[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

[Libguestfs] [PATCH v2 1/5] New internal API: internal_set_libvirt_selinux_label



From: "Richard W.M. Jones" <rjones redhat com>

This internal API sets two SELinux labels in the handle (the process
label and the image label -- they are closely related).

If using the libvirt attach-method with SELinux and sVirt, then this
will cause the following XML to be added to the appliance definition:

<seclabel type=static model=selinux relabel=yes>
  <label>[LABEL HERE]</label>
  <imagelabel>[IMAGELABEL HERE]</imagelabel>
</seclabel>

It is ignored by other attach-methods.
---
 generator/actions.ml   | 12 ++++++++++++
 src/guestfs-internal.h |  2 ++
 src/handle.c           |  2 ++
 src/launch-libvirt.c   | 36 ++++++++++++++++++++++++++++++++++++
 4 files changed, 52 insertions(+)

diff --git a/generator/actions.ml b/generator/actions.ml
index 8a8e3ff..59e667d 100644
--- a/generator/actions.ml
+++ b/generator/actions.ml
@@ -2694,6 +2694,18 @@ the default.  Else C</var/tmp> is the default." };
     longdesc = "\
 Get the directory used by the handle to store the appliance cache." };
 
+  { defaults with
+    name = "internal_set_libvirt_selinux_label";
+    style = RErr, [String "label"; String "imagelabel"], [];
+    blocking = false;
+    visibility = VInternal;
+    shortdesc = "set SELinux label used by the libvirt attach method";
+    longdesc = "\
+This internal function sets the SELinux security label (in
+reality, two labels: the process label and the image label)
+used by the appliance when the libvirt attach method is selected
+(it is ignored by other attach methods)." };
+
 ]
 
 (* daemon_functions are any functions which cause some action
diff --git a/src/guestfs-internal.h b/src/guestfs-internal.h
index e1a7d31..78e2bf5 100644
--- a/src/guestfs-internal.h
+++ b/src/guestfs-internal.h
@@ -322,6 +322,8 @@ struct guestfs_h
     virDomainPtr dom;           /* libvirt domain */
   } virt;
 #endif
+  char *virt_selinux_label;
+  char *virt_selinux_imagelabel;
 };
 
 /* Per-filesystem data stored for inspect_os. */
diff --git a/src/handle.c b/src/handle.c
index c630daf..2f44632 100644
--- a/src/handle.c
+++ b/src/handle.c
@@ -326,6 +326,8 @@ guestfs_close (guestfs_h *g)
 
   if (g->pda)
     hash_free (g->pda);
+  free (g->virt_selinux_label);
+  free (g->virt_selinux_imagelabel);
   free (g->tmpdir);
   free (g->env_tmpdir);
   free (g->int_tmpdir);
diff --git a/src/launch-libvirt.c b/src/launch-libvirt.c
index 7db2ce5..68d875e 100644
--- a/src/launch-libvirt.c
+++ b/src/launch-libvirt.c
@@ -855,6 +855,31 @@ construct_libvirt_xml_seclabel (guestfs_h *g,
                                            BAD_CAST "none"));
     XMLERROR (-1, xmlTextWriterEndElement (xo));
   }
+  else if (g->virt_selinux_label && g->virt_selinux_imagelabel) {
+    /* Enable sVirt and pass a custom <seclabel/> inherited from the
+     * original libvirt domain (when guestfs_add_domain was called).
+     * https://bugzilla.redhat.com/show_bug.cgi?id=912499#c7
+     */
+    XMLERROR (-1, xmlTextWriterStartElement (xo, BAD_CAST "seclabel"));
+    XMLERROR (-1,
+              xmlTextWriterWriteAttribute (xo, BAD_CAST "type",
+                                           BAD_CAST "static"));
+    XMLERROR (-1,
+              xmlTextWriterWriteAttribute (xo, BAD_CAST "model",
+                                           BAD_CAST "selinux"));
+    XMLERROR (-1,
+              xmlTextWriterWriteAttribute (xo, BAD_CAST "relabel",
+                                           BAD_CAST "yes"));
+    XMLERROR (-1, xmlTextWriterStartElement (xo, BAD_CAST "label"));
+    XMLERROR (-1, xmlTextWriterWriteString (xo,
+                                            BAD_CAST g->virt_selinux_label));
+    XMLERROR (-1, xmlTextWriterEndElement (xo));
+    XMLERROR (-1, xmlTextWriterStartElement (xo, BAD_CAST "imagelabel"));
+    XMLERROR (-1, xmlTextWriterWriteString (xo,
+                                            BAD_CAST g->virt_selinux_imagelabel));
+    XMLERROR (-1, xmlTextWriterEndElement (xo));
+    XMLERROR (-1, xmlTextWriterEndElement (xo));
+  }
 
   return 0;
 }
@@ -1603,3 +1628,14 @@ struct attach_ops attach_ops_libvirt = {
 };
 
 #endif /* no libvirt or libxml2 at compile time */
+
+int
+guestfs__internal_set_libvirt_selinux_label (guestfs_h *g, const char *label,
+                                             const char *imagelabel)
+{
+  free (g->virt_selinux_label);
+  g->virt_selinux_label = safe_strdup (g, label);
+  free (g->virt_selinux_imagelabel);
+  g->virt_selinux_imagelabel = safe_strdup (g, imagelabel);
+  return 0;
+}
-- 
1.8.1.2


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]