Bug 554829

Summary: SELinux handling could be done better.
Product: [Community] Virtualization Tools
Component: libguestfs
Reporter: Daniel Walsh <dwalsh>
Assignee: Richard W.M. Jones <rjones>
Status: NEW
Severity: medium
Priority: low
Version: unspecified
CC: mbooth, ptoscano, virt-maint
Hardware: All
OS: Linux
Doc Type: Bug Fix
Bug Depends On: 1089100

Description Daniel Walsh 2010-01-12 13:55:07 EST
Description of problem:

If a guest OS supports SELinux you should default the guestfish to --selinux and load the policy.  Otherwise files created by guestfish will have no labels and cause SELinux headaches when the machine boots.

You can either parse /etc/selinux/config looking for the SELINUX= lines to determine whether selinux is enabled or use the libselinux function.

extern int selinux_init_load_policy(int *enforce);

Comment 1 Richard W.M. Jones 2010-01-12 14:03:23 EST
I discussed several features with Dan Walsh which make sense to
implement to make SELinux handling more robust in virt-v2v and
libguestfs in general.  They are:

(1) virt-inspector should find out if the guest OS supports selinux,
and the default enablement state.

(2) virt-inspector to support the --selinux flag based on above.

(3) replace sh load_policy advice in
http://libguestfs.org/guestfs.3.html#selinux with a direct call to
selinux_init_load_policy

(4) add an API to get the security context from
selinux_failsafe_context_path
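
The config-file check suggested in the description, which is also what item (1) of comment 1 needs, could look like the following. This is an added example, not libguestfs or libselinux code. The enum and function names are hypothetical, the caller is assumed to have already read the guest's /etc/selinux/config into a string, and the lenient matching (trimmed whitespace, case-insensitive value) is an assumption rather than documented libselinux behaviour.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical names (not libguestfs or libselinux API). */
enum se_mode { SE_UNKNOWN = -1, SE_DISABLED, SE_PERMISSIVE, SE_ENFORCING };
/* Parse a guest's /etc/selinux/config text: returns the SELINUX= mode and copies
 * SELINUXTYPE= into type ("" if absent). Comments and blanks skipped; last wins. */
enum se_mode parse_selinux_config(const char *text, char *type, size_t typelen)
{
    enum se_mode mode = SE_UNKNOWN;
    if (typelen) type[0] = '\0';
    while (*text) {
        char line[256];
        size_t n = strcspn(text, "\n");
        size_t c = n < sizeof line - 1 ? n : sizeof line - 1;
        memcpy(line, text, c);
        line[c] = '\0';
        text += n + (text[n] == '\n');
        char *p = line + strspn(line, " \t");
        char *end = p + strlen(p);
        while (end > p && isspace((unsigned char)end[-1])) *--end = '\0';
        if (*p == '#' || *p == '\0') continue;
        if (strncmp(p, "SELINUXTYPE=", 12) == 0) {
            snprintf(type, typelen, "%s", p + 12);
        } else if (strncmp(p, "SELINUX=", 8) == 0) {
            const char *v = p + 8;
            if (!strcasecmp(v, "enforcing")) mode = SE_ENFORCING;
            else if (!strcasecmp(v, "permissive")) mode = SE_PERMISSIVE;
            else if (!strcasecmp(v, "disabled")) mode = SE_DISABLED;
            else mode = SE_UNKNOWN;  /* unrecognised value: do not guess */
        }
    }
    return mode;
}

/* Constructed sample with a commented-out decoy line and a CRLF line ending. */
static const char SAMPLE[] =
    "# This file controls the state of SELinux on the system.\n"
    "#SELINUX=disabled\n"
    "  SELINUX=Enforcing \r\n"
    "SELINUXTYPE=targeted\n";

int main(void)
{
    char type[64];
    printf("mode=%d type=%s\n", parse_selinux_config(SAMPLE, type, sizeof type), type);
    return 0;
}
```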