[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [Libguestfs] selinux question and answer



On Wed, Aug 12, 2009 at 10:01:39AM -0400, Eric Paris wrote:
> On Wed, 2009-08-12 at 14:40 +0100, Richard W.M. Jones wrote:
> > After a bit of an epic struggle with a RHEL 5 guest, and thanks to
> > (3) We must run every external command (eg. "rpm") via the shell, so
> > in libguestfs using "sh", never "command".
> 
> Correct.  There is another (maybe harder?) option.  If you want to still
> be able to run things directly from your daemon you'll need to get the
> daemon labeled unconfined_t.  This would mean calling setexecon() and
> then re-execing the daemon.

We were just talking about this, and in fact this may be possible
for us to do relatively easily.

Question: can we use setexeccon before any policy has been
loaded?  Does it need /selinux?  (I'm guessing no, yes).

> You will need enforcing=0.  Dan just checked and none of our shipping
> policies would allow the kernel->unconfined transition we want you to
> use (normal systems all go kernel->init_t->unconfined_t, and you don't
> want to do all that)

Right, that's no problem.

> As future work instead of hard coding  system_u:object_r:unconfined_t:s0
> in the setexeccon() call, we should check out what the guest defines as
> the correct defualt context for the root user.  I'm sure dan could walk
> you through that, but it's a future enhancement, as there very few
> people who change this.

OK, thanks - you've been a great help in helping us to understand
all this.

Rich.

-- 
Richard Jones, Emerging Technologies, Red Hat  http://et.redhat.com/~rjones
New in Fedora 11: Fedora Windows cross-compiler. Compile Windows
programs, test, and build Windows installers. Over 70 libraries supprt'd
http://fedoraproject.org/wiki/MinGW http://www.annexia.org/fedora_mingw


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]