Richard W.M. Jones
2009-Aug-12 16:46 UTC
[Libguestfs] [PATCH] Add documentation for SELinux configuration
This patch documents how to use the new SELinux configuration. Rich. -- Richard Jones, Emerging Technologies, Red Hat http://et.redhat.com/~rjones New in Fedora 11: Fedora Windows cross-compiler. Compile Windows programs, test, and build Windows installers. Over 70 libraries supprt'd http://fedoraproject.org/wiki/MinGW http://www.annexia.org/fedora_mingw -------------- next part -------------->From da1fc98ac230329a132de02f8019c0f024374459 Mon Sep 17 00:00:00 2001From: Richard Jones <rjones at trick.home.annexia.org> Date: Wed, 12 Aug 2009 17:40:22 +0100 Subject: [PATCH 1/2] Add documentation for SELinux configuration. --- guestfs.pod | 38 ++++++++++++++++++++++++++++++++++++++ 1 files changed, 38 insertions(+), 0 deletions(-) diff --git a/guestfs.pod b/guestfs.pod index 4d462f3..bc16ecb 100644 --- a/guestfs.pod +++ b/guestfs.pod @@ -316,6 +316,11 @@ Only supports Linux guests (not Windows, BSD, etc). Architecture limitations (eg. won't work for a PPC guest on an X86 host). +=item * + +For SELinux guests, you may need to enable SELinux and load policy +first. See I<SELINUX> in this manpage. + =back The two main API calls to run commands are C<guestfs_command> and 
@@ -337,6 +342,39 @@ directory, plus additional information about each one. C<guestfs_find> can be used to recursively list files. +=head2 SELINUX + +We support SELinux guests. To ensure that labeling happens correctly +in SELinux guests, you need to enable SELinux and load the guest's +policy: + +=over 4 + +=item 1. + +Before launching, do: + + guestfs_set_selinux (g, 1); + +=item 2. + +After mounting the guest's filesystem(s), load the policy. This +is best done by running the L<load_policy(8)> command in the +guest itself: + + guestfs_sh (g, "/usr/sbin/load_policy"); + +(Older versions of C<load_policy> require you to specify the +name of the policy file). + +=back + +This will work for running commands and editing existing files. + +When new files are created, you may need to label them explicitly, +for example by running the external command +C<restorecon pathname>. + =head1 HIGH-LEVEL API ACTIONS =head2 ABI GUARANTEE -- 1.6.2.5
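Review bot: in the first hunk (@@ -316) the new =item refers to the section with `I<SELINUX>`, which in POD is an italic formatting code, not a link, so pod2man/pod2html will render the word in italics without any reference to the section; use the link form `L</SELINUX>` (or `L</"SELINUX">`) so the reference resolves to the `=head2 SELINUX` section added in the second hunk. The sentence "you may need to enable SELinux and load policy first" also does not say first relative to what; "before launching" (as step 1 of the new section puts it) would make the =item self-explanatory.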
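Review bot: in the second hunk (@@ -337) step 2 shows `guestfs_sh (g, "/usr/sbin/load_policy");` without saying what happens when the guest has no load_policy at that path or when the command fails; since labeling then silently stays wrong, the text should tell callers to check the result of guestfs_sh and treat an error as fatal to the labeling setup rather than carrying on. The parenthetical "(Older versions of C<load_policy> require you to specify the name of the policy file)" gives the reader no way to recognise that case or to know what to pass; either show the alternative invocation or drop the remark. Finally, the text says the policy loaded is "the guest's policy", run by load_policy "in the guest itself": spelling out that this means a policy taken from the disk image under inspection is being loaded by the appliance would help callers that process images they do not trust decide whether to take this step at all.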
Matthew Booth
2009-Aug-12 17:05 UTC
[Libguestfs] [PATCH] Add documentation for SELinux configuration
On 12/08/09 17:46, Richard W.M. Jones wrote:
> From da1fc98ac230329a132de02f8019c0f024374459 Mon Sep 17 00:00:00 2001
> From: Richard Jones<rjones at trick.home.annexia.org>
> Date: Wed, 12 Aug 2009 17:40:22 +0100
> Subject: [PATCH 1/2] Add documentation for SELinux configuration.
>
> ---
> guestfs.pod | 38 ++++++++++++++++++++++++++++++++++++++
> 1 files changed, 38 insertions(+), 0 deletions(-)
>
> diff --git a/guestfs.pod b/guestfs.pod
> index 4d462f3..bc16ecb 100644
> --- a/guestfs.pod
> +++ b/guestfs.pod
> @@ -316,6 +316,11 @@ Only supports Linux guests (not Windows, BSD, etc).
> Architecture limitations (eg. won't work for a PPC guest on
> an X86 host).
>
> +=item *
> +
> +For SELinux guests, you may need to enable SELinux and load policy
> +first. See I<SELINUX> in this manpage.
> +

I think this should be L</"SELINUX">

> +This will work for running commands and editing existing files.
> +
> +When new files are created, you may need to label them explicitly,
> +for example by running the external command
> +C<restorecon pathname>.
> +

Yup. Looks good.

Matt
--
Matthew Booth, RHCA, RHCSS
Red Hat Engineering, Virtualisation Team

M: +44 (0)7977 267231
GPG ID: D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490