virt-sandbox should be launching containers based off the lxc_context file from selinux-policy. I changed the hard coded paths to match the latest fedora assigned labels. Fedora 20 SELinux Policy and beyond will have proper SELinux labels in its lxc_contexts file. --- bin/virt-sandbox-service | 34 ++++++++++++++-- bin/virt-sandbox-service-clone.pod | 5 +-- bin/virt-sandbox-service-create.pod | 16 +++++--- bin/virt-sandbox.c | 5 +-- libvirt-sandbox/libvirt-sandbox-builder.c | 68 +++++++++++++++++++++++++------ 5 files changed, 101 insertions(+), 27 deletions(-) diff --git a/bin/virt-sandbox-service b/bin/virt-sandbox-service index c4c4f54..0bfadfe 100755 --- a/bin/virt-sandbox-service +++ b/bin/virt-sandbox-service @@ -114,12 +114,32 @@ class Container: else: self.name = name self.dest = "%s/%s" % (self.path, self.name) - self.file_type = self.SELINUX_FILE_TYPE + self.init_selinux_types() + self.file_type = self.get_selinux_file_type() self.conn = None self.image = None self.uid = 0 self.mounts = [] + def init_selinux_types(self): + self.selinux_dict={} + fd = open(selinux.selinux_lxc_contexts_path(),"r") + records = fd.readlines() + fd.close() + for l in records: + try: + (name, val) = l.split("=") + self.selinux_dict[name.strip()]=val.strip() + except ValueError: + pass + + def get_selinux_file_type(self): + try: + return self.selinux_dict["file"].split(":")[2] + except KeyError: + pass + return self.SELINUX_FILE_TYPE + def get_file_type(self): return self.file_type @@ -1072,9 +1092,17 @@ def default_security_opts(): if selinux is None: return None - # XXX vary per URI for kvm/qemu/lxc. + label = "system_u:system_r:svirt_lxc_net_t:s0" # XXX generate a random category - return "static,label=system_u:system_r:svirt_lxc_net_t:s0" + try: + for uri in ("lxc", "qemu", "kvm"): + if self.uri.startswith(uri): + label = self.selinux_dict[uri] + break + + except KeyError: + pass + return "static,label=%s" % label def gen_create_args(subparser): parser = subparser.add_parser("create", diff --git a/bin/virt-sandbox-service-clone.pod b/bin/virt-sandbox-service-clone.pod index cd261c4..3b4ecec 100644 --- a/bin/virt-sandbox-service-clone.pod +++ b/bin/virt-sandbox-service-clone.pod @@ -42,8 +42,7 @@ separated by commas. The following options are valid for SELinux Dynamically allocate an SELinux label, using the default base context. The default base context is system_u:system_r:svirt_lxc_net_t:s0 for LXC, -system_u:system_r:svirt_t:s0 for KVM, system_u:system_r:svirt_tcg_t:s0 -for QEMU. +system_u:system_r:svirt_qemu_net_t:s0 for KVM or QEMU. =item dynamic,label=USER:ROLE:TYPE:LEVEL @@ -53,7 +52,7 @@ USER:ROLE:TYPE:LEVEL, instead of the default base context. =item static,label=USER:ROLE:TYPE:LEVEL To set a completely static label. For example, -static,label=system_u:system_r:svirt_t:s0:c412,c355 +static,label=system_u:system_r:svirt_lxc_net_t:s0:c412,c355 =back diff --git a/bin/virt-sandbox-service-create.pod b/bin/virt-sandbox-service-create.pod index 2ab289a..cbfd73d 100644 --- a/bin/virt-sandbox-service-create.pod +++ b/bin/virt-sandbox-service-create.pod @@ -61,7 +61,7 @@ Default: C<Login GID of UID>. Set SELinux file type to use within container. -Default: C<svirt_lxc_file_t>. +Default: C<svirt_sandbox_file_t>. =item B<-p PATH>, B<--path PATH> @@ -180,10 +180,14 @@ separated by commas. The following options are valid for SELinux =item dynamic -Dynamically allocate an SELinux label, using the default base context. -The default base context is system_u:system_r:svirt_lxc_net_t:s0 for LXC, -system_u:system_r:svirt_t:s0 for KVM, system_u:system_r:svirt_tcg_t:s0 -for QEMU. +Dynamically allocate an SELinux label, using the default base context for the connection URI: +The default base context are: + +B<LXC> = system_u:system_r:svirt_lxc_net_t:s0 + +B<KVM> = system_u:system_r:svirt_kvm_net_t:s0 + +B<QEMU> = system_u:system_r:svirt_qemu_net_t:s0 =item dynamic,label=USER:ROLE:TYPE:LEVEL @@ -193,7 +197,7 @@ USER:ROLE:TYPE:LEVEL, instead of the default base context. =item static,label=USER:ROLE:TYPE:LEVEL To set a completely static label. For example, -static,label=system_u:system_r:svirt_t:s0:c412,c355 +static,label=system_u:system_r:svirt_lxc_net_t:s0:c412,c355 =back diff --git a/bin/virt-sandbox.c b/bin/virt-sandbox.c index b16217b..f66b045 100644 --- a/bin/virt-sandbox.c +++ b/bin/virt-sandbox.c @@ -413,8 +413,7 @@ separated by commas. The following options are valid for SELinux Dynamically allocate an SELinux label, using the default base context. The default base context is system_u:system_r:svirt_lxc_net_t:s0 for LXC, -system_u:system_r:svirt_t:s0 for KVM, system_u:system_r:svirt_tcg_t:s0 -for QEMU. +system_u:system_r:svirt_qemu_net_t:s0 for KVM or QEMU. =item dynamic,label=USER:ROLE:TYPE:LEVEL @@ -424,7 +423,7 @@ USER:ROLE:TYPE:LEVEL, instead of the default base context. =item static,label=USER:ROLE:TYPE:LEVEL To set a completely static label. For example, -static,label=system_u:system_r:svirt_t:s0:c412,c355 +static,label=system_u:system_r:svirt_lxc_net_t:s0:c412,c355 =item inherit diff --git a/libvirt-sandbox/libvirt-sandbox-builder.c b/libvirt-sandbox/libvirt-sandbox-builder.c index 1335042..b74f918 100644 --- a/libvirt-sandbox/libvirt-sandbox-builder.c +++ b/libvirt-sandbox/libvirt-sandbox-builder.c @@ -67,6 +67,53 @@ gvir_sandbox_builder_error_quark(void) { return g_quark_from_static_string("gvir-sandbox-builder"); } +#include <selinux/selinux.h> +#include <errno.h> +static char line[1024]; + +static const char *get_label(int type, GError **error) +{ + const char *path = selinux_lxc_contexts_path(); + + GType gt = gvir_config_domain_virt_type_get_type (); + GEnumClass *cls = g_type_class_ref (gt); + GEnumValue *val = g_enum_get_value (cls, type); + + FILE *fp = fopen(path, "r"); + if (fp) { + + while (val && fgets(line, sizeof line, fp)) { + int len = strlen(line); + if (len > 2) + continue; + if (line[len-1] == '\n') + line[len-1] = '\0'; + char *name = line; + char *value = strchr(name, '='); + if (!value) + continue; + *value = '\0'; + value++; + if (strcmp(name,val->value_nick)) + continue; + return value; + } + fclose(fp); + } + + switch (type) { + case GVIR_CONFIG_DOMAIN_VIRT_KVM: + return "system_u:system_r:svirt_kvm_net_t:s0"; + case GVIR_CONFIG_DOMAIN_VIRT_QEMU: + return "system_u:system_r:svirt_qemu_net_t:s0"; + case GVIR_CONFIG_DOMAIN_VIRT_LXC: + return "system_u:system_r:svirt_lxc_net_t:s0"; + default: + *error = g_error_new(GVIR_SANDBOX_BUILDER_ERROR, 0, + "No builder available for URI %s", val->value_nick); + return NULL; + } +} static gboolean gvir_sandbox_builder_construct_domain(GVirSandboxBuilder *builder, GVirSandboxConfig *config, @@ -326,7 +373,7 @@ static gboolean gvir_sandbox_builder_construct_security(GVirSandboxBuilder *buil GVirSandboxConfig *config G_GNUC_UNUSED, const gchar *statedir G_GNUC_UNUSED, GVirConfigDomain *domain, - GError **error G_GNUC_UNUSED) + GError **error) { GVirConfigDomainSeclabel *sec = gvir_config_domain_seclabel_new(); const char *label = gvir_sandbox_config_get_security_label(config); @@ -335,17 +382,14 @@ static gboolean gvir_sandbox_builder_construct_security(GVirSandboxBuilder *buil if (gvir_sandbox_config_get_security_dynamic(config)) { gvir_config_domain_seclabel_set_type(sec, GVIR_CONFIG_DOMAIN_SECLABEL_DYNAMIC); - if (label) - gvir_config_domain_seclabel_set_baselabel(sec, label); - else if (gvir_config_domain_get_virt_type(domain) == - GVIR_CONFIG_DOMAIN_VIRT_LXC) - gvir_config_domain_seclabel_set_baselabel(sec, "system_u:system_r:svirt_lxc_net_t:s0"); - else if (gvir_config_domain_get_virt_type(domain) == - GVIR_CONFIG_DOMAIN_VIRT_QEMU) - gvir_config_domain_seclabel_set_baselabel(sec, "system_u:system_r:svirt_tcg_t:s0"); - else if (gvir_config_domain_get_virt_type(domain) == - GVIR_CONFIG_DOMAIN_VIRT_KVM) - gvir_config_domain_seclabel_set_baselabel(sec, "system_u:system_r:svirt_t:s0"); + if (!label) + label = get_label(gvir_config_domain_get_virt_type(domain), error); + + if (!label) + return FALSE; + + gvir_config_domain_seclabel_set_baselabel(sec, label); + } else { gvir_config_domain_seclabel_set_type(sec, GVIR_CONFIG_DOMAIN_SECLABEL_STATIC); -- 1.8.3.1