4:40 a.m.
Hi,
I was investigating rh#1089100, which is about /etc/resolv.conf not
being properly SELinux-labelled.
Basically the problem is due to /etc/resolv.conf in the guest (so
available as /sysroot/etc/resolv.conf in the appliance) being moved when
executing shell commands (eg guestfs_sh) by the daemon.
This operation involves:
a) moving away guest's /etc/resolv.conf
b) replacing it with the /etc/resolv.conf in the appliance
c) executing the actual shell command
d) moving the guest's /etc/resolv.conf back
... but only if the network is enabled (which is by default).
So far all the ideas I found (to fix the label of /etc/resolv.conf when
--selinux-relabel is asked) were:
1) get the security.selinux xattr before (a), and restore it after (d).
This seems to not have worked at all, at least for me: the read xattr
is "unlabeled", which SELinux obviously refuses later; hence I
discarded it
2) closing the guestfs handle, open a new one with the network disabled
and do the relabel.
This works for me, but has the drawback to slow the process if the
relabel is asked and the network is enabled, as closing+opening an
appliance could not be that fast
3) allow to switch the network on/off also when the appliance is up.
This would require to actually turn on/off the networking at
runtime, which surely cannot be done with the direct backend and most
probably neither with libvirt (but I didn't research hard on this).
Is anything obvious I'm missing? Can I go with solution #2?
--
Pino Toscano
3:03 p.m.
On Fri, Apr 25, 2014 at 11:40:35AM +0200, Pino Toscano wrote:
Hi,
I was investigating rh#1089100, which is about /etc/resolv.conf not
being properly SELinux-labelled.
Basically the problem is due to /etc/resolv.conf in the guest (so
available as /sysroot/etc/resolv.conf in the appliance) being moved when
executing shell commands (eg guestfs_sh) by the daemon.
This operation involves:
a) moving away guest's /etc/resolv.conf
b) replacing it with the /etc/resolv.conf in the appliance
c) executing the actual shell command
d) moving the guest's /etc/resolv.conf back
... but only if the network is enabled (which is by default).
Does bind-mounting /etc/resolv.conf into /sysroot not work?
So far all the ideas I found (to fix the label of /etc/resolv.conf
when
--selinux-relabel is asked) were:
1) get the security.selinux xattr before (a), and restore it after (d).
This seems to not have worked at all, at least for me: the read xattr
is "unlabeled", which SELinux obviously refuses later; hence I
discarded it
This was going to be my suggestion. Surprising there is no label on
the file.
2) closing the guestfs handle, open a new one with the network
disabled
and do the relabel.
This works for me, but has the drawback to slow the process if the
relabel is asked and the network is enabled, as closing+opening an
appliance could not be that fast
Yup, this sounds like a hack ...
3) allow to switch the network on/off also when the appliance is up.
This would require to actually turn on/off the networking at
runtime, which surely cannot be done with the direct backend and most
probably neither with libvirt (but I didn't research hard on this).
It probably could be done with the libvirt backend, ie. dropping or
adding the network interface, but it'd be really ugly and hard.
Is anything obvious I'm missing? Can I go with solution #2?
Another possibility might be to have an optional flag on guestfs_sh
for enabling/disabling resolv.conf munging. Unfortunately resolv.conf
munging is an implementation detail / hack, and it's not nice to
expose implementation details through the API. We've regretted doing
this before.
I'm afraid I don't have a good answer here ..
Rich.
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-p2v converts physical machines to virtual machines. Boot with a
live CD or over the network (PXE) and turn machines into KVM guests.
http://libguestfs.org/virt-v2v
11:32 a.m.
On Friday 25 April 2014 21:03:13 Richard W.M. Jones wrote:
On Fri, Apr 25, 2014 at 11:40:35AM +0200, Pino Toscano wrote:
> Hi,
>
> I was investigating rh#1089100, which is about /etc/resolv.conf not
> being properly SELinux-labelled.
>
> Basically the problem is due to /etc/resolv.conf in the guest (so
> available as /sysroot/etc/resolv.conf in the appliance) being moved
> when executing shell commands (eg guestfs_sh) by the daemon.
> This operation involves:
> a) moving away guest's /etc/resolv.conf
> b) replacing it with the /etc/resolv.conf in the appliance
> c) executing the actual shell command
> d) moving the guest's /etc/resolv.conf back
> ... but only if the network is enabled (which is by default).
Does bind-mounting /etc/resolv.conf into /sysroot not work?
The comments in set_up_etc_resolv_conf (top and inline) talk about
/etc/resolv.conf potentially being a symlink (and a dangling one), hence
ruling this possibility out.
> So far all the ideas I found (to fix the label of
/etc/resolv.conf
> when --selinux-relabel is asked) were:
>
> 1) get the security.selinux xattr before (a), and restore it after
> (d).>
> This seems to not have worked at all, at least for me: the read
> xattr
> is "unlabeled", which SELinux obviously refuses later; hence I
> discarded it
This was going to be my suggestion. Surprising there is no label on
the file.
And interestingly, they are "unlabeled" even when reading
security.selinux xattr before mounting the selinux mount point(s).
> 2) closing the guestfs handle, open a new one with the network
> disabled>
> and do the relabel.
> This works for me, but has the drawback to slow the process if
> the
> relabel is asked and the network is enabled, as closing+opening
> an
> appliance could not be that fast
Yup, this sounds like a hack ...
> 3) allow to switch the network on/off also when the appliance is up.
>
> This would require to actually turn on/off the networking at
> runtime, which surely cannot be done with the direct backend and
> most
> probably neither with libvirt (but I didn't research hard on
> this).
It probably could be done with the libvirt backend, ie. dropping or
adding the network interface, but it'd be really ugly and hard.
> Is anything obvious I'm missing? Can I go with solution #2?
Another possibility might be to have an optional flag on guestfs_sh
for enabling/disabling resolv.conf munging. Unfortunately resolv.conf
munging is an implementation detail / hack, and it's not nice to
expose implementation details through the API. We've regretted doing
this before.
Agree, let's keep it private.
I did another experiment, that is, instead of copy+restore, just
link+unlink resolv.conf. But of course it doesn't work either, since
executing "load_policy && fixfiles restore" will change the label of the
file, whereever it is copied/linked within /sysroot.
The other possible solution it came into my mind is adding a new API,
say selinux_relabel or so, which would just handle daemon-side all the
details needed to make sure linux guests with selinux would have proper
labels on their files. This way, clients would just do an API call, and
the daemon can do whatever it is needed (even changing the actual
implementation from version to version).
--
Pino Toscano
1:23 p.m.
On Mon, May 19, 2014 at 06:32:49PM +0200, Pino Toscano wrote:
The other possible solution it came into my mind is adding a new API,
say selinux_relabel or so, which would just handle daemon-side all the
details needed to make sure linux guests with selinux would have proper
labels on their files. This way, clients would just do an API call, and
the daemon can do whatever it is needed (even changing the actual
implementation from version to version).
(Unfortunately) I think this is the way to go. Like inspection it
means that we build all this knowledge into libguestfs to save users
from having to handle all the details, and (like inspection) giving us
a constant headache :-)
Rich.
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-top is 'top' for virtual machines. Tiny program with many
powerful monitoring features, net stats, disk stats, logging, etc.
http://people.redhat.com/~rjones/virt-top
3839
days inactive
3863
days old
3 comments
2 participants
participants (2)
-
Pino Toscano -
Richard W.M. Jones