>From e31c8587643ae8f5987198d39e014e041112a663 Mon Sep 17 00:00:00 2001
From: Richard Jones
Date: Wed, 12 Aug 2009 16:31:06 +0100
Subject: [PATCH] If using SELinux, mount /selinux in the appliance.
If selinux=1 on the Linux kernel command line, then we mount /selinux in the appliance. We will also bind-mount this directory into guests when we run commands.
---
 appliance/init | 4 ++++
 appliance/make.sh.in | 3 +++
 daemon/command.c | 10 ++++++++--
 3 files changed, 15 insertions(+), 2 deletions(-)
diff --git a/appliance/init b/appliance/init
index b33a34c..fe135b4 100755
--- a/appliance/init
+++ b/appliance/init
@@ -33,6 +33,10 @@ else
 modprobe virtio_net
 fi
 
+if grep -sq selinux=1 /proc/cmdline; then
+ mount -t selinuxfs none /selinux
+fi
+
 modprobe dm_mod ||:
 
 ifconfig lo 127.0.0.1
diff --git a/appliance/make.sh.in b/appliance/make.sh.in
index d76c961..66bdebc 100755
--- a/appliance/make.sh.in
+++ b/appliance/make.sh.in
@@ -47,6 +47,9 @@ if [ "@DIST@" = "REDHAT" ]; then
 # Create /tmp if it is missing.
 @FEBOOTSTRAP_RUN@ initramfs -- mkdir -p --mode=0777 /tmp
 
+ # Create /selinux if it is missing.
+ @FEBOOTSTRAP_RUN@ initramfs -- mkdir -p --mode=0755 /selinux
+
 # Nuke some stuff. The kernel pulls mkinitrd and plymouth which pulls in
 # all of Python. Sheez.
 (cd initramfs && find -name '*plymouth*' -print0) |
diff --git a/daemon/command.c b/daemon/command.c
index 0399255..3261513 100644
--- a/daemon/command.c
+++ b/daemon/command.c
@@ -31,8 +31,9 @@ do_command (char **argv)
 {
 char *out, *err;
 int r;
- char *sysroot_proc, *sysroot_dev, *sysroot_dev_pts, *sysroot_sys;
- int proc_ok, dev_ok, dev_pts_ok, sys_ok;
+ char *sysroot_dev, *sysroot_dev_pts, *sysroot_proc, *sysroot_selinux, *sysroot_sys;
+ int dev_ok, dev_pts_ok, proc_ok, selinux_ok, sys_ok;
 
 /* We need a root filesystem mounted to do this. */
 NEED_ROOT (NULL);
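Review bot: The new `mount -t selinuxfs none /selinux` in appliance/init has no failure handling, and its mount point is only guaranteed to exist on builds where appliance/make.sh.in created it; that `mkdir -p --mode=0755 /selinux` appears to sit inside the `if [ "@DIST@" = "REDHAT" ]` branch shown in the make.sh.in hunk header, so on other distributions the mount will presumably fail silently and the daemon later bind-mounts an empty directory. Creating the directory at boot and reporting the failure keeps the two files from having to agree: `mkdir -p /selinux` before the mount, and `mount -t selinuxfs none /selinux || echo "init: cannot mount selinuxfs on /selinux" >&2`. Separately, `grep -sq selinux=1 /proc/cmdline` also matches a longer token containing that text (for example a different parameter ending in `selinux=1`, or `selinux=10`); `grep -sqw selinux=1 /proc/cmdline` restricts it to the whole parameter. The surrounding `if`/`else` of the init hunk starts outside the hunk.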
@@ -57,6 +58,7 @@ do_command (char **argv)
 sysroot_dev = sysroot_path ("/dev");
 sysroot_dev_pts = sysroot_path ("/dev/pts");
 sysroot_proc = sysroot_path ("/proc");
+ sysroot_selinux = sysroot_path ("/selinux");
 sysroot_sys = sysroot_path ("/sys");
 
 r = command (NULL, NULL, "mount", "--bind", "/dev", sysroot_dev, NULL);
@@ -65,6 +67,8 @@ do_command (char **argv)
 dev_pts_ok = r != -1;
 r = command (NULL, NULL, "mount", "--bind", "/proc", sysroot_proc, NULL);
 proc_ok = r != -1;
+ r = command (NULL, NULL, "mount", "--bind", "/selinux", sysroot_selinux, NULL);
+ selinux_ok = r != -1;
 r = command (NULL, NULL, "mount", "--bind", "/sys", sysroot_sys, NULL);
 sys_ok = r != -1;
 
@@ -73,6 +77,7 @@ do_command (char **argv)
 CHROOT_OUT;
 
 if (sys_ok) command (NULL, NULL, "umount", sysroot_sys, NULL);
+ if (selinux_ok) command (NULL, NULL, "umount", sysroot_selinux, NULL);
 if (proc_ok) command (NULL, NULL, "umount", sysroot_proc, NULL);
 if (dev_pts_ok) command (NULL, NULL, "umount", sysroot_dev_pts, NULL);
 if (dev_ok) command (NULL, NULL, "umount", sysroot_dev, NULL);
@@ -80,6 +85,7 @@ do_command (char **argv)
 free (sysroot_dev);
 free (sysroot_dev_pts);
 free (sysroot_proc);
+ free (sysroot_selinux);
 free (sysroot_sys);
 
 if (r == -1) {
--
1.6.2.5
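Review bot: The new `mount --bind /selinux` in the second hunk is unconditional, while appliance/init only mounts selinuxfs when `selinux=1` is on the kernel command line, so on every other boot an empty appliance directory is bound over whatever the guest has at /selinux; skipping the bind when the source is not actually a mount point would avoid that. It also hands the appliance's selinuxfs, which is a control interface rather than a read-only view, to every binary that do_command runs as root inside the guest's filesystem; the existing /proc, /sys and /dev binds already imply that trust level, which is probably acceptable for a disposable appliance, but the assumption is not recorded anywhere. A comment above the new mount line would do: `/* Bind the appliance's selinuxfs (mounted by appliance/init only when selinux=1) so guest commands can query SELinux; they run as root, so they can also change the appliance's SELinux state through it. */`. The body of do_command starts and ends outside these hunks.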