thr3ads.net - Libguestfs - [Libguestfs] [PATCH] Add 'setcon', 'getcon' commands to set and get the SELinux context [Aug 2009]

If this information is useful, please help other people find it:
Share via:

Richard W.M. Jones

2009-Aug-12 16:21 UTC

[Libguestfs] [PATCH] Add 'setcon', 'getcon' commands to set and get the SELinux context

These commands let you set and get the SELinux context of the daemon
and all operations in the API and processes run from the daemon:

  $ ./fish/guestfish --ro -a /dev/mapper/vg_trick-F11x64 \
    selinux 1 : \
    run : \
    mount /dev/vg_f11x64/lv_root / : \
    sh "/usr/sbin/load_policy" : \
    getcon : \
    setcon "system_u:system_r:unconfined_t:s0" : \
    getcon
  
  system_u:system_r:kernel_t:s0
  system_u:system_r:unconfined_t:s0

Rich.

-- 
Richard Jones, Emerging Technologies, Red Hat  http://et.redhat.com/~rjones
virt-df lists disk usage of guests without needing to install any
software inside the virtual machine.  Supports Linux and Windows.
http://et.redhat.com/~rjones/virt-df/
-------------- next part -------------->From 4633bff07a20ba4a7e2278fa13f400971bdfdaf5 Mon Sep 17 00:00:00 2001From: Richard Jones <rjones at trick.home.annexia.org>
Date: Wed, 12 Aug 2009 16:56:09 +0100
Subject: [PATCH] Add 'setcon', 'getcon' commands to set and get
the SELinux context.

---
 appliance/packagelist.in |    1 +
 daemon/Makefile.am       |    1 +
 daemon/configure.ac      |   11 ++++++
 daemon/selinux.c         |   81 ++++++++++++++++++++++++++++++++++++++++++++++
 po/POTFILES.in           |    1 +
 src/MAX_PROC_NR          |    2 +-
 src/generator.ml         |   18 ++++++++++
 7 files changed, 114 insertions(+), 1 deletions(-)
 create mode 100644 daemon/selinux.c

diff --git a/appliance/packagelist.in b/appliance/packagelist.in
index be45fc4..abcd429 100644
--- a/appliance/packagelist.in
+++ b/appliance/packagelist.in
@@ -15,6 +15,7 @@
   MAKEDEV
   ntfsprogs
   scrub
+  libselinux
   udev
   util-linux-ng
 #elif DEBIAN == 1
diff --git a/daemon/Makefile.am b/daemon/Makefile.am
index 43cc752..9406944 100644
--- a/daemon/Makefile.am
+++ b/daemon/Makefile.am
@@ -61,6 +61,7 @@ guestfsd_SOURCES = \
 	readdir.c \
 	realpath.c \
 	scrub.c \
+	selinux.c \
 	sfdisk.c \
 	sleep.c \
 	stat.c \
diff --git a/daemon/configure.ac b/daemon/configure.ac
index 43e331b..62c28ee 100644
--- a/daemon/configure.ac
+++ b/daemon/configure.ac
@@ -64,6 +64,17 @@ if test "x$have_augeas" = "xyes"; then
         AC_DEFINE([HAVE_AUGEAS],[1],[Define to 1 if you have Augeas])
 fi
 
+dnl Check for libselinux (optional).
+AC_CHECK_HEADERS([selinux/selinux.h])
+AC_CHECK_LIB([selinux],[setexeccon],[
+        LIBS="-lselinux $LIBS"
+	have_libselinux="$ac_cv_header_selinux_selinux_h"
+        AC_CHECK_FUNCS([setcon getcon])
+        ],[have_libselinux=no])
+if test "x$have_libselinux" = "xyes"; then
+        AC_DEFINE([HAVE_LIBSELINUX],[1],[Define to 1 if you have libselinux])
+fi
+
 dnl Check for XDR library.
 AC_CHECK_LIB([portablexdr],[xdrmem_create],[],[
         AC_SEARCH_LIBS([xdrmem_create],[rpc xdr nsl])
diff --git a/daemon/selinux.c b/daemon/selinux.c
new file mode 100644
index 0000000..6e2b347
--- /dev/null
+++ b/daemon/selinux.c
@@ -0,0 +1,81 @@
+/* libguestfs - the guestfsd daemon
+ * Copyright (C) 2009 Red Hat Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+ */
+
+#include <config.h>
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#ifdef HAVE_SELINUX_SELINUX_H
+#include <selinux/selinux.h>
+#endif
+
+#include "../src/guestfs_protocol.h"
+#include "daemon.h"
+#include "actions.h"
+
+#ifdef HAVE_LIBSELINUX
+
+/* setcon is only valid under the following circumstances:
+ * - single threaded
+ * - enforcing=0
+ */
+int
+do_setcon (char *context)
+{
+#ifdef HAVE_SETCON
+  if (setcon ((char *) context) == -1) {
+    reply_with_perror ("setcon");
+    return -1;
+  }
+
+  return 0;
+#else
+  reply_with_error ("%s is not available", __func__);
+  return -1;
+#endif
+}
+
+char *
+do_getcon (void)
+{
+#ifdef HAVE_GETCON
+  security_context_t context;
+  char *r;
+
+  if (getcon (&context) == -1) {
+    reply_with_perror ("getcon");
+    return NULL;
+  }
+
+  r = strdup (context);
+  freecon (context);
+  if (r == NULL) {
+    reply_with_perror ("strdup");
+    return NULL;
+  }
+
+  return r;                     /* caller frees */
+#else
+  reply_with_error ("%s is not available", __func__);
+  return -1;
+#endif
+}
+
+#endif /* HAVE_LIBSELINUX */
diff --git a/po/POTFILES.in b/po/POTFILES.in
index 382cd3a..79a2856 100644
--- a/po/POTFILES.in
+++ b/po/POTFILES.in
@@ -37,6 +37,7 @@ daemon/proto.c
 daemon/readdir.c
 daemon/realpath.c
 daemon/scrub.c
+daemon/selinux.c
 daemon/sfdisk.c
 daemon/sleep.c
 daemon/stat.c
diff --git a/src/MAX_PROC_NR b/src/MAX_PROC_NR
index dc37bbd..bc3d544 100644
--- a/src/MAX_PROC_NR
+++ b/src/MAX_PROC_NR
@@ -1 +1 @@
-184
+186
diff --git a/src/generator.ml b/src/generator.ml
index 0bd9924..e6d1a84 100755
--- a/src/generator.ml
+++ b/src/generator.ml
@@ -3427,6 +3427,24 @@ This closes the inotify handle which was previously
 opened by inotify_init.  It removes all watches, throws
 away any pending events, and deallocates all resources.");
 
+  ("setcon", (RErr, [String "context"]), 185, [],
+   [],
+   "set SELinux security context",
+   "\
+This sets the SELinux security context of the daemon
+to the string C<context>.
+
+See the documentation about SELINUX in L<guestfs(3)>.");
+
+  ("getcon", (RString "context", []), 186, [],
+   [],
+   "get SELinux security context",
+   "\
+This gets the SELinux security context of the daemon.
+
+See the documentation about SELINUX in L<guestfs(3)>,
+and C<guestfs_setcon>");
+
 ]
 
 let all_functions = non_daemon_functions @ daemon_functions
-- 
1.6.2.5

Richard W.M. Jones

2009-Aug-12 16:36 UTC

head link

[Libguestfs] [PATCH] Add 'setcon', 'getcon' commands to set and get the SELinux context

On Wed, Aug 12, 2009 at 05:21:37PM +0100, Richard W.M. Jones
wrote:>     setcon "system_u:system_r:unconfined_t:s0" : \
In case anyone gets the wrong idea, for Fedora/RHEL that context
should actually be:

unconfined_u:unconfined_r:unconfined_t:s0

And it could be different for other distributions, or even for
variations of RHEL.

Rich.

-- 
Richard Jones, Emerging Technologies, Red Hat  http://et.redhat.com/~rjones
virt-p2v converts physical machines to virtual machines.  Boot with a
live CD or over the network (PXE) and turn machines into Xen guests.
http://et.redhat.com/~rjones/virt-p2v

Apparently Analagous Threads

Search for more apparently analagous threads

Libguestfs - Aug 2009 - [PATCH] Add 'setcon', 'getcon' commands to set and get the SELinux context

[Libguestfs] [PATCH] Add 'setcon', 'getcon' commands to set and get the SELinux context

[Libguestfs] [PATCH] Add 'setcon', 'getcon' commands to set and get the SELinux context

Apparently Analagous Threads