[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [libvirt] [sandbox PATCH] virt-sandbox patch to launch containers with proper label



On Mon, Sep 30, 2013 at 08:39:35AM -0400, Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On 09/30/2013 08:07 AM, Daniel P. Berrange wrote:
> > On Wed, Sep 25, 2013 at 04:50:23PM -0400, Dan Walsh wrote:
> >> virt-sandbox should be launching containers based off the lxc_context 
> >> file from selinux-policy. I changed the hard coded paths to match the 
> >> latest fedora assigned labels.
> >> 
> >> Fedora 20 SELinux Policy and beyond will have proper SELinux labels in
> >> its lxc_contexts file. --- bin/virt-sandbox-service                  |  2
> >> +- bin/virt-sandbox-service-clone.pod        |  5 ++- 
> >> bin/virt-sandbox-service-create.pod       |  7 ++-- bin/virt-sandbox.c
> >> |  5 ++- libvirt-sandbox/libvirt-sandbox-builder.c | 58
> >> +++++++++++++++++++++++++------ 5 files changed, 55 insertions(+), 22
> >> deletions(-)
> >> 
> >> diff --git a/bin/virt-sandbox-service b/bin/virt-sandbox-service index
> >> c4c4f54..b42fe08 100755 --- a/bin/virt-sandbox-service +++
> >> b/bin/virt-sandbox-service @@ -101,7 +101,7 @@ def copydirtree(src,
> >> dst): class Container: DEFAULT_PATH       =
> >> "/var/lib/libvirt/filesystems" DEFAULT_IMAGE      =
> >> "/var/lib/libvirt/images/%s.raw" -    SELINUX_FILE_TYPE  =
> >> "svirt_lxc_file_t" +    SELINUX_FILE_TYPE  = "svirt_sandbox_file_t"
> > 
> > This change will make it impossible to use the new release on existing 
> > distros since they won't have this new policy type. We need this to be 
> > conditionally changed.
> > 
> Well we could put the code into check if the type exists else use
> svirt_lxc_file_t.  (BTW Aliased in latest code.)
> >> diff --git a/libvirt-sandbox/libvirt-sandbox-builder.c
> >> b/libvirt-sandbox/libvirt-sandbox-builder.c index 1335042..613161a
> >> 100644 --- a/libvirt-sandbox/libvirt-sandbox-builder.c +++
> >> b/libvirt-sandbox/libvirt-sandbox-builder.c @@ -67,6 +67,48 @@
> >> gvir_sandbox_builder_error_quark(void) { return
> >> g_quark_from_static_string("gvir-sandbox-builder"); } +#include
> >> <selinux/selinux.h> +#include <errno.h> +static char line[1024]; + 
> >> +static const char *get_label(int type) { +    const char *path =
> >> selinux_lxc_contexts_path(); + +    FILE *fp = fopen(path, "r"); +    if
> >> (fp) { +        GType gt = gvir_config_domain_virt_type_get_type (); +
> >> GEnumClass *cls = g_type_class_ref (gt); +        GEnumValue *val =
> >> g_enum_get_value (cls, type); + +        while (val && fgets(line, sizeof
> >> line, fp)) { +            int len = strlen(line); +            if (len >
> >> 2) +                continue; +            if (line[len-1] == '\n') +
> >> line[len-1] = '\0'; +            char *name = line; +            char
> >> *value = strchr(name, '='); +            if (!value) +
> >> continue; +            *value = '\0'; +            value++; +
> >> if (strcmp(name,val->value_nick)) +                continue; +
> >> return value; +        } +        fclose(fp);


Your email client has completely mangled this quoted text. Please fix it
to preserve line breaks / whitespace, as it makes reading the replies
rather difficult.

> > 
> > I'm not sure I really understand what this code is doing. You seem to be
> > opening /etc/selinux/targetted/context/lxc_contexts and then searching for
> > the type for LXC, QEMU or KVM. This doesn't really make sense to me. I
> > wonder what the point of any of this code us, when the switch statement 
> > below looks to be sufficient.
> > 
> Well the idea is to allow other policy writers to write policy that would use
> different types, rather then hard code them into programs.  Dominick Grift is
> experimenting with other types of SELinux Policy, and any time he has a hard
> coded type, it breaks his code.   Obviously we need to move more types out of
> this code to make it fully functional.

Yeah, but I'm not seeing how this /etc/selinux/targetted/context/lxc_contexts
file content is working with this piece of code. With the updated policy
I see

$ cat /etc/selinux/targeted/contexts/lxc_contexts 
process = "system_u:system_r:svirt_lxc_net_t:s0"
file = "system_u:object_r:svirt_lxc_file_t:s0"
content = "system_u:object_r:virt_var_lib_t:s0"

so this code which is looking for 'kvm' and 'qemu' strings in that file
isn't doing anything useful


Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]