Re: [Libguestfs] selinux question and answer
On 12/08/09 15:01, Eric Paris wrote:
setexecon() takes an selinux context and then anything you exec
after
the call will be run in the given domain. So we suggest calling (pseudo
code).
mount /selinux
call load_policy
call setexeccon(unconfined_t)
do everything in a shell from here on out.
I've just been running some tests, and on the face of it we don't need
to worry about process contexts.
<fs> sh "mount -t selinuxfs none /selinux"
<fs> sh "/usr/sbin/load_policy"
<fs> sh "id -Z"
system_u:system_r:kernel_t:s0
<fs> sh "rpm -ivh /mnt/xorg_x11.rpm"
Preparing...
##################################################
xorg-x11-xauth
##################################################
<fs> sh "ls -Z /usr/bin/xauth"
-rwxr-xr-x root
root system_u:object_r:xauth_exec_t:s0 /usr/bin/xauth
So here rpm has installed xorg-x11-xauth, and /usr/bin/xauth has
correctly obtained its custom label.
Also:
* creating a file in a random directory seems to pick up the label of
the parent directory.
* usermod can change a password without breaking /etc/shadow
This covers everything we want to do so far. The guest in this case is
RHEL 5. What are we risking if we don't try to be clever with process
contexts?
Thanks,
Matt
--
Matthew Booth, RHCA, RHCSS
Red Hat Engineering, Virtualisation Team
M: +44 (0)7977 267231
GPG ID: D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490