Richard W.M. Jones
2009-Aug-12 15:42 UTC
[Libguestfs] [PATCH] If using SELinux, mount /selinux in the appliance
I think this patch is also uncontroversial. If selinux=1 then we mount /selinux in the appliance. We also bind-mount it into guests when running commands, just like we do for /proc, /dev etc. If SELinux is disabled, then /selinux doesn't get mounted. Rich. -- Richard Jones, Emerging Technologies, Red Hat http://et.redhat.com/~rjones virt-p2v converts physical machines to virtual machines. Boot with a live CD or over the network (PXE) and turn machines into Xen guests. http://et.redhat.com/~rjones/virt-p2v -------------- next part -------------->From e31c8587643ae8f5987198d39e014e041112a663 Mon Sep 17 00:00:00 2001From: Richard Jones <rjones at trick.home.annexia.org> Date: Wed, 12 Aug 2009 16:31:06 +0100 Subject: [PATCH] If using SELinux, mount /selinux in the appliance. If selinux=1 on the Linux kernel command line, then we mount /selinux in the appliance. We will also bind-mount this directory into guests when we run commands. --- appliance/init | 4 ++++ appliance/make.sh.in | 3 +++ daemon/command.c | 10 ++++++++-- 3 files changed, 15 insertions(+), 2 deletions(-) diff --git a/appliance/init b/appliance/init index b33a34c..fe135b4 100755 --- a/appliance/init +++ b/appliance/init @@ -33,6 +33,10 @@ else modprobe virtio_net fi +if grep -sq selinux=1 /proc/cmdline; then + mount -t selinuxfs none /selinux +fi + modprobe dm_mod ||: ifconfig lo 127.0.0.1 diff --git a/appliance/make.sh.in b/appliance/make.sh.in index d76c961..66bdebc 100755 --- a/appliance/make.sh.in +++ b/appliance/make.sh.in @@ -47,6 +47,9 @@ if [ "@DIST@" = "REDHAT" ]; then # Create /tmp if it is missing. @FEBOOTSTRAP_RUN@ initramfs -- mkdir -p --mode=0777 /tmp + # Create /selinux if it is missing. + @FEBOOTSTRAP_RUN@ initramfs -- mkdir -p --mode=0755 /selinux + # Nuke some stuff. The kernel pulls mkinitrd and plymouth which pulls in # all of Python. Sheez. (cd initramfs && find -name '*plymouth*' -print0) | diff --git a/daemon/command.c b/daemon/command.c index 0399255..3261513 100644 --- a/daemon/command.c +++ b/daemon/command.c @@ -31,8 +31,9 @@ do_command (char **argv) { char *out, *err; int r; - char *sysroot_proc, *sysroot_dev, *sysroot_dev_pts, *sysroot_sys; - int proc_ok, dev_ok, dev_pts_ok, sys_ok; + char *sysroot_dev, *sysroot_dev_pts, *sysroot_proc, + *sysroot_selinux, *sysroot_sys; + int dev_ok, dev_pts_ok, proc_ok, selinux_ok, sys_ok; /* We need a root filesystem mounted to do this. */ NEED_ROOT (NULL); @@ -57,6 +58,7 @@ do_command (char **argv) sysroot_dev = sysroot_path ("/dev"); sysroot_dev_pts = sysroot_path ("/dev/pts"); sysroot_proc = sysroot_path ("/proc"); + sysroot_selinux = sysroot_path ("/selinux"); sysroot_sys = sysroot_path ("/sys"); r = command (NULL, NULL, "mount", "--bind", "/dev", sysroot_dev, NULL); @@ -65,6 +67,8 @@ do_command (char **argv) dev_pts_ok = r != -1; r = command (NULL, NULL, "mount", "--bind", "/proc", sysroot_proc, NULL); proc_ok = r != -1; + r = command (NULL, NULL, "mount", "--bind", "/selinux", sysroot_selinux, NULL); + selinux_ok = r != -1; r = command (NULL, NULL, "mount", "--bind", "/sys", sysroot_sys, NULL); sys_ok = r != -1; @@ -73,6 +77,7 @@ do_command (char **argv) CHROOT_OUT; if (sys_ok) command (NULL, NULL, "umount", sysroot_sys, NULL); + if (selinux_ok) command (NULL, NULL, "umount", sysroot_selinux, NULL); if (proc_ok) command (NULL, NULL, "umount", sysroot_proc, NULL); if (dev_pts_ok) command (NULL, NULL, "umount", sysroot_dev_pts, NULL); if (dev_ok) command (NULL, NULL, "umount", sysroot_dev, NULL); @@ -80,6 +85,7 @@ do_command (char **argv) free (sysroot_dev); free (sysroot_dev_pts); free (sysroot_proc); + free (sysroot_selinux); free (sysroot_sys); if (r == -1) { -- 1.6.2.5
Matthew Booth
2009-Aug-12 16:35 UTC
[Libguestfs] [PATCH] If using SELinux, mount /selinux in the appliance
On 12/08/09 16:42, Richard W.M. Jones wrote:> I think this patch is also uncontroversial. > > If selinux=1 then we mount /selinux in the appliance. We also > bind-mount it into guests when running commands, just like we do for > /proc, /dev etc. > > If SELinux is disabled, then /selinux doesn't get mounted.ACK. -- Matthew Booth, RHCA, RHCSS Red Hat Engineering, Virtualisation Team M: +44 (0)7977 267231 GPG ID: D33C3490 GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490
Jim Meyering
2009-Aug-12 17:15 UTC
[Libguestfs] [PATCH] If using SELinux, mount /selinux in the appliance
Richard W.M. Jones wrote:> I think this patch is also uncontroversial. > > If selinux=1 then we mount /selinux in the appliance. We also > bind-mount it into guests when running commands, just like we do for > /proc, /dev etc. > > If SELinux is disabled, then /selinux doesn't get mounted....> diff --git a/daemon/command.c b/daemon/command.c > index 0399255..3261513 100644 > --- a/daemon/command.c > +++ b/daemon/command.c > @@ -31,8 +31,9 @@ do_command (char **argv) > { > char *out, *err; > int r; > - char *sysroot_proc, *sysroot_dev, *sysroot_dev_pts, *sysroot_sys; > - int proc_ok, dev_ok, dev_pts_ok, sys_ok; > + char *sysroot_dev, *sysroot_dev_pts, *sysroot_proc, > + *sysroot_selinux, *sysroot_sys; > + int dev_ok, dev_pts_ok, proc_ok, selinux_ok, sys_ok; > > /* We need a root filesystem mounted to do this. */ > NEED_ROOT (NULL); > @@ -57,6 +58,7 @@ do_command (char **argv) > sysroot_dev = sysroot_path ("/dev"); > sysroot_dev_pts = sysroot_path ("/dev/pts"); > sysroot_proc = sysroot_path ("/proc"); > + sysroot_selinux = sysroot_path ("/selinux"); > sysroot_sys = sysroot_path ("/sys"); > > r = command (NULL, NULL, "mount", "--bind", "/dev", sysroot_dev, NULL);Shouldn't each of these sysroot_* variables be tested, in case sysroot_path's malloc has failed?
Maybe Matching Threads
- [PATCH 1/2] daemon: If /selinux exists in the guest, bind-mount /sys/fs/selinux to there.
- [PATCH 0/2] Implement virt-builder --selinux-relabel option.
- missing chdir before chroot in guestfsd
- [PATCH 00/13] Fix errors found using Coverity static analyzer.
- [PATCH 0/6 v2] [FOR COMMENTS ONLY] Rework inspection.