On Wed, Aug 12, 2009 at 10:01:39AM -0400, Eric Paris wrote:
On Wed, 2009-08-12 at 14:40 +0100, Richard W.M. Jones wrote:
> After a bit of an epic struggle with a RHEL 5 guest, and thanks to
> (3) We must run every external command (eg. "rpm") via the shell, so
> in libguestfs using "sh", never "command".
Correct. There is another (maybe harder?) option. If you want to still
be able to run things directly from your daemon you'll need to get the
daemon labeled unconfined_t. This would mean calling setexeccon() and
then re-execing the daemon.
We were just talking about this, and in fact this may be possible
for us to do relatively easily.
Question: can we use setexeccon before any policy has been
loaded? Does it need /selinux? (I'm guessing no, yes).
You will need enforcing=0. Dan just checked and none of our shipping
policies would allow the kernel->unconfined transition we want you to
use (normal systems all go kernel->init_t->unconfined_t, and you don't
want to do all that)
Right, that's no problem.
As future work instead of hard coding
system_u:object_r:unconfined_t:s0
in the setexeccon() call, we should check out what the guest defines as
the correct default context for the root user. I'm sure Dan could walk
you through that, but it's a future enhancement, as there are very few
people who change this.
OK, thanks - you've been a great help in helping us to understand
all this.
Rich.
--
Richard Jones, Emerging Technologies, Red Hat
http://et.redhat.com/~rjones
New in Fedora 11: Fedora Windows cross-compiler. Compile Windows
programs, test, and build Windows installers. Over 70 libraries supprt'd
http://fedoraproject.org/wiki/MinGW http://www.annexia.org/fedora_mingw
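
The setexeccon()-then-re-exec step discussed in the thread above, as an added example that is not part of the original message and not libguestfs code. To stay free of a libselinux build dependency it writes the context straight to /proc/self/attr/exec, the kernel interface that setexeccon() wraps. Assumptions: a single-threaded daemon, a hypothetical guard variable DAEMON_RELABELED to stop a re-exec loop, and enforcing=0 as stated in the thread.

```c
/* Added example; not libguestfs code. Single-threaded process assumed. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define REEXEC_GUARD "DAEMON_RELABELED"   /* hypothetical env var name */
#define EXEC_ATTR "/proc/self/attr/exec"  /* kernel file behind setexeccon() */

/* Ask the kernel to label the next execve() with ctx. The string is
   written including its NUL terminator. Returns 0 on success, -1 on error. */
int set_exec_context(const char *attr_path, const char *ctx)
{
    size_t len = strlen(ctx) + 1;
    int fd = open(attr_path, O_WRONLY);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, ctx, len);
    close(fd);
    return n == (ssize_t)len ? 0 : -1;
}

/* Returns 0 if this process is already the re-executed copy, -1 on
   failure. On success it does not return: the image is replaced. */
int relabel_and_reexec(const char *attr_path, const char *ctx, char **argv)
{
    if (getenv(REEXEC_GUARD))
        return 0;                       /* second pass: carry on as the daemon */
    if (set_exec_context(attr_path, ctx) < 0)
        return -1;
    if (setenv(REEXEC_GUARD, "1", 1) < 0)   /* prevents a re-exec loop */
        return -1;
    execv("/proc/self/exe", argv);      /* same binary, new context */
    return -1;
}

int main(int argc, char **argv)
{
    (void)argc;
    /* Context string exactly as quoted in the thread. */
    if (relabel_and_reexec(EXEC_ATTR, "system_u:object_r:unconfined_t:s0", argv) < 0) {
        perror("relabel_and_reexec");   /* e.g. SELinux absent or transition denied */
        return 1;
    }
    puts("running as the re-executed daemon");
    return 0;
}
```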