Re: [Libguestfs] selinux question and answer

On Wed, 2009-08-12 at 14:41 -0400, Daniel J Walsh wrote: > On 08/12/2009 10:30 AM, Matthew Booth wrote: >> On 12/08/09 15:01, Eric Paris wrote: >>> setexecon() takes an selinux context and then anything you exec after >>> the call will be run in the given domain. So we suggest calling (pseudo >>> code). >>> >>> mount /selinux >>> call load_policy >>> call setexeccon(unconfined_t) >>> do everything in a shell from here on out. >> >> I've just been running some tests, and on the face of it we don't need >> to worry about process contexts. >> >>> <fs> sh "mount -t selinuxfs none /selinux" >>> <fs> sh "/usr/sbin/load_policy" >>> <fs> sh "id -Z" >> system_u:system_r:kernel_t:s0 >> >>> <fs> sh "rpm -ivh /mnt/xorg_x11.rpm" >> Preparing... ################################################## >> xorg-x11-xauth ################################################## >> >>> <fs> sh "ls -Z /usr/bin/xauth" >> -rwxr-xr-x root root system_u:object_r:xauth_exec_t:s0 /usr/bin/xauth >> >> So here rpm has installed xorg-x11-xauth, and /usr/bin/xauth has >> correctly obtained its custom label. >> >> Also: >> * creating a file in a random directory seems to pick up the label of >> the parent directory. >> * usermod can change a password without breaking /etc/shadow >> >> This covers everything we want to do so far. The guest in this case is >> RHEL 5. What are we risking if we don't try to be clever with process >> contexts? >> >> Thanks, >> >> Matt > I think executing > > F11, F12, F..., RHEL6 ... > setcon("unconfined_u:unconfined_r:unconfined_t:s0") > > RHEL5 > setcon("user_u:system_r:unconfined_t:s0") wouldn't "system_u:object_r:unconfined_t:s0" work just as well and it would work RHEL4-rawhide? No need to know anything about the guest? object_r having that black magic noone seems to talk about.... -Eric