Richard W.M. Jones
2009-Aug-12 15:22 UTC
[Libguestfs] [PATCH] Allow selinux=? and enforcing=? kernel flags to be controlled
This is a pretty uncontroversial patch which just allows the selinux=? and enforcing=? flags on the kernel command line to be controlled. Currently libguestfs unconditionally passes selinux=0. By default this patch does the same thing, but allows programs to enable SELinux in the kernel and/or set it to enforcing mode. Rich. -- Richard Jones, Emerging Technologies, Red Hat http://et.redhat.com/~rjones virt-top is 'top' for virtual machines. Tiny program with many powerful monitoring features, net stats, disk stats, logging, etc. http://et.redhat.com/~rjones/virt-top -------------- next part -------------->From d747b641cc683ce05dc83a9d3c94d3d482e97318 Mon Sep 17 00:00:00 2001From: Richard Jones <rjones at trick.home.annexia.org> Date: Wed, 12 Aug 2009 16:10:35 +0100 Subject: [PATCH] =?utf-8?q?Allow=20selinux=3D=3F=20and=20enforcing=3D=3F=20kernel=20flags=20to=20be=20controlled.? Adds new API calls to set and get these flags. --- src/generator.ml | 45 +++++++++++++++++++++++++++++++++++++++++++++ src/guestfs.c | 45 ++++++++++++++++++++++++++++++++++++++++----- 2 files changed, 85 insertions(+), 5 deletions(-) diff --git a/src/generator.ml b/src/generator.ml index 8d16945..d44f2a6 100755 --- a/src/generator.ml +++ b/src/generator.ml @@ -761,6 +761,51 @@ C<$major.$minor.$release$extra> I<Note:> Don't use this call to test for availability of features. Distro backports makes this unreliable."); + ("set_selinux", (RErr, [Bool "selinux"]), -1, [FishAlias "selinux"], + [InitNone, Always, TestOutputTrue ( + [["set_selinux"; "true"]; + ["get_selinux"]])], + "set SELinux enabled or disabled at appliance boot", + "\ +This sets the selinux flag that is passed to the appliance +at boot time. The default is C<selinux=0> (disabled). + +For more information on the architecture of libguestfs, +see L<guestfs(3)>."); + + ("get_selinux", (RBool "selinux", []), -1, [], + [], + "get SELinux enabled flag", + "\ +This returns the current setting of the selinux flag which +is passed to the appliance at boot time. See C<guestfs_set_selinux>. + +For more information on the architecture of libguestfs, +see L<guestfs(3)>."); + + ("set_selinux_enforcing", (RErr, [Bool "enforcing"]), -1, [FishAlias "selinux_enforcing"], + [InitNone, Always, TestOutputTrue ( + [["set_selinux_enforcing"; "true"]; + ["get_selinux_enforcing"]])], + "set SELinux enforcing or permissive at appliance boot", + "\ +This sets the enforcing flag that is passed to the appliance +at boot time. The default is C<enforcing=0> (permissive). + +For more information on the architecture of libguestfs, +see L<guestfs(3)>."); + + ("get_selinux_enforcing", (RBool "enforcing", []), -1, [], + [], + "get SELinux enforcing flag", + "\ +This returns the current setting of the enforcing flag which +is passed to the appliance at boot time. +See C<guestfs_set_selinux_enforcing> and C<guestfs_set_selinux>. + +For more information on the architecture of libguestfs, +see L<guestfs(3)>."); + ] (* daemon_functions are any functions which cause some action diff --git a/src/guestfs.c b/src/guestfs.c index 9560aec..c7943a5 100644 --- a/src/guestfs.c +++ b/src/guestfs.c @@ -177,6 +177,9 @@ struct guestfs_h int memsize; /* Size of RAM (megabytes). */ + int selinux; /* selinux enabled? */ + int selinux_enforcing; /* selinux enforcing? */ + char *last_error; /* Callbacks. */ @@ -689,6 +692,32 @@ guestfs_get_memsize (guestfs_h *g) } int +guestfs_set_selinux (guestfs_h *g, int selinux) +{ + g->selinux = selinux; + return 0; +} + +int +guestfs_get_selinux (guestfs_h *g) +{ + return g->selinux; +} + +int +guestfs_set_selinux_enforcing (guestfs_h *g, int selinux_enforcing) +{ + g->selinux_enforcing = selinux_enforcing; + return 0; +} + +int +guestfs_get_selinux_enforcing (guestfs_h *g) +{ + return g->selinux_enforcing; +} + +int guestfs_get_pid (guestfs_h *g) { if (g->pid > 0) @@ -1047,15 +1076,21 @@ guestfs_launch (guestfs_h *g) "udevtimeout=300 " /* good for very slow systems (RHBZ#480319) */ \ "noapic " /* workaround for RHBZ#502058 - ok if not SMP */ \ "acpi=off " /* we don't need ACPI, turn it off */ \ - "cgroup_disable=memory " /* saves us about 5 MB of RAM */ \ - "selinux=0 " /* SELinux is messed up if there's no policy */ + "cgroup_disable=memory " /* saves us about 5 MB of RAM */ /* Linux kernel command line. */ snprintf (append, sizeof append, - LINUX_CMDLINE "guestfs=%s:%d%s%s%s", + LINUX_CMDLINE + "guestfs=%s:%d " + "%s" /* (selinux) */ + "%s" /* (enforcing) */ + "%s" /* (verbose) */ + "%s", /* (append) */ VMCHANNEL_ADDR, VMCHANNEL_PORT, - g->verbose ? " guestfs_verbose=1" : "", - g->append ? " " : "", g->append ? g->append : ""); + g->selinux ? "selinux=1 " : "selinux=0 ", + g->selinux_enforcing ? "enforcing=1 " : "enforcing=0 ", + g->verbose ? "guestfs_verbose=1 " : " ", + g->append ? g->append : ""); snprintf (memsize_str, sizeof memsize_str, "%d", g->memsize); -- 1.6.2.5
Matthew Booth
2009-Aug-12 15:32 UTC
[Libguestfs] [PATCH] Allow selinux=? and enforcing=? kernel flags to be controlled
On 12/08/09 16:22, Richard W.M. Jones wrote:> This is a pretty uncontroversial patch which just allows the > selinux=? and enforcing=? flags on the kernel command line > to be controlled. > > Currently libguestfs unconditionally passes selinux=0. By default > this patch does the same thing, but allows programs to enable SELinux > in the kernel and/or set it to enforcing mode.Patch looks ok except that we shouldn't include the enforcing flag. I can't conceive of any reason we'd want SELinux in enforcing mode in the appliance. If selinux=1, then assume enforcing=0. Matt -- Matthew Booth, RHCA, RHCSS Red Hat Engineering, Virtualisation Team M: +44 (0)7977 267231 GPG ID: D33C3490 GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490