Re: [Libguestfs] selinux question and answer

On Wed, Aug 12, 2009 at 10:13:25AM -0400, Eric Paris wrote: > On Wed, 2009-08-12 at 15:07 +0100, Richard W.M. Jones wrote: > > On Wed, Aug 12, 2009 at 10:01:39AM -0400, Eric Paris wrote: > > > On Wed, 2009-08-12 at 14:40 +0100, Richard W.M. Jones wrote: > > > > After a bit of an epic struggle with a RHEL 5 guest, and thanks to > > > > (3) We must run every external command (eg. "rpm") via the shell, so > > > > in libguestfs using "sh", never "command". > > > > > > Correct. There is another (maybe harder?) option. If you want to still > > > be able to run things directly from your daemon you'll need to get the > > > daemon labeled unconfined_t. This would mean calling setexecon() and > > > then re-execing the daemon. > > > > We were just talking about this, and in fact this may be possible > > for us to do relatively easily. > > > > Question: can we use setexeccon before any policy has been > > loaded? Does it need /selinux? (I'm guessing no, yes). > > Policy must be loaded. /selinux must be mounted somewhere. (libselinux > is smart enough to find it even if it isn't mounted at /selinux) Matt, I think what we need to do here to make this work:

(1) Mount /selinux during *appliance* boot, so it's mounted in the appliance. (2) In the /init script, we can exec the daemon with correct label. It'll have to be "unconfined_t" however, since at this point we won't be able to work out the correct label to use. Hopefully this doesn't matter in any practical situation. (3) Bind-mount /selinux into the guest chroot as we currently do for /proc, /sys etc. (4) Have an API call to load policy once the guest is mounted. The above should mean the daemon is labelled correctly, so most of the API is covered by SELinux. Rich.