[Libguestfs] selinux question and answer
Richard W.M. Jones
rjones at redhat.com
Wed Aug 12 14:07:22 UTC 2009
On Wed, Aug 12, 2009 at 10:01:39AM -0400, Eric Paris wrote:
> On Wed, 2009-08-12 at 14:40 +0100, Richard W.M. Jones wrote:
> > After a bit of an epic struggle with a RHEL 5 guest, and thanks to
> > (3) We must run every external command (eg. "rpm") via the shell, so
> > in libguestfs using "sh", never "command".
>
> Correct. There is another (maybe harder?) option. If you want to still
> be able to run things directly from your daemon you'll need to get the
> daemon labeled unconfined_t. This would mean calling setexecon() and
> then re-execing the daemon.
We were just talking about this, and in fact this may be possible
for us to do relatively easily.
Question: can we use setexeccon before any policy has been
loaded? Does it need /selinux? (I'm guessing no, yes).
> You will need enforcing=0. Dan just checked and none of our shipping
> policies would allow the kernel->unconfined transition we want you to
> use (normal systems all go kernel->init_t->unconfined_t, and you don't
> want to do all that)
Right, that's no problem.
> As future work instead of hard coding system_u:object_r:unconfined_t:s0
> in the setexeccon() call, we should check out what the guest defines as
> the correct default context for the root user. I'm sure dan could walk
> you through that, but it's a future enhancement, as there are very few
> people who change this.
OK, thanks - you've been a great help in helping us to understand
all this.
Rich.
--
Richard Jones, Emerging Technologies, Red Hat http://et.redhat.com/~rjones
New in Fedora 11: Fedora Windows cross-compiler. Compile Windows
programs, test, and build Windows installers. Over 70 libraries supprt'd
http://fedoraproject.org/wiki/MinGW http://www.annexia.org/fedora_mingw
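The relabel-and-re-exec step Eric describes, written out as an added example (this is not libguestfs daemon code and not from the thread). It assumes a Linux /proc with the SELinux attribute files, writes the target context to /proc/self/attr/exec directly (which is what libselinux's setexeccon() does underneath, so no libselinux link is needed), hard-codes system_u:object_r:unconfined_t:s0 exactly as the thread does, and uses an assumed environment variable name as a guard so that a transition the loaded policy refuses cannot re-exec forever. Whether the kernel honours the write before any policy is loaded is the open question in the thread; the code simply makes one attempt and carries on if it fails.

```c
/* Added example: relabel the running daemon by setting the exec
 * context and re-executing itself.  Assumes Linux + SELinux /proc
 * attribute files; enforcing=0 is still needed, as the thread notes. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hard-coded as in the thread; deriving it from the guest's policy
 * is the future work Eric mentions. */
#define WANTED_CONTEXT "system_u:object_r:unconfined_t:s0"
#define REEXEC_GUARD_ENV "RELABEL_REEXECED"   /* assumed name */

/* Copy the type field (third colon-separated component) of an SELinux
 * context into 'out'.  Returns -1 if there is no type field, e.g. the
 * bare "kernel" label a process carries before a policy is loaded. */
static int context_type(const char *ctx, char *out, size_t outlen)
{
    const char *p = ctx;
    for (int i = 0; i < 2; i++) {
        p = strchr(p, ':');
        if (!p) return -1;
        p++;
    }
    size_t n = strcspn(p, ":\n");
    if (n == 0 || n >= outlen) return -1;
    memcpy(out, p, n);
    out[n] = '\0';
    return 0;
}

/* 1 if the current context's type differs from wanted_type (or cannot
 * be parsed at all), 0 if the process is already labelled as wanted. */
static int needs_reexec(const char *current_ctx, const char *wanted_type)
{
    char type[64];
    if (context_type(current_ctx, type, sizeof type) != 0)
        return 1;
    return strcmp(type, wanted_type) != 0;
}

/* Read /proc/self/attr/current into buf; -1 if SELinux attributes are
 * unavailable (no SELinux, or /proc not mounted). */
static int read_current_context(char *buf, size_t buflen)
{
    int fd = open("/proc/self/attr/current", O_RDONLY);
    if (fd < 0) return -1;
    ssize_t n = read(fd, buf, buflen - 1);
    close(fd);
    if (n <= 0) return -1;
    buf[n] = '\0';
    buf[strcspn(buf, "\n")] = '\0';
    return 0;
}

/* Same effect as libselinux setexeccon(): tell the kernel which
 * context to apply to this process's next execve(). */
static int set_exec_context(const char *ctx)
{
    int fd = open("/proc/self/attr/exec", O_WRONLY);
    if (fd < 0) return -1;
    ssize_t n = write(fd, ctx, strlen(ctx));
    int saved = errno;
    close(fd);
    errno = saved;
    return n == (ssize_t)strlen(ctx) ? 0 : -1;
}

/* One guarded relabel attempt.  Returns only if no re-exec is needed,
 * SELinux is absent, this is already the second pass, or exec failed. */
static void relabel_if_needed(char **argv)
{
    char current[256], wanted_type[64];
    if (getenv(REEXEC_GUARD_ENV))
        return;                      /* already re-execed once */
    if (read_current_context(current, sizeof current) != 0)
        return;                      /* no SELinux: run as-is */
    context_type(WANTED_CONTEXT, wanted_type, sizeof wanted_type);
    if (!needs_reexec(current, wanted_type))
        return;
    if (set_exec_context(WANTED_CONTEXT) != 0) {
        perror("set_exec_context");
        return;
    }
    setenv(REEXEC_GUARD_ENV, "1", 1);
    execv("/proc/self/exe", argv);
    perror("execv");                 /* only reached if exec failed */
}

int main(int argc, char **argv)
{
    (void)argc;
    relabel_if_needed(argv);
    char ctx[256];
    if (read_current_context(ctx, sizeof ctx) == 0)
        printf("running as %s\n", ctx);
    else
        printf("SELinux attributes unavailable\n");
    return 0;
}
```

The guard variable matters more than it looks: if the policy denies the kernel to unconfined transition, the exec still succeeds but lands in the old label, and without the guard the daemon would relabel and re-exec in a loop.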