On Tue, May 21, 2013 at 09:12:49AM -0400, dwalsh@xxxxxxxxxx wrote:
> From: Dan Walsh <dwalsh@xxxxxxxxxx>
>
> mcstransd is a translation tool that can translate MCS Labels into human
> understandable code. I have patched it to watch for translation files in the
> /run/setrans directory. This allows us to run commands like ps -eZ and see
> system_u:system_r:svirt_t:Fedora18 rather then system_u:system_r:svirt_t:s0:c1,c2.
> When used with containers it would make an easy way to list all processes within
> a container using ps -eZ | grep Fedora18
>
> Pass in privileged field into Security Manager so this is only attempted on privileged
> machines

Did you actually test this patch, because it doesn't work at all ? An LXC guest fails to start: 2013-05-21 16:26:30.894+0000: 1: error : virSecuritySELinuxAddMCSFile:107 : unable to create MCS file /var/run/setrans/busy: No such file or directory If I create that directory inside the container, it at least starts, but doesn't have any effect because you're trying to write to /var/run directory inside the container, rather than in the host. With a QEMU guest this does nothing at all, because the QEMU driver uses virSecurityManagerSetChildProcessLabel instead of virSecurityManagerSetProcessLabel so this new code simply never runs. Trying todo this from the virSecurityManagerSetProcessLabel method is just wrong. As I said last time, virSecurityManagerGenProcessLabel is a better place IMHO.

> diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
> index 5d108b9..c416666 100644
> --- a/src/security/security_selinux.c
> +++ b/src/security/security_selinux.c
> @@ -83,6 +83,57 @@ virSecuritySELinuxRestoreSecurityTPMFileLabelInt(virSecurityManagerPtr mgr,
> virDomainTPMDefPtr tpm);
>
>
> +static int
> +virSecuritySELinuxAddMCSFile(const char *name,
> + const char *label)
> +{
> + int ret = -1;
> + char *tmp = NULL;
> + context_t con = NULL;
> +
> + if (virAsprintf(&tmp, "%s/%s", SELINUX_TRANS_DIR, name) < 0) {

SELINUX_TRANS_DIR doesn't appear to exist in any libselinux package prior to Fedora 19, so this breaks the build on all RHEL distros and Fedora < 18. This code needs to be made conditional on this constant existing in the headers.

> + virReportOOMError();
> + return -1;
> + }
> + if (!(con = context_new(label))) {
> + virReportSystemError(errno, "%s",
> + _("unable to allocate security context"));
> + goto cleanup;
> + }
> + if (virFileWriteStr(tmp, context_range_get(con), S_IRUSR|S_IWUSR) < 0) {
> + virReportSystemError(errno,
> + _("unable to create MCS file %s"), tmp);
> + goto cleanup;
> + }
> + ret = 0;
> +
> +cleanup:
> + VIR_FREE(tmp);
> + context_free(con);
> + return ret;
> +}
> +
> +static int
> +virSecuritySELinuxRemoveMCSFile(const char *name)
> +{
> + char *tmp = NULL;
> + int ret = -1;
> + if (virAsprintf(&tmp, "%s/%s", SELINUX_TRANS_DIR, name) < 0) {
> + virReportOOMError();
> + return -1;
> + }
> + if (unlink(tmp) < 0 && errno != ENOENT) {
> + virReportSystemError(errno,
> + _("Unable to remove MCS file %s"), tmp);
> + goto cleanup;
> + }
> + ret = 0;
> +
> +cleanup:
> + VIR_FREE(tmp);
> + return ret;
> +}
> +
> /*
> * Returns 0 on success, 1 if already reserved, or -1 on fatal error
> */
> @@ -1953,7 +2004,7 @@ virSecuritySELinuxReleaseSecurityLabel(virSecurityManagerPtr mgr,
> }
> VIR_FREE(secdef->imagelabel);
>
> - return 0;
> + return virSecuritySELinuxRemoveMCSFile(def->name);
> }
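Review bot: In virSecuritySELinuxAddMCSFile the result of `context_range_get(con)` is handed straight to virFileWriteStr with no NULL check; libselinux returns NULL for a context that carries no range component, so a label without an MCS range (a non-MLS policy, or a caller-supplied static label) would pass NULL into the write helper rather than produce a diagnostic. A guard before the write keeps the failure explicit, e.g. `if (!context_range_get(con)) { virReportSystemError(EINVAL, _("label %s has no MCS range"), label); goto cleanup; }`. The file path is also built as SELINUX_TRANS_DIR plus `name` straight from the domain definition; assuming domain names are already rejected elsewhere when they contain '/' or '..' that is fine, but it would be worth a one-line comment on the function stating that dependency, since the file is written with the daemon's privileges. The same path construction is duplicated in virSecuritySELinuxRemoveMCSFile and could share a small helper.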
>
>
> @@ -2047,10 +2098,14 @@ virSecuritySELinuxSetSecurityProcessLabel(virSecurityManagerPtr mgr ATTRIBUTE_UN
> return -1;
> }
>
> + if (virSecurityManagerGetPrivileged(mgr) && (virSecuritySELinuxAddMCSFile(def->name, secdef->label) < 0))
> + return -1;

As I said last time, failure to create the MCS file should not be treated as a fatal error IMHO.

Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
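Review bot: The new `return virSecuritySELinuxRemoveMCSFile(def->name);` in virSecuritySELinuxReleaseSecurityLabel (the -1953 hunk) runs unconditionally, whereas the matching file creation in the -2047 hunk is gated on `virSecurityManagerGetPrivileged(mgr)`; an unprivileged driver will now attempt unlink() under SELINUX_TRANS_DIR on every label release and, for any errno other than ENOENT (EACCES on a directory it cannot write, for instance), turn a release that previously could not fail into a -1. Mirroring the gate keeps the two sides symmetric: `if (virSecurityManagerGetPrivileged(mgr)) return virSecuritySELinuxRemoveMCSFile(def->name); return 0;`, or alternatively treat removal as best-effort and keep `return 0;` so a stale translation file never blocks label cleanup. The enclosing function starts outside the hunk.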