From: "Richard W.M. Jones" <rjones(a)redhat.com>
This internal API sets two SELinux labels in the handle (the process
label and the image label -- they are closely related).
If using the libvirt attach-method with SELinux and sVirt, then this
will cause the following XML to be added to the appliance definition:
<seclabel type=static model=selinux relabel=yes>
<label>[LABEL HERE]</label>
<imagelabel>[IMAGELABEL HERE]</imagelabel>
</seclabel>
It is ignored by other attach-methods.
---
generator/actions.ml | 12 ++++++++++++
src/guestfs-internal.h | 2 ++
src/handle.c | 2 ++
src/launch-libvirt.c | 36 ++++++++++++++++++++++++++++++++++++
4 files changed, 52 insertions(+)
diff --git a/generator/actions.ml b/generator/actions.ml
index 8a8e3ff..59e667d 100644
--- a/generator/actions.ml
+++ b/generator/actions.ml
@@ -2694,6 +2694,18 @@ the default. Else C</var/tmp> is the default." };
longdesc = "\
Get the directory used by the handle to store the appliance cache." };
+ { defaults with
+ name = "internal_set_libvirt_selinux_label";
+ style = RErr, [String "label"; String "imagelabel"], [];
+ blocking = false;
+ visibility = VInternal;
+ shortdesc = "set SELinux label used by the libvirt attach method";
+ longdesc = "\
+This internal function sets the SELinux security label (in
+reality, two labels: the process label and the image label)
+used by the appliance when the libvirt attach method is selected
+(it is ignored by other attach methods)." };
+
]
(* daemon_functions are any functions which cause some action
diff --git a/src/guestfs-internal.h b/src/guestfs-internal.h
index e1a7d31..78e2bf5 100644
--- a/src/guestfs-internal.h
+++ b/src/guestfs-internal.h
@@ -322,6 +322,8 @@ struct guestfs_h
virDomainPtr dom; /* libvirt domain */
} virt;
#endif
+ char *virt_selinux_label;
+ char *virt_selinux_imagelabel;
};
/* Per-filesystem data stored for inspect_os. */
diff --git a/src/handle.c b/src/handle.c
index c630daf..2f44632 100644
--- a/src/handle.c
+++ b/src/handle.c
@@ -326,6 +326,8 @@ guestfs_close (guestfs_h *g)
if (g->pda)
hash_free (g->pda);
+ free (g->virt_selinux_label);
+ free (g->virt_selinux_imagelabel);
free (g->tmpdir);
free (g->env_tmpdir);
free (g->int_tmpdir);
diff --git a/src/launch-libvirt.c b/src/launch-libvirt.c
index 7db2ce5..68d875e 100644
--- a/src/launch-libvirt.c
+++ b/src/launch-libvirt.c
@@ -855,6 +855,31 @@ construct_libvirt_xml_seclabel (guestfs_h *g,
BAD_CAST "none"));
XMLERROR (-1, xmlTextWriterEndElement (xo));
}
+ else if (g->virt_selinux_label && g->virt_selinux_imagelabel) {
+ /* Enable sVirt and pass a custom <seclabel/> inherited from the
+ * original libvirt domain (when guestfs_add_domain was called).
+ *
https://bugzilla.redhat.com/show_bug.cgi?id=912499#c7
+ */
+ XMLERROR (-1, xmlTextWriterStartElement (xo, BAD_CAST "seclabel"));
+ XMLERROR (-1,
+ xmlTextWriterWriteAttribute (xo, BAD_CAST "type",
+ BAD_CAST "static"));
+ XMLERROR (-1,
+ xmlTextWriterWriteAttribute (xo, BAD_CAST "model",
+ BAD_CAST "selinux"));
+ XMLERROR (-1,
+ xmlTextWriterWriteAttribute (xo, BAD_CAST "relabel",
+ BAD_CAST "yes"));
+ XMLERROR (-1, xmlTextWriterStartElement (xo, BAD_CAST "label"));
+ XMLERROR (-1, xmlTextWriterWriteString (xo,
+ BAD_CAST g->virt_selinux_label));
+ XMLERROR (-1, xmlTextWriterEndElement (xo));
+ XMLERROR (-1, xmlTextWriterStartElement (xo, BAD_CAST "imagelabel"));
+ XMLERROR (-1, xmlTextWriterWriteString (xo,
+ BAD_CAST g->virt_selinux_imagelabel));
+ XMLERROR (-1, xmlTextWriterEndElement (xo));
+ XMLERROR (-1, xmlTextWriterEndElement (xo));
+ }
return 0;
}
@@ -1603,3 +1628,14 @@ struct attach_ops attach_ops_libvirt = {
};
#endif /* no libvirt or libxml2 at compile time */
+
+int
+guestfs__internal_set_libvirt_selinux_label (guestfs_h *g, const char *label,
+ const char *imagelabel)
+{
+ free (g->virt_selinux_label);
+ g->virt_selinux_label = safe_strdup (g, label);
+ free (g->virt_selinux_imagelabel);
+ g->virt_selinux_imagelabel = safe_strdup (g, imagelabel);
+ return 0;
+}
--
1.8.1.2