[Libguestfs] [PATCH 2/2] Use setfiles from the appliance for the SELinux relabel (RHBZ#1089100).

Richard W.M. Jones rjones at redhat.com
Tue May 27 13:25:08 UTC 2014


[Including libguestfs mailing list this time]

On Tue, May 27, 2014 at 06:05:15AM -0700, Colin Walters wrote:
> On Tue, May 27, 2014, at 02:04 AM, Richard W.M. Jones wrote:
> > 
> > I'm still anxious for Colin to tell us if this API is suitable for his
> > needs.
> 
> I'd like an API that allows me to only relabel *unlabeled* files.
> The use case here is: I have an existing disk image with an OS,
> I want to inject e.g. a systemd service into it.  If I do this offline
> from libguestfs, the injected /usr/libexec/mydaemon and
> /usr/lib/systemd/system/mydaemon.service
> won't be labeled, but everything else will be.
>
> > I'm guessing that OStree does not have /etc/selinux/config,
> 
> Right, it's in the "deployment root" of
> /ostree/deploy/$osname/deploy/$checksum/etc/selinux/config

Got it:

><fs> ll /ostree/deploy/project-atomic-controller/deploy/afc1794b4b42df77edf1988897b167573b99e299fa39a15b07b235a0e7387d02.0/etc/selinux/targeted/contexts/files/file_contexts
-rw-r--r--. 1 root root 352240 Apr 14 20:14 /sysroot/ostree/deploy/project-atomic-controller/deploy/afc1794b4b42df77edf1988897b167573b99e299fa39a15b07b235a0e7387d02.0/etc/selinux/targeted/contexts/files/file_contexts

> To figure that out you'd want to use the OSTree APIs; and then it
> introduces further questions around *which* deployments you want to
> relabel.  All?  Only one (the default?).
> 
> What I do currently in my scripts is only relabel the default, and that
> would be the best default for an API.
> 
> But a totally valid thing to do with OSTree is - say you're running
> RHEL7, and you want to check whether the latest Fedora kernel fixes an
> issue you're seeing.  You can use ostree to dynamically parallel install
> Fedora content in a new deployment root, try it with near-total
> safety[1], and then if it doesn't work, just delete it and free up the
> space.

So I think an API which looks like this ...

 required params:

   None

 optional params:

   path =>
     Either a directory to be relabelled recursively, or a single
     file (defaults to "/").

   root =>
     Inspection root of guest.  Optional, only makes sense when
     'contexts' param is *omitted*.

   contexts =>
     The `file_contexts' file.  Defaults to
     /etc/selinux/$selinux_type/contexts/files/file_contexts

     OSTree would probably want to pass:
     /ostree/deploy/$osname/deploy/$checksum/etc/selinux/targeted/contexts/files/file_contexts

Inspection could be updated to parse /etc/selinux/config in order to
get the default SELinux policy and pass it back through an API such as
`inspect-get-selinux-type'.

If 'contexts' is omitted, 'root' must be supplied, and it causes an
internal call to guestfs_inspect_get_selinux_type (g, root) in order
to get the default policy.

What do you think?

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
Fedora Windows cross-compiler. Compile Windows programs, test, and
build Windows installers. Over 100 libraries supported.
http://fedoraproject.org/wiki/MinGW
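As an added illustration (not code from this patch, from libguestfs, or from the people on the thread), the argument rules sketched in the proposal above, worked through in Python: pulling SELINUXTYPE out of /etc/selinux/config the way an inspect-get-selinux-type call would have to, building the default /etc/selinux/$selinux_type/contexts/files/file_contexts path (optionally under an OSTree deployment root), and checking the root/contexts combination. The config text, the `/dev/sda2` inspection root and the `inspect_get_selinux_type` function are constructed stand-ins for inspection; the OSTree deployment checksum is a placeholder.

```python
import re
from pathlib import PurePosixPath

# Constructed sample of a guest's /etc/selinux/config (not taken from the thread).
SAMPLE_SELINUX_CONFIG = """\
# This file controls the state of SELinux on the system.
SELINUX=enforcing
# SELINUXTYPE= can take one of these values: targeted, minimum, mls
SELINUXTYPE=targeted
"""

# Constructed stand-in for inspection: maps an inspection root to the text of
# its /etc/selinux/config.  A real implementation would read the file from the
# mounted guest filesystem.
GUEST_SELINUX_CONFIGS = {
    "/dev/sda2": SAMPLE_SELINUX_CONFIG,
}

# Placeholder deployment root in the shape described on the thread; CHECKSUM
# stands in for the real deployment checksum.
OSTREE_DEPLOY_ROOT = "/ostree/deploy/project-atomic-controller/deploy/CHECKSUM.0"


def parse_selinux_type(config_text):
    """Return the SELINUXTYPE value from /etc/selinux/config text, or None if unset.

    Skips blank and comment lines and tolerates whitespace and quotes around
    the value, since the file is shell-style KEY=VALUE.
    """
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == "SELINUXTYPE":
            return value.strip().strip("\"'") or None
    return None


def inspect_get_selinux_type(root):
    """Model of the proposed inspect-get-selinux-type call (hypothetical API)."""
    config = GUEST_SELINUX_CONFIGS.get(root)
    if config is None:
        raise ValueError(f"{root}: not an inspected root with an SELinux config")
    selinux_type = parse_selinux_type(config)
    if selinux_type is None:
        raise ValueError(f"{root}: /etc/selinux/config has no SELINUXTYPE")
    return selinux_type


def default_file_contexts(selinux_type, deploy_root="/"):
    """Build /etc/selinux/$selinux_type/contexts/files/file_contexts, optionally
    underneath an OSTree deployment root instead of the guest's real root."""
    # The policy name is a single path component; reject anything that could
    # escape the expected directory (separators, "." or "..").
    if not re.fullmatch(r"[A-Za-z0-9_.-]+", selinux_type) or selinux_type in (".", ".."):
        raise ValueError(f"invalid SELinux policy type: {selinux_type!r}")
    return str(PurePosixPath(deploy_root) / "etc/selinux" / selinux_type
               / "contexts/files/file_contexts")


def optarg_errors(root=None, contexts=None):
    """Check the root/contexts combination against the rules in the proposal.
    Returns a list of problems; an empty list means the combination is valid."""
    errors = []
    if contexts is None and root is None:
        errors.append("'root' must be supplied when 'contexts' is omitted")
    if contexts is not None and root is not None:
        errors.append("'root' only makes sense when 'contexts' is omitted")
    if contexts is not None and not contexts.startswith("/"):
        errors.append("'contexts' must be an absolute path inside the guest")
    return errors


def resolve_relabel_args(path="/", root=None, contexts=None):
    """Resolve the proposed optional arguments to a concrete (path, file_contexts) pair."""
    errors = optarg_errors(root=root, contexts=contexts)
    if errors:
        raise ValueError("; ".join(errors))
    if contexts is None:
        # 'contexts' omitted: derive the default policy from the inspected root.
        contexts = default_file_contexts(inspect_get_selinux_type(root))
    return path, contexts


if __name__ == "__main__":
    # Plain guest: let inspection pick the policy.
    print(resolve_relabel_args(root="/dev/sda2"))
    # OSTree guest: caller names the file_contexts inside the deployment root.
    print(resolve_relabel_args(path="/usr/libexec/mydaemon",
                               contexts=default_file_contexts("targeted", OSTREE_DEPLOY_ROOT)))
```

The policy-name check in `default_file_contexts` is there because the value comes from a file inside the guest: a config carrying `SELINUXTYPE=../..` should fail, not be spliced into a path the appliance then opens.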



