[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [Libguestfs] selinux question and answer



On Wed, 2009-08-12 at 15:24 +0100, Richard W.M. Jones wrote:
> On Wed, Aug 12, 2009 at 10:13:25AM -0400, Eric Paris wrote:
> > On Wed, 2009-08-12 at 15:07 +0100, Richard W.M. Jones wrote:
> > > On Wed, Aug 12, 2009 at 10:01:39AM -0400, Eric Paris wrote:
> > > > On Wed, 2009-08-12 at 14:40 +0100, Richard W.M. Jones wrote:
> > > > > After a bit of an epic struggle with a RHEL 5 guest, and thanks to
> > > > > (3) We must run every external command (eg. "rpm") via the shell, so
> > > > > in libguestfs using "sh", never "command".
> > > > 
> > > > Correct.  There is another (maybe harder?) option.  If you want to still
> > > > be able to run things directly from your daemon you'll need to get the
> > > > daemon labeled unconfined_t.  This would mean calling setexecon() and
> > > > then re-execing the daemon.
> > > 
> > > We were just talking about this, and in fact this may be possible
> > > for us to do relatively easily.
> > > 
> > > Question: can we use setexeccon before any policy has been
> > > loaded?  Does it need /selinux?  (I'm guessing no, yes).
> > 
> > Policy must be loaded.  /selinux must be mounted somewhere.  (libselinux
> > is smart enough to find it even if it isn't mounted at /selinux)
> 
> Matt, I think what we need to do here to make this work:

Sorry, you need to have called load_policy before you can call
setexeccon.

(1) mount guest chroot
(2) mount /selinux inside guest chroot
(3) load_policy inside chroot
(4) setexeccon()
(5) *possible relaunch your init daemon*
(6) users can run/do anything they want.

> (1) Mount /selinux during *appliance* boot, so it's mounted in
> the appliance.
> 
> (2) In the /init script, we can exec the daemon with correct label.
> 
> It'll have to be "unconfined_t" however, since at this point we won't
> be able to work out the correct label to use.  Hopefully this doesn't
> matter in any practical situation.
> 
> (3) Bind-mount /selinux into the guest chroot as we currently do for
> /proc, /sys etc.
> 
> (4) Have an API call to load policy once the guest is mounted.
> 
> The above should mean the daemon is labelled correctly, so most of the
> API is covered by SELinux.
> 
> Rich.
> 



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]