On Mon, Sep 30, 2013 at 08:39:35AM -0400, Daniel J Walsh wrote:
On 09/30/2013 08:07 AM, Daniel P. Berrange wrote:
> On Wed, Sep 25, 2013 at 04:50:23PM -0400, Dan Walsh wrote:
>> virt-sandbox should be launching containers based off the lxc_context
>> file from selinux-policy. I changed the hard coded paths to match the
>> latest fedora assigned labels.
>>
>> Fedora 20 SELinux Policy and beyond will have proper SELinux labels in
>> its lxc_contexts file. --- bin/virt-sandbox-service | 2
>> +- bin/virt-sandbox-service-clone.pod | 5 ++-
>> bin/virt-sandbox-service-create.pod | 7 ++-- bin/virt-sandbox.c
>> | 5 ++- libvirt-sandbox/libvirt-sandbox-builder.c | 58
>> +++++++++++++++++++++++++------ 5 files changed, 55 insertions(+), 22
>> deletions(-)
>>
>> diff --git a/bin/virt-sandbox-service b/bin/virt-sandbox-service index
>> c4c4f54..b42fe08 100755 --- a/bin/virt-sandbox-service +++
>> b/bin/virt-sandbox-service @@ -101,7 +101,7 @@ def copydirtree(src,
>> dst): class Container: DEFAULT_PATH =
>> "/var/lib/libvirt/filesystems" DEFAULT_IMAGE =
>> "/var/lib/libvirt/images/%s.raw" - SELINUX_FILE_TYPE =
>> "svirt_lxc_file_t" + SELINUX_FILE_TYPE =
"svirt_sandbox_file_t"
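Review bot: the new `SELINUX_FILE_TYPE = "svirt_sandbox_file_t"` is an unconditional class constant, so on a host whose loaded policy does not define that type every labelling done from it will fail. Resolve the type at runtime instead: probe whether `svirt_sandbox_file_t` is valid under the current policy and fall back to `svirt_lxc_file_t` when it is not; the reply in this thread says the old name is an alias in the latest policy, so the fallback costs nothing there.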
>
> This change will make it impossible to use the new release on existing
> distros since they won't have this new policy type. We need this to be
> conditionally changed.
>
Well, we could put code in to check if the type exists, else use
svirt_lxc_file_t. (BTW, aliased in latest code.)
>> diff --git a/libvirt-sandbox/libvirt-sandbox-builder.c
>> b/libvirt-sandbox/libvirt-sandbox-builder.c index 1335042..613161a
>> 100644 --- a/libvirt-sandbox/libvirt-sandbox-builder.c +++
>> b/libvirt-sandbox/libvirt-sandbox-builder.c @@ -67,6 +67,48 @@
>> gvir_sandbox_builder_error_quark(void) { return
>> g_quark_from_static_string("gvir-sandbox-builder"); } +#include
>> <selinux/selinux.h> +#include <errno.h> +static char line[1024]; +
>> +static const char *get_label(int type) { + const char *path =
>> selinux_lxc_contexts_path(); + + FILE *fp = fopen(path, "r"); +
if
>> (fp) { + GType gt = gvir_config_domain_virt_type_get_type (); +
>> GEnumClass *cls = g_type_class_ref (gt); + GEnumValue *val =
>> g_enum_get_value (cls, type); + + while (val && fgets(line,
sizeof
>> line, fp)) { + int len = strlen(line); + if (len >
>> 2) + continue; + if (line[len-1] == '\n') +
>> line[len-1] = '\0'; + char *name = line; + char
>> *value = strchr(name, '='); + if (!value) +
>> continue; + *value = '\0'; + value++; +
>> if (strcmp(name,val->value_nick)) + continue; +
>> return value; + } + fclose(fp);
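Review bot: the length check `if (len > 2) continue;` in `get_label()` is inverted: every line longer than two characters is skipped, so no `name=value` line can ever be matched; it should skip short lines (`len < 2`) instead. The early `return value;` inside the loop also leaks the `FILE *` (the `fclose(fp)` after the loop is never reached on a match), and the `GEnumClass` from `g_type_class_ref()` is never released with `g_type_class_unref()`. Finally, the scan expects bare `name=value` with no whitespace or quotes, while the lxc_contexts content shown later in this thread is `file = "system_u:object_r:..."` with keys `process`, `file` and `content`, so comparing the key against `val->value_nick` (`lxc`, `qemu`, `kvm`) cannot match anything; the returned pointer into the file-scope `static char line[1024]` is additionally overwritten by the next call.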
Your email client has completely mangled this quoted text. Please fix it
to preserve line breaks / whitespace, as it makes reading the replies
rather difficult.
>
> I'm not sure I really understand what this code is doing. You seem to be
> opening /etc/selinux/targeted/contexts/lxc_contexts and then searching for
> the type for LXC, QEMU or KVM. This doesn't really make sense to me. I
> wonder what the point of any of this code is, when the switch statement
> below looks to be sufficient.
>
Well the idea is to allow other policy writers to write policy that would use
different types, rather than hard code them into programs. Dominick Grift is
experimenting with other types of SELinux Policy, and any time he has a hard
coded type, it breaks his code. Obviously we need to move more types out of
this code to make it fully functional.
Yeah, but I'm not seeing how this /etc/selinux/targeted/contexts/lxc_contexts
file content is working with this piece of code. With the updated policy
I see
$ cat /etc/selinux/targeted/contexts/lxc_contexts
process = "system_u:system_r:svirt_lxc_net_t:s0"
file = "system_u:object_r:svirt_lxc_file_t:s0"
content = "system_u:object_r:virt_var_lib_t:s0"
so this code, which is looking for 'kvm' and 'qemu' strings in that file,
isn't doing anything useful.
Daniel
--
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
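As an added example (not code from the patch or from libvirt-sandbox), here is a C parser for the lxc_contexts format Daniel pasted above, `name = "value"` with whitespace and quotes, which the patch's bare `name=value` scan does not handle; it also pulls the type field out of a context so the file label can be looked up by key instead of hard-coded. The sample text is constructed from the three lines shown in the thread; the function names are my own.

```c
#include <string.h>
#include <ctype.h>

/* Constructed sample: the three lines Daniel pasted from the updated policy. */
static const char SAMPLE_LXC_CONTEXTS[] =
    "process = \"system_u:system_r:svirt_lxc_net_t:s0\"\n"
    "file = \"system_u:object_r:svirt_lxc_file_t:s0\"\n"
    "content = \"system_u:object_r:virt_var_lib_t:s0\"\n";

/* Copy [s, e) into out, dropping surrounding whitespace and one pair of
 * quotes. Returns the copied length, or -1 if it does not fit in out. */
static int trim_copy(const char *s, const char *e, char *out, size_t outlen)
{
    while (s < e && isspace((unsigned char)*s)) s++;
    while (e > s && isspace((unsigned char)e[-1])) e--;
    if (e - s >= 2 && *s == '"' && e[-1] == '"') { s++; e--; }
    if ((size_t)(e - s) >= outlen) return -1;
    memcpy(out, s, (size_t)(e - s));
    out[e - s] = '\0';
    return (int)(e - s);
}

/* Look up key in lxc_contexts text (one `name = "value"` per line).
 * Returns 1 and fills out on a match, 0 if absent, -1 if the value does
 * not fit. Blank, comment and malformed lines are skipped, not fatal. */
int lxc_contexts_lookup(const char *text, const char *key, char *out, size_t outlen)
{
    char name[64];
    for (const char *line = text; *line; ) {
        const char *nl = strchr(line, '\n');
        const char *end = nl ? nl : line + strlen(line);
        const char *eq = memchr(line, '=', (size_t)(end - line));
        if (eq && *line != '#' &&
            trim_copy(line, eq, name, sizeof name) > 0 && strcmp(name, key) == 0)
            return trim_copy(eq + 1, end, out, outlen) < 0 ? -1 : 1;
        if (!nl) break;
        line = nl + 1;
    }
    return 0;
}

/* Extract the type (third colon-separated field) of a context such as
 * "system_u:object_r:svirt_lxc_file_t:s0". Returns 1 on success, 0 if malformed. */
int context_type(const char *ctx, char *out, size_t outlen)
{
    const char *p = strchr(ctx, ':');
    if (!p || !(p = strchr(p + 1, ':'))) return 0;
    const char *q = strchr(p + 1, ':');
    return trim_copy(p + 1, q ? q : ctx + strlen(ctx), out, outlen) > 0;
}
```

With this, `lxc_contexts_lookup(text, "file", ...)` followed by `context_type()` yields `svirt_lxc_file_t` from the policy file rather than from a constant, which is the behaviour the thread is asking for.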