Re: [Libguestfs] selinux question and answer

On 12/08/09 15:01, Eric Paris wrote: > setexecon() takes an selinux context and then anything you exec after > the call will be run in the given domain. So we suggest calling (pseudo > code). > > mount /selinux > call load_policy > call setexeccon(unconfined_t) > do everything in a shell from here on out. I've just been running some tests, and on the face of it we don't need to worry about process contexts. ><fs> sh "mount -t selinuxfs none /selinux" ><fs> sh "/usr/sbin/load_policy" ><fs> sh "id -Z" system_u:system_r:kernel_t:s0 ><fs> sh "rpm -ivh /mnt/xorg_x11.rpm" Preparing... ################################################## xorg-x11-xauth ################################################## ><fs> sh "ls -Z /usr/bin/xauth" -rwxr-xr-x root root system_u:object_r:xauth_exec_t:s0 /usr/bin/xauth So here rpm has installed xorg-x11-xauth, and /usr/bin/xauth has correctly obtained its custom label. Also: * creating a file in a random directory seems to pick up the label of the parent directory. * usermod can change a password without breaking /etc/shadow This covers everything we want to do so far. The guest in this case is RHEL 5. What are we risking if we don't try to be clever with process contexts? Thanks, Matt