libvir-list mailing list