On Mon, Sep 30, 2013 at 08:39:35AM -0400, Daniel J Walsh wrote:
> On 09/30/2013 08:07 AM, Daniel P. Berrange wrote:
> > On Wed, Sep 25, 2013 at 04:50:23PM -0400, Dan Walsh wrote:
> >> virt-sandbox should be launching containers based off the lxc_context
> >> file from selinux-policy. I changed the hard coded paths to match the
> >> latest fedora assigned labels.
> >>
> >> Fedora 20 SELinux Policy and beyond will have proper SELinux labels in
> >> its lxc_contexts file. --- bin/virt-sandbox-service | 2
> >> +- bin/virt-sandbox-service-clone.pod | 5 ++-
> >> bin/virt-sandbox-service-create.pod | 7 ++-- bin/virt-sandbox.c
> >> | 5 ++- libvirt-sandbox/libvirt-sandbox-builder.c | 58
> >> +++++++++++++++++++++++++------ 5 files changed, 55 insertions(+), 22
> >> deletions(-)
> >>
> >> diff --git a/bin/virt-sandbox-service b/bin/virt-sandbox-service index
> >> c4c4f54..b42fe08 100755 --- a/bin/virt-sandbox-service +++
> >> b/bin/virt-sandbox-service @@ -101,7 +101,7 @@ def copydirtree(src,
> >> dst): class Container: DEFAULT_PATH =
> >> "/var/lib/libvirt/filesystems" DEFAULT_IMAGE =
> >> "/var/lib/libvirt/images/%s.raw" - SELINUX_FILE_TYPE =
> >> "svirt_lxc_file_t" + SELINUX_FILE_TYPE = "svirt_sandbox_file_t"
> >
> > This change will make it impossible to use the new release on existing
> > distros since they won't have this new policy type. We need this to be
> > conditionally changed.
> >
> Well we could put the code into check if the type exists else use
> svirt_lxc_file_t. (BTW Aliased in latest code.)
> >> diff --git a/libvirt-sandbox/libvirt-sandbox-builder.c
> >> b/libvirt-sandbox/libvirt-sandbox-builder.c index 1335042..613161a
> >> 100644 --- a/libvirt-sandbox/libvirt-sandbox-builder.c +++
> >> b/libvirt-sandbox/libvirt-sandbox-builder.c @@ -67,6 +67,48 @@
> >> gvir_sandbox_builder_error_quark(void) { return
> >> g_quark_from_static_string("gvir-sandbox-builder"); } +#include
> >> <selinux/selinux.h> +#include <errno.h> +static char line[1024]; +
> >> +static const char *get_label(int type) { + const char *path =
> >> selinux_lxc_contexts_path(); + + FILE *fp = fopen(path, "r"); + if
> >> (fp) { + GType gt = gvir_config_domain_virt_type_get_type (); +
> >> GEnumClass *cls = g_type_class_ref (gt); + GEnumValue *val =
> >> g_enum_get_value (cls, type); + + while (val && fgets(line, sizeof
> >> line, fp)) { + int len = strlen(line); + if (len >
> >> 2) + continue; + if (line[len-1] == '\n') +
> >> line[len-1] = '\0'; + char *name = line; + char
> >> *value = strchr(name, '='); + if (!value) +
> >> continue; + *value = '\0'; + value++; +
> >> if (strcmp(name,val->value_nick)) + continue; +
> >> return value; + } + fclose(fp);

Your email client has completely mangled this quoted text. Please fix it
to preserve line breaks / whitespace, as it makes reading the replies
rather difficult.

> >
> > I'm not sure I really understand what this code is doing. You seem to be
> > opening /etc/selinux/targetted/context/lxc_contexts and then searching for
> > the type for LXC, QEMU or KVM. This doesn't really make sense to me. I
> > wonder what the point of any of this code is, when the switch statement
> > below looks to be sufficient.
> >
> Well the idea is to allow other policy writers to write policy that would use
> different types, rather than hard code them into programs. Dominick Grift is
> experimenting with other types of SELinux Policy, and any time he has a hard
> coded type, it breaks his code. Obviously we need to move more types out of
> this code to make it fully functional.

Yeah, but I'm not seeing how this /etc/selinux/targetted/context/lxc_contexts
file content is working with this piece of code.

With the updated policy I see

$ cat /etc/selinux/targeted/contexts/lxc_contexts
process = "system_u:system_r:svirt_lxc_net_t:s0"
file = "system_u:object_r:svirt_lxc_file_t:s0"
content = "system_u:object_r:virt_var_lib_t:s0"

so this code which is looking for 'kvm' and 'qemu' strings in that file
isn't doing anything useful

Daniel
-- 
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
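Review bot: the bin/virt-sandbox-service hunk swaps `SELINUX_FILE_TYPE = "svirt_lxc_file_t"` for `"svirt_sandbox_file_t"` unconditionally, which is exactly the regression Daniel raises: the commit message says only Fedora 20 policy and later define the new type, so on any other host the service will try to apply a type its policy does not know. Dan's own suggestion in the reply (check whether the type exists, else use svirt_lxc_file_t) belongs in this hunk rather than a follow-up, and since the series' stated goal is to honour lxc_contexts, the cleaner order is to take the `file` entry from that file first and only fall back to the hard-coded svirt_lxc_file_t when it is absent; whichever check is used should be tried on a host without the new policy before this is merged.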
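Review bot: the get_label() loop in the libvirt-sandbox-builder.c hunk cannot match the file it reads, which is why Daniel sees no effect: his `cat` shows lxc_contexts keyed by `process`, `file` and `content` with double-quoted values, while the loop compares `name` against the GEnum nick of the virt type (lxc/qemu/kvm) and splits on a bare `=`, so `name` keeps its trailing space and `value` keeps a leading space and the quotes. The same loop has three further defects: as quoted, `if (len > 2) continue;` discards every line longer than two characters, so nothing is ever parsed (presumably `len < 2` was meant); the early `return value;` bypasses `fclose(fp)` and leaks the FILE on every hit; and the returned pointer aliases the file-scope `static char line[1024]`, which the next call overwrites and which is not thread-safe. Suggest keying on `process`/`file`/`content`, trimming surrounding whitespace and quotes, returning a g_strdup'd copy, and putting `fclose(fp)` plus a g_type_class_unref for `cls` on every exit path; the `#include <selinux/selinux.h>` and `<errno.h>` lines also belong at the top of the file, not after gvir_sandbox_builder_error_quark().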