Bug 554829 - SELinux handling could be done better.
Status: NEW
Product: Virtualization Tools
Classification: Community
Component: libguestfs
Version: unspecified
Hardware: All Linux
Priority: low
Severity: medium
Assigned To: Richard W.M. Jones
Depends On: 1089100
Reported: 2010-01-12 13:55 EST by Daniel Walsh
Modified: 2014-06-11 06:05 EDT
Description Daniel Walsh 2010-01-12 13:55:07 EST
Description of problem:

If a guest OS supports SELinux you should default the guestfish to --selinux and load the policy.  Otherwise files created by guestfish will have no labels and cause SELinux headaches when the machine boots.

You can either parse /etc/selinux/config looking for the SELINUX= lines to determine whether selinux is enabled or use the libselinux function.

extern int selinux_init_load_policy(int *enforce);
Comment 1 Richard W.M. Jones 2010-01-12 14:03:23 EST
I discussed several features with Dan Walsh which make sense to
implement to make SELinux handling more robust in virt-v2v and
libguestfs in general.  They are:

(1) virt-inspector should find out if the guest OS supports selinux,
and the default enablement state.

(2) virt-inspector to support the --selinux flag based on above.

(3) replace sh load_policy advice in
http://libguestfs.org/guestfs.3.html#selinux with a direct call to
selinux_init_load_policy

(4) add an API to get the security context from
selinux_failsafe_context_path
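
The description suggests parsing /etc/selinux/config for the SELINUX= line, and item (1) above asks for the guest's default enablement state. The following is an added example of that check, not code from libguestfs or libselinux; the enum and function names are hypothetical, and the file's text is assumed to have already been read out of the guest into a string.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical names for this example; not libguestfs or libselinux API. */
enum guest_selinux { GS_UNKNOWN = -1, GS_DISABLED, GS_PERMISSIVE, GS_ENFORCING };

/* Scan the text of a guest's /etc/selinux/config for the SELINUX= setting.
 * The first line carrying a recognised value decides (a choice made here). */
enum guest_selinux parse_selinux_config(const char *text)
{
    static const struct { const char *word; enum guest_selinux mode; } modes[] = {
        { "enforcing", GS_ENFORCING },
        { "permissive", GS_PERMISSIVE },
        { "disabled", GS_DISABLED },
    };

    while (*text) {
        const char *eol = strchr(text, '\n');
        const char *p = text;
        text = eol ? eol + 1 : text + strlen(text);

        while (*p == ' ' || *p == '\t')
            p++;
        /* Match the '=' too, so SELINUXTYPE= and "# SELINUX=" comments are skipped. */
        if (strncmp(p, "SELINUX=", 8) != 0)
            continue;
        p += 8;
        for (size_t i = 0; i < sizeof modes / sizeof modes[0]; i++) {
            size_t n = strlen(modes[i].word);
            /* Value is case-insensitive and must end the token (no "enforcingx"). */
            if (strncasecmp(p, modes[i].word, n) == 0 &&
                (p[n] == '\0' || isspace((unsigned char)p[n])))
                return modes[i].mode;
        }
    }
    return GS_UNKNOWN; /* no usable SELINUX= line: caller picks the default */
}

int main(void)
{
    /* Constructed sample, shaped like a typical /etc/selinux/config. */
    const char *sample =
        "# SELINUX= can take one of: enforcing, permissive, disabled\n"
        "SELINUX=enforcing\n"
        "SELINUXTYPE=targeted\n";
    printf("guest SELinux mode: %d\n", parse_selinux_config(sample));
    return 0;
}
```

A caller would treat GS_ENFORCING or GS_PERMISSIVE as the cue to enable SELinux handling for the guest, and GS_UNKNOWN as "no config found or no valid setting".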
