[Libguestfs] [PATCH 4/7] launch: libvirt: Allow the SELinux label to be set on qcow2 overlay files.

Thu Feb 28 14:24:30 UTC 2013

On Thu, Feb 28, 2013 at 02:14:42PM +0000, Matthew Booth wrote:
> On Thu, 2013-02-28 at 10:57 +0000, Richard W.M. Jones wrote:
> > From: "Richard W.M. Jones" <rjones at redhat.com>
> > 
> > When a disk is opened readonly, the libvirt attach-method privately
> > creates a qcow2 overlay on top.
> > 
> > This commit lets that overlay get an SELinux label, and sets it to the
> > label specified by guestfs_internal_set_libvirt_selinux_label.
> > 
> > We have to adjust the SELinux label (which is a process label) to make
> > it applicable to images.  We do this by changing the role from
> > 'system_r' to 'object_r', and the type from 'svirt_t' to 'svirt_image_t'.
> 
> The code below doesn't do this. Are you saying that the caller must set
> the process context manually?

Yes you're correct.  I've fixed the commit message to match what the
code does :-)

> > 
> > The above only applies to the libvirt attach-method.
> > ---
> >  src/launch-libvirt.c | 27 +++++++++++++++++++--------
> >  1 file changed, 19 insertions(+), 8 deletions(-)
> > 
> > diff --git a/src/launch-libvirt.c b/src/launch-libvirt.c
> > index 45950e2..5c14155 100644
> > --- a/src/launch-libvirt.c
> > +++ b/src/launch-libvirt.c
> > @@ -133,8 +133,8 @@ static int is_custom_qemu (guestfs_h *g);
> >  static int is_blk (const char *path);
> >  static int random_chars (char *ret, size_t len);
> >  static void ignore_errors (void *ignore, virErrorPtr ignore2);
> > -static char *make_qcow2_overlay (guestfs_h *g, const char *path, const char *format);
> > -static int make_qcow2_overlay_for_drive (guestfs_h *g, struct drive *drv);
> > +static char *make_qcow2_overlay (guestfs_h *g, const char *path, const char *format, bool selinux_label);
> > +static int make_qcow2_overlay_for_drive (guestfs_h *g, struct drive *drv, bool selinux_label);
> >  static void drive_free_priv (void *);
> >  static void set_socket_create_context (guestfs_h *g);
> >  static void clear_socket_create_context (guestfs_h *g);
> > @@ -235,13 +235,13 @@ launch_libvirt (guestfs_h *g, const char *libvirt_uri)
> >     * Note that appliance can be NULL if using the old-style appliance.
> >     */
> >    if (appliance) {
> > -    params.appliance_overlay = make_qcow2_overlay (g, appliance, "raw");
> > +    params.appliance_overlay = make_qcow2_overlay (g, appliance, "raw", false);
> >      if (!params.appliance_overlay)
> >        goto cleanup;
> >    }
> 
> I'm surprised the appliance image overlay doesn't require a label. If
> libvirt launches the appliance in a confined context, I wouldn't expect
> it to be able to read anything which wasn't appropriately labelled,
> which would include the image. I assume you've tested it and it works,
> but I would like to understand why this is possible.

It's because libvirt relabels the overlay (and its backing file) in
this case.  Note that we *don't* set <seclabel model=selinux relabel=no/>
on the appliance disk.

> Relabelling the appliance could get complicated wrt multiple
> appliances running simultaneously.

Right -- I suspect this is buggy actually, but it's quite hard to test
it since I need to run up lots of guests and run virt-df in parallel
on them.  Also we put <shareable/> on the appliance disk, and I'm not
sure what libvirt does in that case.

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
virt-p2v converts physical machines to virtual machines.  Boot with a
live CD or over the network (PXE) and turn machines into KVM guests.
http://libguestfs.org/virt-v2v