[Libguestfs] selinux question and answer

[Daniel J Walsh]

On 08/12/2009 03:42 PM, Eric Paris wrote:
> On Wed, 2009-08-12 at 14:41 -0400, Daniel J Walsh wrote:
>> On 08/12/2009 10:30 AM, Matthew Booth wrote:
>>> On 12/08/09 15:01, Eric Paris wrote:
>>>> setexecon() takes an selinux context and then anything you exec after
>>>> the call will be run in the given domain.  So we suggest calling (pseudo
>>>> code).
>>>>
>>>> mount /selinux
>>>> call load_policy
>>>> call setexeccon(unconfined_t)
>>>> do everything in a shell from here on out.
>>>
>>> I've just been running some tests, and on the face of it we don't need
>>> to worry about process contexts.
>>>
>>>> <fs> sh "mount -t selinuxfs none /selinux"
>>>> <fs> sh "/usr/sbin/load_policy"
>>>> <fs> sh "id -Z"
>>> system_u:system_r:kernel_t:s0
>>>
>>>> <fs> sh "rpm -ivh /mnt/xorg_x11.rpm"
>>> Preparing... ##################################################
>>> xorg-x11-xauth ##################################################
>>>
>>>> <fs> sh "ls -Z /usr/bin/xauth"
>>> -rwxr-xr-x  root root system_u:object_r:xauth_exec_t:s0 /usr/bin/xauth
>>>
>>> So here rpm has installed xorg-x11-xauth, and /usr/bin/xauth has
>>> correctly obtained its custom label.
>>>
>>> Also:
>>> * creating a file in a random directory seems to pick up the label of
>>> the parent directory.
>>> * usermod can change a password without breaking /etc/shadow
>>>
>>> This covers everything we want to do so far. The guest in this case is
>>> RHEL 5. What are we risking if we don't try to be clever with process
>>> contexts?
>>>
>>> Thanks,
>>>
>>> Matt
>> I think executing 
>>
>> F11, F12, F..., RHEL6 ...
>> setcon("unconfined_u:unconfined_r:unconfined_t:s0")
>>
>> RHEL5
>> setcon("user_u:system_r:unconfined_t:s0")
> 
> wouldn't "system_u:object_r:unconfined_t:s0" work just as well and it
> would work RHEL4-rawhide?  No need to know anything about the guest?
> 
> object_r having that black magic noone seems to talk about....
> 
> -Eric
> 
You could try it out.