
[Libguestfs] [PATCH] Add 'setcon', 'getcon' commands to set and get the SELinux context



These commands let you set and get the SELinux context of the daemon,
and therefore of every operation performed through the API and every
process spawned by the daemon:

  $ ./fish/guestfish --ro -a /dev/mapper/vg_trick-F11x64 \
    selinux 1 : \
    run : \
    mount /dev/vg_f11x64/lv_root / : \
    sh "/usr/sbin/load_policy" : \
    getcon : \
    setcon "system_u:system_r:unconfined_t:s0" : \
    getcon
  
  system_u:system_r:kernel_t:s0
  system_u:system_r:unconfined_t:s0

Rich.

-- 
Richard Jones, Emerging Technologies, Red Hat  http://et.redhat.com/~rjones
virt-df lists disk usage of guests without needing to install any
software inside the virtual machine.  Supports Linux and Windows.
http://et.redhat.com/~rjones/virt-df/
>From 4633bff07a20ba4a7e2278fa13f400971bdfdaf5 Mon Sep 17 00:00:00 2001
From: Richard Jones <rjones trick home annexia org>
Date: Wed, 12 Aug 2009 16:56:09 +0100
Subject: [PATCH] Add 'setcon', 'getcon' commands to set and get the SELinux context.

---
 appliance/packagelist.in |    1 +
 daemon/Makefile.am       |    1 +
 daemon/configure.ac      |   11 ++++++
 daemon/selinux.c         |   81 ++++++++++++++++++++++++++++++++++++++++++++++
 po/POTFILES.in           |    1 +
 src/MAX_PROC_NR          |    2 +-
 src/generator.ml         |   18 ++++++++++
 7 files changed, 114 insertions(+), 1 deletions(-)
 create mode 100644 daemon/selinux.c

diff --git a/appliance/packagelist.in b/appliance/packagelist.in
index be45fc4..abcd429 100644
--- a/appliance/packagelist.in
+++ b/appliance/packagelist.in
@@ -15,6 +15,7 @@
   MAKEDEV
   ntfsprogs
   scrub
+  libselinux
   udev
   util-linux-ng
 #elif DEBIAN == 1
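Review bot: The `libselinux` runtime package is added only to the branch that ends at `#elif DEBIAN == 1`, so a Debian-based appliance would not carry the shared library that a daemon built with HAVE_LIBSELINUX links against, and the daemon would presumably fail to load rather than report "not available". The Debian branch is outside this hunk; it likely needs the equivalent package (`libselinux1`) added in the same way, or the cover letter should state that the feature is Fedora-only for now.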
diff --git a/daemon/Makefile.am b/daemon/Makefile.am
index 43cc752..9406944 100644
--- a/daemon/Makefile.am
+++ b/daemon/Makefile.am
@@ -61,6 +61,7 @@ guestfsd_SOURCES = \
 	readdir.c \
 	realpath.c \
 	scrub.c \
+	selinux.c \
 	sfdisk.c \
 	sleep.c \
 	stat.c \
diff --git a/daemon/configure.ac b/daemon/configure.ac
index 43e331b..62c28ee 100644
--- a/daemon/configure.ac
+++ b/daemon/configure.ac
@@ -64,6 +64,17 @@ if test "x$have_augeas" = "xyes"; then
         AC_DEFINE([HAVE_AUGEAS],[1],[Define to 1 if you have Augeas])
 fi
 
+dnl Check for libselinux (optional).
+AC_CHECK_HEADERS([selinux/selinux.h])
+AC_CHECK_LIB([selinux],[setexeccon],[
+        LIBS="-lselinux $LIBS"
+	have_libselinux="$ac_cv_header_selinux_selinux_h"
+        AC_CHECK_FUNCS([setcon getcon])
+        ],[have_libselinux=no])
+if test "x$have_libselinux" = "xyes"; then
+        AC_DEFINE([HAVE_LIBSELINUX],[1],[Define to 1 if you have libselinux])
+fi
+
 dnl Check for XDR library.
 AC_CHECK_LIB([portablexdr],[xdrmem_create],[],[
         AC_SEARCH_LIBS([xdrmem_create],[rpc xdr nsl])
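Review bot: The new check adds `-lselinux` to LIBS as soon as the library links, before `have_libselinux` is derived from the header result, so a system with the library but no `selinux/selinux.h` ends up linking against libselinux while HAVE_LIBSELINUX stays undefined; testing the header first and only then probing the library keeps LIBS clean, e.g. `if test "x$ac_cv_header_selinux_selinux_h" = "xyes"; then AC_CHECK_LIB([selinux],[setexeccon],[LIBS="-lselinux $LIBS"; have_libselinux=yes; AC_CHECK_FUNCS([setcon getcon])],[have_libselinux=no]); fi`. The block also mixes a tab (the `have_libselinux=` line) with the eight-space indent used everywhere else in this file. The daemon code calls `freecon` as well; it ships with every libselinux that has `getcon`, but listing it in AC_CHECK_FUNCS would make the dependency explicit.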
diff --git a/daemon/selinux.c b/daemon/selinux.c
new file mode 100644
index 0000000..6e2b347
--- /dev/null
+++ b/daemon/selinux.c
@@ -0,0 +1,81 @@
+/* libguestfs - the guestfsd daemon
+ * Copyright (C) 2009 Red Hat Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+ */
+
+#include <config.h>
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#ifdef HAVE_SELINUX_SELINUX_H
+#include <selinux/selinux.h>
+#endif
+
+#include "../src/guestfs_protocol.h"
+#include "daemon.h"
+#include "actions.h"
+
+#ifdef HAVE_LIBSELINUX
+
+/* setcon is only valid under the following circumstances:
+ * - single threaded
+ * - enforcing=0
+ */
+int
+do_setcon (char *context)
+{
+#ifdef HAVE_SETCON
+  if (setcon ((char *) context) == -1) {
+    reply_with_perror ("setcon");
+    return -1;
+  }
+
+  return 0;
+#else
+  reply_with_error ("%s is not available", __func__);
+  return -1;
+#endif
+}
+
+char *
+do_getcon (void)
+{
+#ifdef HAVE_GETCON
+  security_context_t context;
+  char *r;
+
+  if (getcon (&context) == -1) {
+    reply_with_perror ("getcon");
+    return NULL;
+  }
+
+  r = strdup (context);
+  freecon (context);
+  if (r == NULL) {
+    reply_with_perror ("strdup");
+    return NULL;
+  }
+
+  return r;                     /* caller frees */
+#else
+  reply_with_error ("%s is not available", __func__);
+  return -1;
+#endif
+}
+
+#endif /* HAVE_LIBSELINUX */
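Review bot: In the `#else` branch of `do_getcon` the fallback ends with `return -1;` from a function declared `char *`; it should be `return NULL;` to match the error convention used by the `getcon` failure path just above it. More importantly, the whole file is wrapped in `#ifdef HAVE_LIBSELINUX`, so when libselinux is absent neither `do_setcon` nor `do_getcon` is defined at all, and the inner `#ifdef HAVE_SETCON`/`HAVE_GETCON` "not available" fallbacks can never be reached; since the generator registers both actions unconditionally, the generated daemon stubs (not in this patch) presumably reference these symbols and the build would fail to link without libselinux. Dropping the outer guard and making the inner conditionals `#if defined(HAVE_LIBSELINUX) && defined(HAVE_SETCON)` (and the same for getcon) keeps the fallbacks live. The `(char *) context` cast in `do_setcon` is redundant, `context` already has that type. The header comment's preconditions (single-threaded, enforcing=0) are not checked in code and are worth surfacing in the public API documentation so callers know `setcon` is expected to fail with EPERM under an enforcing policy unless the policy explicitly permits the transition.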
diff --git a/po/POTFILES.in b/po/POTFILES.in
index 382cd3a..79a2856 100644
--- a/po/POTFILES.in
+++ b/po/POTFILES.in
@@ -37,6 +37,7 @@ daemon/proto.c
 daemon/readdir.c
 daemon/realpath.c
 daemon/scrub.c
+daemon/selinux.c
 daemon/sfdisk.c
 daemon/sleep.c
 daemon/stat.c
diff --git a/src/MAX_PROC_NR b/src/MAX_PROC_NR
index dc37bbd..bc3d544 100644
--- a/src/MAX_PROC_NR
+++ b/src/MAX_PROC_NR
@@ -1 +1 @@
-184
+186
diff --git a/src/generator.ml b/src/generator.ml
index 0bd9924..e6d1a84 100755
--- a/src/generator.ml
+++ b/src/generator.ml
@@ -3427,6 +3427,24 @@ This closes the inotify handle which was previously
 opened by inotify_init.  It removes all watches, throws
 away any pending events, and deallocates all resources.");
 
+  ("setcon", (RErr, [String "context"]), 185, [],
+   [],
+   "set SELinux security context",
+   "\
+This sets the SELinux security context of the daemon
+to the string C<context>.
+
+See the documentation about SELINUX in L<guestfs(3)>.");
+
+  ("getcon", (RString "context", []), 186, [],
+   [],
+   "get SELinux security context",
+   "\
+This gets the SELinux security context of the daemon.
+
+See the documentation about SELINUX in L<guestfs(3)>,
+and C<guestfs_setcon>");
+
 ]
 
 let all_functions = non_daemon_functions @ daemon_functions
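Review bot: The long description of `setcon` omits the preconditions the daemon source records for it and the failure modes a caller needs to plan for. Suggested text after the first sentence: "The call only succeeds when the daemon is single-threaded and the loaded policy permits the transition (in practice, with SELinux in permissive mode); under an enforcing policy it returns an error. A guest policy must have been loaded first, for example by running C<load_policy> from the guest. If libguestfs was built without libselinux, both C<guestfs_setcon> and C<guestfs_getcon> fail with a 'not available' error." The `getcon` entry should likewise say that the returned string is the context of the daemon process, not of any guest file, and that it is freed by the caller. Both entries carry an empty tests list; a test that calls `getcon` after `selinux 1` would at least exercise the plumbing on SELinux-capable hosts.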
-- 
1.6.2.5

