Libguestfs - Aug 2009 - [PATCH] If using SELinux, mount /selinux in the appliance

I think this patch is also uncontroversial.

If selinux=1 then we mount /selinux in the appliance.  We also
bind-mount it into guests when running commands, just like we do for
/proc, /dev etc.

If SELinux is disabled, then /selinux doesn't get mounted.

Rich.

-- 
Richard Jones, Emerging Technologies, Red Hat  http://et.redhat.com/~rjones
virt-p2v converts physical machines to virtual machines.  Boot with a
live CD or over the network (PXE) and turn machines into Xen guests.
http://et.redhat.com/~rjones/virt-p2v
-------------- next part --------------
>From e31c8587643ae8f5987198d39e014e041112a663 Mon Sep 17 00:00:00 2001
From: Richard Jones <rjones at trick.home.annexia.org>
Date: Wed, 12 Aug 2009 16:31:06 +0100
Subject: [PATCH] If using SELinux, mount /selinux in the appliance.

If selinux=1 on the Linux kernel command line, then we mount
/selinux in the appliance.  We will also bind-mount this
directory into guests when we run commands.
---
 appliance/init       |    4 ++++
 appliance/make.sh.in |    3 +++
 daemon/command.c     |   10 ++++++++--
 3 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/appliance/init b/appliance/init
index b33a34c..fe135b4 100755
--- a/appliance/init
+++ b/appliance/init
@@ -33,6 +33,10 @@ else
   modprobe virtio_net
 fi
 
+if grep -sq selinux=1 /proc/cmdline; then
+  mount -t selinuxfs none /selinux
+fi
+
 modprobe dm_mod ||:
 
 ifconfig lo 127.0.0.1
diff --git a/appliance/make.sh.in b/appliance/make.sh.in
index d76c961..66bdebc 100755
--- a/appliance/make.sh.in
+++ b/appliance/make.sh.in
@@ -47,6 +47,9 @@ if [ "@DIST@" = "REDHAT" ]; then
   # Create /tmp if it is missing.
   @FEBOOTSTRAP_RUN@ initramfs -- mkdir -p --mode=0777 /tmp
 
+  # Create /selinux if it is missing.
+  @FEBOOTSTRAP_RUN@ initramfs -- mkdir -p --mode=0755 /selinux
+
   # Nuke some stuff.  The kernel pulls mkinitrd and plymouth which pulls in
   # all of Python.  Sheez.
   (cd initramfs && find -name '*plymouth*' -print0) |
diff --git a/daemon/command.c b/daemon/command.c
index 0399255..3261513 100644
--- a/daemon/command.c
+++ b/daemon/command.c
@@ -31,8 +31,9 @@ do_command (char **argv)
 {
   char *out, *err;
   int r;
-  char *sysroot_proc, *sysroot_dev, *sysroot_dev_pts, *sysroot_sys;
-  int proc_ok, dev_ok, dev_pts_ok, sys_ok;
+  char *sysroot_dev, *sysroot_dev_pts, *sysroot_proc,
+    *sysroot_selinux, *sysroot_sys;
+  int dev_ok, dev_pts_ok, proc_ok, selinux_ok, sys_ok;
 
   /* We need a root filesystem mounted to do this. */
   NEED_ROOT (NULL);
@@ -57,6 +58,7 @@ do_command (char **argv)
   sysroot_dev = sysroot_path ("/dev");
   sysroot_dev_pts = sysroot_path ("/dev/pts");
   sysroot_proc = sysroot_path ("/proc");
+  sysroot_selinux = sysroot_path ("/selinux");
   sysroot_sys = sysroot_path ("/sys");
 
   r = command (NULL, NULL, "mount", "--bind",
"/dev", sysroot_dev, NULL);
@@ -65,6 +67,8 @@ do_command (char **argv)
   dev_pts_ok = r != -1;
   r = command (NULL, NULL, "mount", "--bind",
"/proc", sysroot_proc, NULL);
   proc_ok = r != -1;
+  r = command (NULL, NULL, "mount", "--bind",
"/selinux", sysroot_selinux, NULL);
+  selinux_ok = r != -1;
   r = command (NULL, NULL, "mount", "--bind",
"/sys", sysroot_sys, NULL);
   sys_ok = r != -1;
 
@@ -73,6 +77,7 @@ do_command (char **argv)
   CHROOT_OUT;
 
   if (sys_ok) command (NULL, NULL, "umount", sysroot_sys, NULL);
+  if (selinux_ok) command (NULL, NULL, "umount", sysroot_selinux,
NULL);
   if (proc_ok) command (NULL, NULL, "umount", sysroot_proc, NULL);
   if (dev_pts_ok) command (NULL, NULL, "umount", sysroot_dev_pts,
NULL);
   if (dev_ok) command (NULL, NULL, "umount", sysroot_dev, NULL);
@@ -80,6 +85,7 @@ do_command (char **argv)
   free (sysroot_dev);
   free (sysroot_dev_pts);
   free (sysroot_proc);
+  free (sysroot_selinux);
   free (sysroot_sys);
 
   if (r == -1) {
-- 
1.6.2.5

On 12/08/09 16:42, Richard W.M. Jones wrote:
> I think this patch is also uncontroversial.
>
> If selinux=1 then we mount /selinux in the appliance.  We also
> bind-mount it into guests when running commands, just like we do for
> /proc, /dev etc.
>
> If SELinux is disabled, then /selinux doesn't get mounted.
ACK.


-- 
Matthew Booth, RHCA, RHCSS
Red Hat Engineering, Virtualisation Team

M:       +44 (0)7977 267231
GPG ID:  D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490

Richard W.M. Jones wrote:
> I think this patch is also uncontroversial.
>
> If selinux=1 then we mount /selinux in the appliance.  We also
> bind-mount it into guests when running commands, just like we do for
> /proc, /dev etc.
>
> If SELinux is disabled, then /selinux doesn't get mounted.
...
> diff --git a/daemon/command.c b/daemon/command.c
> index 0399255..3261513 100644
> --- a/daemon/command.c
> +++ b/daemon/command.c
> @@ -31,8 +31,9 @@ do_command (char **argv)
>  {
>    char *out, *err;
>    int r;
> -  char *sysroot_proc, *sysroot_dev, *sysroot_dev_pts, *sysroot_sys;
> -  int proc_ok, dev_ok, dev_pts_ok, sys_ok;
> +  char *sysroot_dev, *sysroot_dev_pts, *sysroot_proc,
> +    *sysroot_selinux, *sysroot_sys;
> +  int dev_ok, dev_pts_ok, proc_ok, selinux_ok, sys_ok;
>
>    /* We need a root filesystem mounted to do this. */
>    NEED_ROOT (NULL);
> @@ -57,6 +58,7 @@ do_command (char **argv)
>    sysroot_dev = sysroot_path ("/dev");
>    sysroot_dev_pts = sysroot_path ("/dev/pts");
>    sysroot_proc = sysroot_path ("/proc");
> +  sysroot_selinux = sysroot_path ("/selinux");
>    sysroot_sys = sysroot_path ("/sys");
>
>    r = command (NULL, NULL, "mount", "--bind",
"/dev", sysroot_dev, NULL);
Shouldn't each of these sysroot_* variables be tested,
in case sysroot_path's malloc has failed?