This is continuing/summarising a rather long discussion that happened on IRC ... We talked to some SELinux experts about what was required to make SELinux work with libguestfs, and it seems reasonably simple to load the policy from the guest filesystem.

All that needs to be done is to mount the guest disks up and then run:

  sh "/usr/sbin/load_policy -i"

That command also mounts up <sysroot>/selinux, so that solves the other problem they raised.

I wasn't completely sure how to test this was actually working. My best effort was to try to run some commands that would label files. This is using a fresh Fedora 11 install that has SELinux enforcing on it:

  guestfish -a /dev/mapper/vg_trick-F11x64 --ro \
    run : mount /dev/vg_f11x64/lv_root / : \
    sh "/usr/sbin/load_policy -i" : \
    sh "ls -lZ /etc/passwd"
  -rw-r--r--. root root system_u:object_r:etc_t:s0 /etc/passwd

  guestfish -a /dev/mapper/vg_trick-F11x64 --ro \
    run : mount /dev/vg_f11x64/lv_root / : \
    sh "/usr/sbin/load_policy -i" : \
    sh "chcon user_u:object_r:file_t /etc/passwd" : \
    sh "ls -lZ /etc/passwd"
  -rw-r--r--. root root user_u:object_r:file_t /etc/passwd

So it seems that relabelling files (using chcon) works. Whether this means everything will work, I don't know.

You will also get a warning when guestfish exits at the moment:

  libguestfs: error: umount: /sysroot: umount: /sysroot: device is busy.
  (In some cases useful info about processes that use the device is found by lsof(8) or fuser(1))

This happens because the load_policy command is mounting /sysroot/selinux and thus preventing /sysroot from being unmounted during the automatic shutdown phase at the end.

[Note: The attached patch is also required, because at the moment we are booting the kernel with selinux=0 for other reasons. This should be made configurable.]

Rich.

-- 
Richard Jones, Emerging Technologies, Red Hat  http://et.redhat.com/~rjones
virt-df lists disk usage of guests without needing to install any software inside the virtual machine.
Supports Linux and Windows. http://et.redhat.com/~rjones/virt-df/ -------------- next part -------------- diff --git a/src/guestfs.c b/src/guestfs.c index 9560aec..d1b12c0 100644 --- a/src/guestfs.c +++ b/src/guestfs.c @@ -1047,8 +1047,7 @@ guestfs_launch (guestfs_h *g) "udevtimeout=300 " /* good for very slow systems (RHBZ#480319) */ \ "noapic " /* workaround for RHBZ#502058 - ok if not SMP */ \ "acpi=off " /* we don't need ACPI, turn it off */ \ - "cgroup_disable=memory " /* saves us about 5 MB of RAM */ \ - "selinux=0 " /* SELinux is messed up if there's no policy */ + "cgroup_disable=memory " /* saves us about 5 MB of RAM */ /* Linux kernel command line. */ snprintf (append, sizeof append,
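Review bot: dropping the "selinux=0 " line with no replacement means the appliance kernel now boots with SELinux enabled but no policy loaded until the user runs load_policy, which is exactly the state the removed comment ("SELinux is messed up if there's no policy") warns about. Since the cover note says this should be made configurable, consider keeping the parameter behind a launch-time option, or adding "enforcing=0 " as the follow-up message suggests, so a guest with no loadable policy cannot leave the daemon in that state. The trailing backslash is correctly gone from the new last line, so the string continuation still closes properly.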
After a bit of an epic struggle with a RHEL 5 guest, and thanks to Eric Paris and Dan Walsh, we seem to have hit on a recipe to make SELinux work, we think:

(1) The guestfsd daemon (i.e. init process) must call setexeccon(3) to set the security context for exec'd children to "unconfined_t". (The daemon itself will still be running as "kernel_t").

(2) We must mount /selinux in the chroot and run /usr/sbin/load_policy inside the chroot. In libguestfs, the commands are:

  sh "mount -t selinuxfs none /selinux"
  sh "/usr/sbin/load_policy"

(3) We must run every external command (e.g. "rpm") via the shell, so in libguestfs using "sh", never "command". The reason for this is subtle, but to do with making sure the correct transitions from kernel_t (init) -> unconfined_t (shell) -> whatever rpm uses happen.

(4) We also need the patch (see previous email) which removes the selinux=0 parameter. Possibly we should use enforcing=0 however.

And we think that'll allow us to run rpm and have it label things correctly.

There is still a problem that brand new files created by the daemon directly won't have labels. In a real system this is handled by SELinux using inotify to quickly relabel files when they are created [yes, really]. To fix new files (or any file), use:

  sh "restorecon filename"

Rich.

-- 
Richard Jones, Emerging Technologies, Red Hat  http://et.redhat.com/~rjones
New in Fedora 11: Fedora Windows cross-compiler. Compile Windows programs, test, and build Windows installers. Over 70 libraries supported
http://fedoraproject.org/wiki/MinGW  http://www.annexia.org/fedora_mingw
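As an added example (not code from the thread or from libguestfs itself), here is the verification step the first message was unsure about, built on the recipe in the second: load the guest's own policy through guestfish and check that a file's SELinux type from "ls -lZ" is what the guest's policy says it should be. The image path, root device and filename are parameters you supply; the guestfish invocation is assumed to behave as in the thread, and the label parsing goes beyond the thread by also accepting the modern coreutils "ls -lZ" layout.

```shell
#!/bin/sh
# Added example, not code from the thread or from libguestfs.
# Checks that a file inside a guest carries the expected SELinux type,
# following the thread's recipe: mount selinuxfs, load the guest's own
# policy, then read the label with `ls -lZ` through guestfish's "sh".
# Assumes guestfish is on PATH; the parsing functions run stand-alone.

# Print the SELinux context (first field with at least two colons) from
# one line of `ls -lZ` output. Handles the old coreutils layout seen in
# the thread (context is the 4th field) and the modern one (context sits
# after the group field). Prints nothing for an unlabelled file.
context_of_ls_line() {
    printf '%s\n' "$1" |
        awk '{ for (i = 1; i <= NF; i++)
                   if ($i ~ /^[^:]+:[^:]+:[^:]+/) { print $i; exit } }'
}

# Print the type component (user:role:TYPE[:range]) of a context.
type_of_context() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Exit 0 if the `ls -lZ` line carries the expected type, 1 otherwise.
# An unlabelled file (no context field) counts as a mismatch: that is the
# "new file created directly by the daemon" case the thread describes.
check_type() {
    ctx=$(context_of_ls_line "$1")
    [ -n "$ctx" ] && [ "$(type_of_context "$ctx")" = "$2" ]
}

# Run the thread's recipe against a guest and verify one file's type.
# Usage: verify_guest_label IMAGE ROOTDEV FILE EXPECTED_TYPE
verify_guest_label() {
    out=$(guestfish -a "$1" --ro \
            run : mount "$2" / : \
            sh "mount -t selinuxfs none /selinux" : \
            sh "/usr/sbin/load_policy" : \
            sh "ls -lZ $3") || return 1
    check_type "$out" "$4"
}
```

For the Fedora 11 guest in the thread the call would be verify_guest_label /dev/mapper/vg_trick-F11x64 /dev/vg_f11x64/lv_root /etc/passwd etc_t, which succeeds only if load_policy really took effect.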