[Libguestfs] selinux question and answer
Matthew Booth
mbooth at redhat.com
Wed Aug 12 14:30:14 UTC 2009
On 12/08/09 15:01, Eric Paris wrote:
> setexecon() takes an selinux context and then anything you exec after
> the call will be run in the given domain. So we suggest calling (pseudo
> code).
>
> mount /selinux
> call load_policy
> call setexeccon(unconfined_t)
> do everything in a shell from here on out.
I've just been running some tests, and on the face of it we don't need
to worry about process contexts.
><fs> sh "mount -t selinuxfs none /selinux"
><fs> sh "/usr/sbin/load_policy"
><fs> sh "id -Z"
system_u:system_r:kernel_t:s0
><fs> sh "rpm -ivh /mnt/xorg_x11.rpm"
Preparing...
##################################################
xorg-x11-xauth
##################################################
><fs> sh "ls -Z /usr/bin/xauth"
-rwxr-xr-x root root system_u:object_r:xauth_exec_t:s0 /usr/bin/xauth
So here rpm has installed xorg-x11-xauth, and /usr/bin/xauth has
correctly obtained its custom label.
Also:
* creating a file in a random directory seems to pick up the label of
the parent directory.
* usermod can change a password without breaking /etc/shadow
This covers everything we want to do so far. The guest in this case is
RHEL 5. What are we risking if we don't try to be clever with process
contexts?
Thanks,
Matt
--
Matthew Booth, RHCA, RHCSS
Red Hat Engineering, Virtualisation Team
M: +44 (0)7977 267231
GPG ID: D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490
More information about the Libguestfs
mailing list