Re: [Libguestfs] [PATCH 4/7] launch: libvirt: Allow the SELinux label to be set on qcow2 overlay files.
On Thu, Feb 28, 2013 at 02:14:42PM +0000, Matthew Booth wrote:
On Thu, 2013-02-28 at 10:57 +0000, Richard W.M. Jones wrote:
> From: "Richard W.M. Jones" <rjones(a)redhat.com>
>
> When a disk is opened readonly, the libvirt attach-method privately
> creates a qcow2 overlay on top.
>
> This commit lets that overlay get an SELinux label, and sets it to the
> label specified by guestfs_internal_set_libvirt_selinux_label.
>
> We have to adjust the SELinux label (which is a process label) to make
> it applicable to images. We do this by changing the role from
> 'system_r' to 'object_r', and the type from 'svirt_t' to
'svirt_image_t'.
The code below doesn't do this. Are you saying that the caller must set
the process context manually?
Yes you're correct. I've fixed the commit message to match what the
code does :-)
>
> The above only applies to the libvirt attach-method.
> ---
> src/launch-libvirt.c | 27 +++++++++++++++++++--------
> 1 file changed, 19 insertions(+), 8 deletions(-)
>
> diff --git a/src/launch-libvirt.c b/src/launch-libvirt.c
> index 45950e2..5c14155 100644
> --- a/src/launch-libvirt.c
> +++ b/src/launch-libvirt.c
> @@ -133,8 +133,8 @@ static int is_custom_qemu (guestfs_h *g);
> static int is_blk (const char *path);
> static int random_chars (char *ret, size_t len);
> static void ignore_errors (void *ignore, virErrorPtr ignore2);
> -static char *make_qcow2_overlay (guestfs_h *g, const char *path, const char
*format);
> -static int make_qcow2_overlay_for_drive (guestfs_h *g, struct drive *drv);
> +static char *make_qcow2_overlay (guestfs_h *g, const char *path, const char
*format, bool selinux_label);
> +static int make_qcow2_overlay_for_drive (guestfs_h *g, struct drive *drv, bool
selinux_label);
> static void drive_free_priv (void *);
> static void set_socket_create_context (guestfs_h *g);
> static void clear_socket_create_context (guestfs_h *g);
> @@ -235,13 +235,13 @@ launch_libvirt (guestfs_h *g, const char *libvirt_uri)
> * Note that appliance can be NULL if using the old-style appliance.
> */
> if (appliance) {
> - params.appliance_overlay = make_qcow2_overlay (g, appliance, "raw");
> + params.appliance_overlay = make_qcow2_overlay (g, appliance, "raw",
false);
> if (!params.appliance_overlay)
> goto cleanup;
> }
I'm surprised the appliance image overlay doesn't require a label. If
libvirt launches the appliance in a confined context, I wouldn't expect
it to be able to read anything which wasn't appropriately labelled,
which would include the image. I assume you've tested it and it works,
but I would like to understand why this is possible.
It's because libvirt relabels the overlay (and its backing file) in
this case. Note that we *don't* set <seclabel model=selinux relabel=no/>
on the appliance disk.
Relabelling the appliance could get complicated wrt multiple
appliances running simultaneously.
Right -- I suspect this is buggy actually, but it's quite hard to test
it since I need to run up lots of guests and run virt-df in parallel
on them. Also we put <shareable/> on the appliance disk, and I'm not
sure what libvirt does in that case.
Rich.
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
virt-p2v converts physical machines to virtual machines. Boot with a
live CD or over the network (PXE) and turn machines into KVM guests.
http://libguestfs.org/virt-v2v