Re: [Libguestfs] selinux question and answer

On 08/12/2009 10:30 AM, Matthew Booth wrote: > On 12/08/09 15:01, Eric Paris wrote: >> setexecon() takes an selinux context and then anything you exec after >> the call will be run in the given domain. So we suggest calling (pseudo >> code). >> >> mount /selinux >> call load_policy >> call setexeccon(unconfined_t) >> do everything in a shell from here on out. > > I've just been running some tests, and on the face of it we don't need > to worry about process contexts. > >><fs> sh "mount -t selinuxfs none /selinux" >><fs> sh "/usr/sbin/load_policy" >><fs> sh "id -Z" > system_u:system_r:kernel_t:s0 > >><fs> sh "rpm -ivh /mnt/xorg_x11.rpm" > Preparing... ################################################## > xorg-x11-xauth ################################################## > >><fs> sh "ls -Z /usr/bin/xauth" > -rwxr-xr-x root root system_u:object_r:xauth_exec_t:s0 /usr/bin/xauth > > So here rpm has installed xorg-x11-xauth, and /usr/bin/xauth has > correctly obtained its custom label. > > Also: > * creating a file in a random directory seems to pick up the label of > the parent directory. > * usermod can change a password without breaking /etc/shadow > > This covers everything we want to do so far. The guest in this case is > RHEL 5. What are we risking if we don't try to be clever with process > contexts? > > Thanks, > > Matt I think executing F11, F12, F..., RHEL6 ... setcon("unconfined_u:unconfined_r:unconfined_t:s0") RHEL5 setcon("user_u:system_r:unconfined_t:s0")