[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

[Libguestfs] selinux question and answer



This is continuing/summarising a rather long discussion that happened
on IRC ...

We talked to some SELinux experts about what was required to make
SELinux work with libguestfs, and it seems reasonably simple to load
the policy from the guest filesystem.

All that needs to be done is to mount the guest disks up and then run:

  sh "/usr/sbin/load_policy -i"

That command also mounts up <sysroot>/selinux, so that solves the
other problem they raised.

I wasn't completely sure how to test this was actually working.  My
best effort was to try to run some commands that would label files.
This is using a fresh Fedora 11 install that has SELinux enforcing on
it:

  guestfish -a /dev/mapper/vg_trick-F11x64 --ro \
    run : mount /dev/vg_f11x64/lv_root / : \
    sh "/usr/sbin/load_policy -i" : \
    sh "ls -lZ /etc/passwd"
  -rw-r--r--. root root system_u:object_r:etc_t:s0       /etc/passwd

  guestfish -a /dev/mapper/vg_trick-F11x64 --ro \
    run : mount /dev/vg_f11x64/lv_root / : \
    sh "/usr/sbin/load_policy -i" : \
    sh "chcon user_u:object_r:file_t /etc/passwd" : \
    sh "ls -lZ /etc/passwd"
  -rw-r--r--. root root user_u:object_r:file_t           /etc/passwd

So it seems that relabelling files (using chcon) works.  Whether
this means everything will work, I don't know.

You will also get a warning when guestfish exits at the moment:

libguestfs: error: umount: /sysroot: umount: /sysroot: device is busy.
        (In some cases useful info about processes that use
         the device is found by lsof(8) or fuser(1))

This happens because the load_policy command is mounting
/sysroot/selinux and thus preventing /sysroot from being unmounted
during the automatic shutdown phase at the end.

[Note: The attached patch is also required, because at the moment we
are booting the kernel with selinux=0 for other reasons.  This should
be made configurable].

Rich.

-- 
Richard Jones, Emerging Technologies, Red Hat  http://et.redhat.com/~rjones
virt-df lists disk usage of guests without needing to install any
software inside the virtual machine.  Supports Linux and Windows.
http://et.redhat.com/~rjones/virt-df/
diff --git a/src/guestfs.c b/src/guestfs.c
index 9560aec..d1b12c0 100644
--- a/src/guestfs.c
+++ b/src/guestfs.c
@@ -1047,8 +1047,7 @@ guestfs_launch (guestfs_h *g)
     "udevtimeout=300 " /* good for very slow systems (RHBZ#480319) */	\
     "noapic "          /* workaround for RHBZ#502058 - ok if not SMP */ \
     "acpi=off "        /* we don't need ACPI, turn it off */		\
-    "cgroup_disable=memory " /* saves us about 5 MB of RAM */           \
-    "selinux=0 "       /* SELinux is messed up if there's no policy */
+    "cgroup_disable=memory " /* saves us about 5 MB of RAM */
 
     /* Linux kernel command line. */
     snprintf (append, sizeof append,

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]