This is continuing/summarising a rather long discussion that happened
on IRC ...
We talked to some SELinux experts about what was required to make
SELinux work with libguestfs, and it seems reasonably simple to load
the policy from the guest filesystem.
All that needs to be done is to mount the guest disks up and then run:
sh "/usr/sbin/load_policy -i"
That command also mounts up <sysroot>/selinux, so that solves the
other problem they raised.
I wasn't completely sure how to test this was actually working. My
best effort was to try to run some commands that would label files.
This is using a fresh Fedora 11 install that has SELinux enforcing on
it:
  guestfish -a /dev/mapper/vg_trick-F11x64 --ro \
    run : mount /dev/vg_f11x64/lv_root / : \
    sh "/usr/sbin/load_policy -i" : \
    sh "ls -lZ /etc/passwd"

  -rw-r--r--. root root system_u:object_r:etc_t:s0 /etc/passwd

  guestfish -a /dev/mapper/vg_trick-F11x64 --ro \
    run : mount /dev/vg_f11x64/lv_root / : \
    sh "/usr/sbin/load_policy -i" : \
    sh "chcon user_u:object_r:file_t /etc/passwd" : \
    sh "ls -lZ /etc/passwd"

  -rw-r--r--. root root user_u:object_r:file_t /etc/passwd
So it seems that relabelling files (using chcon) works. Whether
this means everything will work, I don't know.
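As an added example (not part of the original message or of libguestfs itself), the following POSIX shell functions wrap the read-only procedure shown above and add the check a practitioner would want afterwards: pull the SELinux context out of an "ls -lZ" line and confirm that its type field is what the guest policy is expected to assign. The disk path, LV name and file name passed to show_label are placeholders, and running it assumes guestfish is installed; the parsing and checking functions run offline on the two output lines quoted above, which are reused here as constructed sample input.

```shell
#!/bin/sh
# Added example, not code from the original message or from libguestfs.

# Return the SELinux context field from one line of "ls -lZ" output.
# Fedora 11 prints "-rw-r--r--. root root system_u:object_r:etc_t:s0 /etc/passwd";
# scanning for the first user:role:type token keeps this independent of
# how many columns a given coreutils version prints before it.
context_of_ls_line() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[A-Za-z0-9_]+:[A-Za-z0-9_]+:[A-Za-z0-9_]+/) { print $i; exit }
    }'
}

# Return the type component (third colon-separated field) of a context,
# e.g. etc_t from system_u:object_r:etc_t:s0.
type_of_context() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Succeed (exit 0) if the "ls -lZ" line carries the expected SELinux type.
has_type() {
    line="$1"
    expected="$2"
    t=$(type_of_context "$(context_of_ls_line "$line")")
    [ "$t" = "$expected" ]
}

# Load the guest's own policy inside the appliance, as described above,
# and print the label of one file. All three arguments are placeholders
# supplied by the caller; the image is opened read-only.
show_label() {
    disk="$1"
    rootlv="$2"
    file="$3"
    guestfish -a "$disk" --ro \
        run : mount "$rootlv" / : \
        sh "/usr/sbin/load_policy -i" : \
        sh "ls -lZ $file"
}

# Run show_label and verify the type, e.g.:
#   check_label /dev/mapper/vg_trick-F11x64 /dev/vg_f11x64/lv_root /etc/passwd etc_t
check_label() {
    out=$(show_label "$1" "$2" "$3") || return 1
    has_type "$out" "$4"
}
```

check_label returns non-zero if the file's type is not the one expected, so the same invocation can be dropped into a script that inspects a set of guest images and flags any whose labels do not match the policy loaded from that guest.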
You will also get a warning when guestfish exits at the moment:
  libguestfs: error: umount: /sysroot: umount: /sysroot: device is busy.
          (In some cases useful info about processes that use
           the device is found by lsof(8) or fuser(1))
This happens because the load_policy command is mounting
/sysroot/selinux and thus preventing /sysroot from being unmounted
during the automatic shutdown phase at the end.
[Note: The attached patch is also required, because at the moment we
are booting the kernel with selinux=0 for other reasons. This should
be made configurable].
Rich.
--
Richard Jones, Emerging Technologies, Red Hat
http://et.redhat.com/~rjones
virt-df lists disk usage of guests without needing to install any
software inside the virtual machine. Supports Linux and Windows.
http://et.redhat.com/~rjones/virt-df/