On 07/07/2016 04:56 PM, Richard W.M. Jones wrote: > On Thu, Jul 07, 2016 at 09:50:17PM +0800, Jason Zaman wrote: >> Doesn't Android set the labels on the /system disk image during build? >> Maybe virt-builder can copy that? This would also speed up initial >> deployment of new images. > > Well this is the real problem. Because the guest policy is a binary > blob, and because the binary blobs are not (necessarily) compatible > across kernel versions, we cannot just load the policy blob of the > guest into our kernel, so we cannot label guests properly. Sure be > nice if policy wasn't stored in this way. Just to clarify, it is not necessary to load the guest policy into the host kernel in order to set labels on the guest filesystem. SELinux long ago introduced support for setting foreign/unknown labels on files by processes with the appropriate permissions, and that mechanism was used by livecd creator IIRC - it was also intended for use by rpm for labeling files before the corresponding policy module was installed but they never took advantage of it. The other approach would be to follow what we did in Android, i.e. extend the filesystem generation tools to look up the appropriate context and set the xattr when generating the image files. Similar support was also recently added to the OpenEmbedded tools for labeling those images. _______________________________________________ Selinux mailing list Selinux@xxxxxxxxxxxxx To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx. To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
