After a bit of an epic struggle with a RHEL 5 guest, and thanks to
Eric Paris and Dan Walsh, we seem to have hit on a recipe to make
SELinux work, we think:
(1) The guestfsd daemon (ie. init process) must call setexeccon(3) to
set the security context for exec'd children to "unconfined_t".
(The daemon itself will still be running as "kernel_t").
(2) We must mount /selinux in the chroot and run /usr/sbin/load_policy
inside the chroot.
In libguestfs, the commands are:
sh "mount -t selinuxfs none /selinux"
sh "/usr/sbin/load_policy"
(3) We must run every external command (eg. "rpm") via the shell, so
in libguestfs using "sh", never "command".
The reason for this is subtle, but to do with making sure the correct
transitions from kernel_t (init) -> unconfined_t (shell) -> whatever
rpm uses happen.
(4) We also need the patch (see previous email) which removes
selinux=0 parameter. Possibly we should use enforcing=0 however.
And we think that'll allow us to run rpm and have it label things
correctly.
There is still a problem that brand new files created by the daemon
directly won't have labels. In a real system this is handled by
SELinux using inotify to quickly relabel files when they are created
[yes, really].
To fix new files (or any file), use sh "restorecon filename".
Rich.
--
Richard Jones, Emerging Technologies, Red Hat
http://et.redhat.com/~rjones
New in Fedora 11: Fedora Windows cross-compiler. Compile Windows
programs, test, and build Windows installers. Over 70 libraries supprt'd
http://fedoraproject.org/wiki/MinGW http://www.annexia.org/fedora_mingw