[Libguestfs] [PATCH 4/7] launch: libvirt: Allow the SELinux label to be set on qcow2 overlay files.
Richard W.M. Jones
rjones at redhat.com
Thu Feb 28 14:24:30 UTC 2013
On Thu, Feb 28, 2013 at 02:14:42PM +0000, Matthew Booth wrote:
> On Thu, 2013-02-28 at 10:57 +0000, Richard W.M. Jones wrote:
> > From: "Richard W.M. Jones" <rjones at redhat.com>
> >
> > When a disk is opened readonly, the libvirt attach-method privately
> > creates a qcow2 overlay on top.
> >
> > This commit lets that overlay get an SELinux label, and sets it to the
> > label specified by guestfs_internal_set_libvirt_selinux_label.
> >
> > We have to adjust the SELinux label (which is a process label) to make
> > it applicable to images. We do this by changing the role from
> > 'system_r' to 'object_r', and the type from 'svirt_t' to 'svirt_image_t'.
>
> The code below doesn't do this. Are you saying that the caller must set
> the process context manually?
Yes, you're correct. I've fixed the commit message to match what the
code does :-)
> >
> > The above only applies to the libvirt attach-method.
> > ---
> > src/launch-libvirt.c | 27 +++++++++++++++++++--------
> > 1 file changed, 19 insertions(+), 8 deletions(-)
> >
> > diff --git a/src/launch-libvirt.c b/src/launch-libvirt.c
> > index 45950e2..5c14155 100644
> > --- a/src/launch-libvirt.c
> > +++ b/src/launch-libvirt.c
> > @@ -133,8 +133,8 @@ static int is_custom_qemu (guestfs_h *g);
> > static int is_blk (const char *path);
> > static int random_chars (char *ret, size_t len);
> > static void ignore_errors (void *ignore, virErrorPtr ignore2);
> > -static char *make_qcow2_overlay (guestfs_h *g, const char *path, const char *format);
> > -static int make_qcow2_overlay_for_drive (guestfs_h *g, struct drive *drv);
> > +static char *make_qcow2_overlay (guestfs_h *g, const char *path, const char *format, bool selinux_label);
> > +static int make_qcow2_overlay_for_drive (guestfs_h *g, struct drive *drv, bool selinux_label);
> > static void drive_free_priv (void *);
> > static void set_socket_create_context (guestfs_h *g);
> > static void clear_socket_create_context (guestfs_h *g);
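Review bot: the new `bool selinux_label` parameter on `make_qcow2_overlay` and `make_qcow2_overlay_for_drive` is an opaque flag, so a bare `false` at a call site (as in the appliance case in the next hunk) says neither what is being skipped nor where the label comes from when it is `true`. Since the label is the one set by guestfs_internal_set_libvirt_selinux_label, consider passing the label string itself (NULL meaning no label) or at least naming the parameter for its effect, and state in the prototype comment that the value must already be an object label (object_r / svirt_image_t), given that the reply confirms this code does not convert the process label. Also confirm `<stdbool.h>` is included in this file, since `bool` in these prototypes now depends on it.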
> > @@ -235,13 +235,13 @@ launch_libvirt (guestfs_h *g, const char *libvirt_uri)
> > * Note that appliance can be NULL if using the old-style appliance.
> > */
> > if (appliance) {
> > - params.appliance_overlay = make_qcow2_overlay (g, appliance, "raw");
> > + params.appliance_overlay = make_qcow2_overlay (g, appliance, "raw", false);
> > if (!params.appliance_overlay)
> > goto cleanup;
> > }
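Review bot: the `false` passed for the appliance overlay carries no explanation; the comment above it only covers the NULL appliance case. Record the reason given in the reply, that libvirt relabels this overlay and its backing file because no `<seclabel model='selinux' relabel='no'/>` is set on the appliance disk, so that the next reader does not take the unlabelled appliance overlay for an oversight. The reply also says the interaction of that relabelling with several appliances running concurrently and with `<shareable/>` is untested and suspected buggy, so a TODO at this call site would be worth adding. The `if (!params.appliance_overlay) goto cleanup;` error path is unchanged and looks fine.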
>
> I'm surprised the appliance image overlay doesn't require a label. If
> libvirt launches the appliance in a confined context, I wouldn't expect
> it to be able to read anything which wasn't appropriately labelled,
> which would include the image. I assume you've tested it and it works,
> but I would like to understand why this is possible.
It's because libvirt relabels the overlay (and its backing file) in
this case. Note that we *don't* set <seclabel model=selinux relabel=no/>
on the appliance disk.
> Relabelling the appliance could get complicated wrt multiple
> appliances running simultaneously.
Right -- I suspect this is buggy actually, but it's quite hard to test
it since I need to run up lots of guests and run virt-df in parallel
on them. Also we put <shareable/> on the appliance disk, and I'm not
sure what libvirt does in that case.
Rich.
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
virt-p2v converts physical machines to virtual machines. Boot with a
live CD or over the network (PXE) and turn machines into KVM guests.
http://libguestfs.org/virt-v2v
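The conversion described in the commit message (role system_r to object_r, type svirt_t to svirt_image_t) is, per the reply, something the caller rather than this patch has to perform. The following is an added C example of how a caller could derive the image label from the process label; it is not libguestfs code and not part of the original thread. It assumes the standard user:role:type[:range] context layout and only the single type mapping named in the message (svirt_t to svirt_image_t); any other type is rejected rather than guessed. The per-guest MLS categories (for example s0:c57,c948, which themselves contain a ':') are what keep one guest's disks unreadable by another, so the example copies that part of the label verbatim and offers a check that it survived.

```c
/*
 * Derive the SELinux label for a disk image overlay from the label of the
 * confined (sVirt) process that will use it.
 *
 * Example code, not libguestfs code.  Assumptions: contexts have the form
 * user:role:type[:range]; the range may itself contain ':' so only the first
 * three fields are split on ':' and the rest is carried over unchanged; the
 * only known type mapping is svirt_t -> svirt_image_t (the one in the commit
 * message), anything else is rejected.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define IMAGE_ROLE "object_r"   /* file labels always carry the object role */

/* Process-type -> image-type pairs.  Assumption: only the pair on the page. */
static const struct { const char *process_type, *image_type; } type_map[] = {
  { "svirt_t", "svirt_image_t" },
};

/* Returns a malloc'd image label, or NULL if the input is not a usable
 * process label.  The caller frees the result. */
char *process_label_to_image_label (const char *proc_label)
{
  if (!proc_label) return NULL;

  const char *user = proc_label;
  const char *role = strchr (user, ':');
  if (!role) return NULL;
  role++;
  const char *type = strchr (role, ':');
  if (!type) return NULL;
  type++;
  const char *range = strchr (type, ':');   /* NULL on a non-MLS policy */

  size_t user_len = (size_t) (role - user - 1);
  size_t role_len = (size_t) (type - role - 1);
  size_t type_len = range ? (size_t) (range - type) : strlen (type);
  if (user_len == 0 || role_len == 0 || type_len == 0) return NULL;
  if (range && range[1] == '\0') return NULL;   /* trailing ':' with no range */

  const char *image_type = NULL;
  for (size_t i = 0; i < sizeof type_map / sizeof type_map[0]; i++) {
    if (strlen (type_map[i].process_type) == type_len &&
        strncmp (type_map[i].process_type, type, type_len) == 0) {
      image_type = type_map[i].image_type;
      break;
    }
  }
  if (!image_type) return NULL;   /* not a type this example knows how to map */

  /* user + ':' + role + ':' + type + (':' + range, already in `range`) + NUL */
  size_t range_len = range ? strlen (range) : 0;
  size_t len = user_len + 1 + strlen (IMAGE_ROLE) + 1 + strlen (image_type)
               + range_len + 1;
  char *out = malloc (len);
  if (!out) return NULL;
  snprintf (out, len, "%.*s:%s:%s%s", (int) user_len, user, IMAGE_ROLE,
            image_type, range ? range : "");
  return out;
}

/* Do two contexts carry the same MLS range (everything after the third ':')?
 * Used to confirm the per-guest categories survived the conversion. */
int same_mls_range (const char *a, const char *b)
{
  const char *ra = a, *rb = b;
  for (int i = 0; i < 3; i++) {
    ra = ra ? strchr (ra, ':') : NULL;
    if (ra) ra++;
    rb = rb ? strchr (rb, ':') : NULL;
    if (rb) rb++;
  }
  if (!ra && !rb) return 1;     /* neither side has a range */
  if (!ra || !rb) return 0;
  return strcmp (ra, rb) == 0;
}

/* Convenience: does proc_label map to expected?  expected == NULL means the
 * input must be rejected. */
int image_label_is (const char *proc_label, const char *expected)
{
  char *img = process_label_to_image_label (proc_label);
  int ok = (!img && !expected) ||
           (img && expected && strcmp (img, expected) == 0);
  free (img);
  return ok;
}

int main (void)
{
  /* Constructed sample: the kind of label a confined qemu process runs with. */
  const char *proc = "system_u:system_r:svirt_t:s0:c57,c948";
  char *img = process_label_to_image_label (proc);
  printf ("%s -> %s (range preserved: %s)\n", proc, img ? img : "(rejected)",
          img && same_mls_range (proc, img) ? "yes" : "no");
  free (img);
  return 0;
}
```

Rejecting unknown types instead of rewriting them is deliberate: a label that is wrong only in its type would be silently applied and then fail at guest start, or worse, be readable by processes it should not be.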