This will allow us to run sandbox as the calling process, If I am running a shell as staff_u:unconfined_r:unconfined_t:s0, and I execute virt-sandbox -c lxc/// -- /bin/sh /bin/sh will run as staff_u:unconfined_r:unconfined_t:s0 --- bin/virt-sandbox-service.pod | 6 +++++- bin/virt-sandbox.c | 9 ++++++++- configure.ac | 1 + libvirt-sandbox.spec.in | 1 + libvirt-sandbox/Makefile.am | 2 ++ libvirt-sandbox/libvirt-sandbox-config.c | 14 ++++++++++++++ m4/virt-selinux.m4 | 11 +++++++++++ 7 files changed, 42 insertions(+), 2 deletions(-) create mode 100644 m4/virt-selinux.m4 diff --git a/bin/virt-sandbox-service.pod b/bin/virt-sandbox-service.pod index 7752145..b879a46 100644 --- a/bin/virt-sandbox-service.pod +++ b/bin/virt-sandbox-service.pod @@ -54,7 +54,11 @@ supported currently). =head1 SEE ALSO -C<libvirt(8)>, C<selinux(8)>, C<systemd(8)>, C<virt-sandbox(1)>, C<virt-sandbox-service-create(1)>, C<virt-sandbox-service-clone(1)>, C<virt-sandbox-service-connect(1)>, C<virt-sandbox-service-delete(1)>, C<virt-sandbox-service-execute(1)>, C<virt-sandbox-service-reload(1)>, C<virt-sandbox-service-upgrade(1)> +C<libvirt(8)>, C<selinux(8)>, C<systemd(8)>, C<virt-sandbox(1)>, +C<virt-sandbox-service-create(1)>, C<virt-sandbox-service-clone(1)>, +C<virt-sandbox-service-connect(1)>, C<virt-sandbox-service-delete(1)>, +C<virt-sandbox-service-execute(1)>, C<virt-sandbox-service-reload(1)>, +C<virt-sandbox-service-upgrade(1)> =head1 FILES diff --git a/bin/virt-sandbox.c b/bin/virt-sandbox.c index 3ddcd17..1132c09 100644 --- a/bin/virt-sandbox.c +++ b/bin/virt-sandbox.c 
@@ -285,7 +285,10 @@ not allowed to open any other files. =item B<-c URI>, B<--connect=URI> Set the libvirt connection URI, defaults to qemu:///session if -omitted. Currently only the QEMU and LXC drivers are supported. +omitted. Alternatively the C<LIBVIRT_DEFAULT_URI> environment +variable can be set, or the config file C</etc/libvirt/libvirt.conf> +can have a default URI set. Currently only the QEMU and LXC drivers +are supported. =item B<-n NAME>, B<--name=NAME> @@ -417,6 +420,10 @@ USER:ROLE:TYPE:LEVEL, instead of the default base context. To set a completely static label. For example, static,label=system_u:system_r:svirt_t:s0:c412,c355 +=item inherit + +Inherit the context from the process that is executing virt-sandbox. + =back =item B<-p>, B<--privileged> diff --git a/configure.ac b/configure.ac index 32206b8..50f23fc 100644 --- a/configure.ac +++ b/configure.ac @@ -84,6 +84,7 @@ LIBVIRT_SANDBOX_WIN32 LIBVIRT_SANDBOX_COVERAGE LIBVIRT_SANDBOX_INTROSPECTION LIBVIRT_SANDBOX_RPCGEN +LIBVIRT_SANDBOX_SELINUX dnl Should be in m4/virt-gettext.m4 but intltoolize is too dnl dumb to find it there diff --git a/libvirt-sandbox.spec.in b/libvirt-sandbox.spec.in index a9721b5..718c27b 100644 --- a/libvirt-sandbox.spec.in +++ b/libvirt-sandbox.spec.in @@ -25,6 +25,7 @@ BuildRequires: gobject-introspection-devel BuildRequires: glibc-static BuildRequires: /usr/bin/pod2man BuildRequires: intltool +BuildRequires: libselinux-devel BuildRequires: glib2-devel >= 2.32.0 Requires: rpm-python # For virsh lxc-enter-namespace command diff --git a/libvirt-sandbox/Makefile.am b/libvirt-sandbox/Makefile.am index 4e0ea00..0882490 100644 --- a/libvirt-sandbox/Makefile.am +++ b/libvirt-sandbox/Makefile.am @@ -169,6 +169,7 @@ libvirt_sandbox_init_common_CFLAGS = \ $(LIBVIRT_GLIB_CFLAGS) \ $(LIBVIRT_GOBJECT_CFLAGS) \ $(CAPNG_CFLAGS) \ + $(SELINUX_CFLAGS) \ $(WARN_CFLAGS) \ $(NULL) libvirt_sandbox_init_common_LDFLAGS = \ 
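Review bot: The new `=item inherit` entry in the `@@ -417,6 +420,10 @@` hunk of bin/virt-sandbox.c does not say what the option gives up. The libvirt-sandbox-config.c hunk of this patch turns dynamic labelling off and installs the caller's own context as a static label, and the commit message's own example ends with `/bin/sh` running as `unconfined_t`. The sandbox is therefore confined no further than the process that started it, and presumably gets no per-sandbox MCS categories. I would extend the entry with something like `The sandbox then runs with exactly the caller's SELinux user, role, type and level; no separate sandbox label is generated, so SELinux does not isolate it from the caller's other processes.` It is also worth stating that the option only works on an SELinux host, because the implementation fails when `getcon()` fails.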
@@ -178,6 +179,7 @@ libvirt_sandbox_init_common_LDFLAGS = \ $(LIBVIRT_GLIB_LIBS) \ $(LIBVIRT_GOBJECT_LIBS) \ $(CAPNG_LIBS) \ + $(SELINUX_LIBS) \ $(WARN_CFLAGS) \ $(NULL) libvirt_sandbox_init_common_LDADD = \ diff --git a/libvirt-sandbox/libvirt-sandbox-config.c b/libvirt-sandbox/libvirt-sandbox-config.c index ccdb3bc..8e8ac65 100644 --- a/libvirt-sandbox/libvirt-sandbox-config.c +++ b/libvirt-sandbox/libvirt-sandbox-config.c @@ -27,6 +27,8 @@ #include <glib/gi18n.h> #include "libvirt-sandbox/libvirt-sandbox.h" +#include <errno.h> +#include <selinux/selinux.h> /** * SECTION: libvirt-sandbox-config @@ -1521,6 +1523,18 @@ gboolean gvir_sandbox_config_set_security_opts(GVirSandboxConfig *config, gvir_sandbox_config_set_security_dynamic(config, TRUE); } else if (g_str_equal(tmp, "static")) { gvir_sandbox_config_set_security_dynamic(config, FALSE); + } else if (g_str_equal(tmp, "inherit")) { + gvir_sandbox_config_set_security_dynamic(config, FALSE); + security_context_t scon; + if (getcon(&scon) < 0) { + g_set_error(error, GVIR_SANDBOX_CONFIG_ERROR, 0, + _("Unable to get SELinux context of user: %s"), + strerror(errno)); + return FALSE; + } + gvir_sandbox_config_set_security_label(config, scon); + freecon(scon); + } else { g_set_error(error, GVIR_SANDBOX_CONFIG_ERROR, 0, _("Unknown security option '%s'"), tmp); diff --git a/m4/virt-selinux.m4 b/m4/virt-selinux.m4 new file mode 100644 index 0000000..ef41721 --- /dev/null +++ b/m4/virt-selinux.m4 @@ -0,0 +1,11 @@ +AC_DEFUN([LIBVIRT_SANDBOX_SELINUX], [ + fail=0 + old_LIBS=$LIBS + old_CFLAGS=$CFLAGS + AC_CHECK_HEADER([selinux/selinux.h],[],[fail=1]) + AC_CHECK_LIB([selinux], [fgetfilecon],[],[fail=1]) + LIBS=$old_LIBS + CFLAGS=$old_CFLAGS + test $fail = 1 && + AC_MSG_ERROR([You must install the libselinux development package in order to compile libvirt-sandbox]) +]) -- 1.8.3.1 -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list
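Review bot: In the `inherit` branch of `gvir_sandbox_config_set_security_opts`, `getcon()` returns the context in translated form when a context-translation daemon is running, and that string is stored as the static label. If the libvirt driver applies labels in raw form (not visible here), the two may not match, so `getcon_raw(&scon)` looks like the safer call. The branch also sets the label immediately, so a `label=` item elsewhere in the same option string would presumably override it or be overridden depending on order. The parsing loop is outside the hunk, so this needs confirming, but rejecting the combination would be clearer. The error text says "of user" although the context read is that of the calling process, and `g_strerror(errno)` would match the GLib calls around it: `_("Unable to get SELinux context of the calling process: %s"), g_strerror(errno));`.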
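Review bot: Nothing in `LIBVIRT_SANDBOX_SELINUX` sets or substitutes `SELINUX_CFLAGS` or `SELINUX_LIBS`, so the `$(SELINUX_CFLAGS)` and `$(SELINUX_LIBS)` references added in both libvirt-sandbox/Makefile.am hunks expand to nothing. The `-lselinux` that `AC_CHECK_LIB` adds by default is then discarded by `LIBS=$old_LIBS`. Giving the check an explicit action and exporting the variables would fix this: `AC_CHECK_LIB([selinux], [getcon], [SELINUX_LIBS="-lselinux"], [fail=1])`, followed by `AC_SUBST([SELINUX_CFLAGS])` and `AC_SUBST([SELINUX_LIBS])`. Probing for `getcon` rather than `fgetfilecon` also tests the symbol the C change actually calls. The Makefile.am hunks add the flags to `libvirt_sandbox_init_common`, while the `getcon()` call is in libvirt-sandbox-config.c; whether that file is built into that target is not visible in the patch and should be checked.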