[Libguestfs] [PATCH 2/2] Use setfiles from the appliance for the SELinux relabel (RHBZ#1089100).
Pino Toscano
ptoscano at redhat.com
Tue May 27 14:43:31 UTC 2014
On Tuesday 27 May 2014 14:25:08 Richard W.M. Jones wrote:
> So I think an API which looks like this ...
>
> required params:
>
> None
>
> optional params:
>
> path =>
> Either a directory to be relabelled recursively, or a single
> file (defaults to "/").
>
> root =>
> Inspection root of guest. Optional, only makes sense when
> 'contexts' param is *omitted*.
>
> contexts =>
> The `file_contexts' file. Defaults to
> /etc/selinux/$selinux_type/contexts/files/file_contexts
>
> OSTree would probably want to pass:
>
> /ostree/deploy/$osname/deploy/$checksum/etc/selinux/targeted/contexts
> /files/file_contexts
>
> Inspection could be updated to parse /etc/selinux/config in order to
> get the default SELinux policy and pass it back through an API such as
> `inspect-get-selinux-type'.
>
> If 'contexts' is omitted, 'root' must be supplied, and it causes an
> internal call to guestfs_inspect_get_selinux_type (g, root) in order
> to get the default policy.

Note that not specifying a root could lead to issues, as the file
contexts are relative to a root. So if I say to relabel the path
/guestmountpoint/etc/myconfig according to some /path/of/file_contexts
without specifying what is the root, how should setfiles know that path
is /etc/myconfig mounted at /guestmountpoint?

At this point I'm thinking the best option would be making the root a
normal (mandatory) argument, leaving path and contexts as optional (with
the former being "/" as default value, and the latter as "find it from
the root").

In the situation above, path would become a relative path to the
specified root (so if I mount a guest into /guest and I want to relabel
it only under /etc, I would pass root=/guest and path=/etc).

--
Pino Toscano
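
The parameter resolution proposed in this message (mandatory root, path relative to it, contexts located from the root), sketched as an added example that is not part of the original message or of libguestfs. The function names are hypothetical; `setfiles -r` is the tool's real alternate-root option, and the checks on the guest-supplied policy name and on paths that leave the root are assumptions added here.

```python
import os
import re
import tempfile

def selinux_type(root):
    """Return SELINUXTYPE from <root>/etc/selinux/config (guest-controlled data)."""
    policy = None
    with open(os.path.join(root, "etc/selinux/config")) as f:
        for line in f:
            line = line.split("#", 1)[0].strip()
            if line.startswith("SELINUXTYPE="):
                policy = line.split("=", 1)[1].strip()
    # The value comes from the guest image: accept a plain name only, so it
    # cannot steer the contexts lookup to another directory.
    if policy is None or not re.fullmatch(r"[A-Za-z0-9_-]+", policy):
        raise ValueError("missing or invalid SELINUXTYPE: %r" % policy)
    return policy

def setfiles_argv(root, path="/", contexts=None):
    """Build the setfiles command line for a guest mounted at `root`."""
    root = os.path.realpath(root)
    # `path` is relative to the guest root, so root=/guest and path=/etc
    # name /guest/etc on the side where setfiles runs.
    target = os.path.realpath(os.path.join(root, path.lstrip("/")))
    # realpath follows ".." and symlinks; an absolute symlink inside the
    # guest would resolve outside the mount, so reject anything outside.
    if os.path.commonpath([root, target]) != root:
        raise ValueError("path resolves outside root: %r" % path)
    if contexts is None:
        # "find it from the root": default policy's file_contexts
        contexts = os.path.join(root, "etc/selinux", selinux_type(root),
                                "contexts/files/file_contexts")
    # -r makes setfiles strip `root` before matching file_contexts patterns
    return ["setfiles", "-r", root, contexts, target]

if __name__ == "__main__":
    # Constructed guest tree standing in for a mounted guest
    with tempfile.TemporaryDirectory() as guest:
        os.makedirs(os.path.join(guest, "etc/selinux"))
        with open(os.path.join(guest, "etc/selinux/config"), "w") as f:
            f.write("SELINUX=enforcing\nSELINUXTYPE=targeted\n")
        print(" ".join(setfiles_argv(guest, "/etc")))
```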