[Libguestfs] selinux question and answer

Matthew Booth mbooth at redhat.com
Thu Aug 13 09:50:24 UTC 2009


On 13/08/09 10:31, Richard W.M. Jones wrote:
>> Ok. We have a use case (/etc/mtab) which would be broken without this.
>> I'd go ahead and add it.
>>
>> I'm inclined to try setcon to an ordered list of targets, stopping when
>> one works. So far, I think we've got:
>>
>> 1. unconfined_u:unconfined_r:unconfined_t:s0
>> 2. user_u:system_r:unconfined_t:s0
>> 3. system_u:object_r:unconfined_t:s0
>>
>> sysadm_t was mentioned on our call yesterday as being the root login
>> domain for an MLS policy. What's a good set for MLS?
>
> I'm not even sure what "MLS" is.
>
> Anyway, isn't there a way to get this from the /etc/selinux
> configuration of the guest?  For example on a Fedora 10 machine I see:
>
> $ cat /etc/selinux/targeted/contexts/default_type
> auditadm_r:auditadm_t
> secadm_r:secadm_t
> sysadm_r:sysadm_t
> staff_r:staff_t
> unconfined_r:unconfined_t
> user_r:user_t
>
> $ cat /etc/selinux/targeted/contexts/default_contexts
> system_r:crond_t:s0        system_r:system_crond_t:s0
> system_r:local_login_t:s0  user_r:user_t:s0
> system_r:remote_login_t:s0 user_r:user_t:s0
> system_r:sshd_t:s0         user_r:user_t:s0
> system_r:sulogin_t:s0      sysadm_r:sysadm_t:s0
> system_r:xdm_t:s0          user_r:user_t:s0

I just looked at the contents of these files for the minimum and mls 
policies on F11, and they're all (nearly) identical. I'm not sure we can 
use these to distinguish.

Matt
-- 
Matthew Booth, RHCA, RHCSS
Red Hat Engineering, Virtualisation Team

M:       +44 (0)7977 267231
GPG ID:  D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490
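
Added example, not part of the original thread or of libguestfs: a sketch of the "try setcon on an ordered list of targets, stopping when one works" idea quoted above. The setter is passed in as a function pointer modelled on libselinux's setcon() so the logic runs without SELinux; the fake_setcon_* functions are constructed stand-ins for a guest policy, and all function names here are hypothetical.

```c
#include <stddef.h>
#include <string.h>

/* Same contract as libselinux setcon(3): 0 on success, -1 on failure. */
typedef int (*setcon_fn)(const char *context);

/* Candidates from the thread, in the proposed order of preference. */
static const char *const candidates[] = {
    "unconfined_u:unconfined_r:unconfined_t:s0",
    "user_u:system_r:unconfined_t:s0",
    "system_u:object_r:unconfined_t:s0",
};
#define N_CANDIDATES (sizeof candidates / sizeof candidates[0])

/* Try each context in order and stop at the first one the loaded policy
 * accepts. Returns its index, or -1 if every candidate was rejected. */
int set_first_valid_context(setcon_fn try_setcon,
                            const char *const *list, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (try_setcon(list[i]) == 0)
            return (int)i;
    return -1;
}

/* Constructed stand-in for a guest policy: accept a context only if its
 * first field (the SELinux user) matches the one user this policy defines. */
static int policy_knows_user(const char *context, const char *user)
{
    size_t len = strlen(user);
    return (strncmp(context, user, len) == 0 && context[len] == ':') ? 0 : -1;
}

int fake_setcon_unconfined_u(const char *c) { return policy_knows_user(c, "unconfined_u"); }
int fake_setcon_user_u(const char *c)       { return policy_knows_user(c, "user_u"); }
int fake_setcon_none(const char *c)         { (void)c; return -1; }

int main(void)
{
    /* A policy that only defines user_u rejects entry 0 and accepts entry 1. */
    int idx = set_first_valid_context(fake_setcon_user_u, candidates, N_CANDIDATES);
    return idx == 1 ? 0 : 1;
}
```

A caller should treat a return of -1 as "no candidate matched this guest's policy" and report it rather than continue unlabelled.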
