-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 05/17/2013 05:52 AM, Daniel P. Berrange wrote: > On Wed, May 15, 2013 at 02:36:32PM -0400, dwa...@redhat.com wrote: >> From: Dan Walsh <dwa...@redhat.com> >> >> mcstransd is a translation tool that can translate MCS Labels into human >> understandable code. I have patched it to watch for translation files in >> the /run/setrans directory. This allows us to run commands like ps -eZ >> and see system_u:system_r:svirt_t:Fedora18 rather then >> system_u:system_r:svirt_t:s0:c1,c2. When used with containers it would >> make an easy way to list all processes within a container using ps -eZ | >> grep Fedora18 --- src/security/security_selinux.c | 59 >> ++++++++++++++++++++++++++++++++++++++++- 1 file changed, 58 >> insertions(+), 1 deletion(-) >> >> diff --git a/src/security/security_selinux.c >> b/src/security/security_selinux.c index 5d108b9..cbcd013 100644 --- >> a/src/security/security_selinux.c +++ b/src/security/security_selinux.c 
>> @@ -83,6 +83,57 @@ >> virSecuritySELinuxRestoreSecurityTPMFileLabelInt(virSecurityManagerPtr >> mgr, virDomainTPMDefPtr tpm); >> >> >> +static int +virSecuritySELinuxAddMCSFile(const char *name, + >> const char *label) +{ + int ret = -1; + char *tmp = NULL; + >> context_t con = NULL; + + if (virAsprintf(&tmp, "%s/%s", >> SELINUX_TRANS_DIR, name) < 0) { + virReportOOMError(); + >> return -1; + } + if (! (con = context_new(label))) { + >> virReportSystemError(errno, "%s", + _("unable >> to allocate security context")); + goto cleanup; + } + if >> (virFileWriteStr(tmp, context_range_get(con), 0) < 0) { + >> virReportSystemError(errno, + _("unable to >> create MCS file %s"), tmp); + goto cleanup; + } + ret = 0; >> + +cleanup: + VIR_FREE(tmp); + context_free(con); + return ret; >> +} + +static int +virSecuritySELinuxRemoveMCSFile(const char *name) +{ + >> char *tmp=NULL; + int ret = -1; + if (virAsprintf(&tmp, "%s/%s", >> SELINUX_TRANS_DIR, name) < 0) { + virReportOOMError(); + >> return -1; + } + if (unlink(tmp) < 0 && errno != ENOENT) { + >> virReportSystemError(errno, + _("Unable to >> remove MCS file %s"), tmp); + goto cleanup; + } + ret = 0; >> + +cleanup: + VIR_FREE(tmp); + return ret; +} + /* * Returns 0 on >> success, 1 if already reserved, or -1 on fatal error */ @@ -1953,7 >> +2004,7 @@ virSecuritySELinuxReleaseSecurityLabel(virSecurityManagerPtr >> mgr, } VIR_FREE(secdef->imagelabel); >> >> - return 0; + return virSecuritySELinuxRemoveMCSFile(def->name); } 
>> >> >> @@ -2047,10 +2098,16 @@ >> virSecuritySELinuxSetSecurityProcessLabel(virSecurityManagerPtr mgr >> ATTRIBUTE_UN return -1; } >> >> + if (virSecuritySELinuxAddMCSFile(def->name, secdef->label) < 0) { + >> if (security_getenforce() == 1) + return -1; + } + > > As you mentioned offlist, this is not going to work because the > SetProcessLabel function is called in a child process, where you can't > guarantee to see the host's /run directory. > > Instead it should be done in the GenSecurityLabel function which is called > from a safe context. > > > Daniel >
I did get this to work last night by moving the virSecurityManagerSetProcessLabel call into the PivotRoot code, before the call to lxcContainerMountAllFS, which overmounts the /run directory. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.13 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iEYEARECAAYFAlGWMYQACgkQrlYvE4MpobO9LgCePeIBlJuCTONdoAgeRk11EFE1 saYAnjX5ViWMMTXDI9qDlk59wlE6+3F8 =ju8u -----END PGP SIGNATURE-----
>From 3faf3644d44771f49b61fb5cf453d1321f8c0272 Mon Sep 17 00:00:00 2001 From: Dan Walsh <dwa...@redhat.com> Date: Thu, 16 May 2013 21:21:05 -0400 Subject: [PATCH 2/2] libvirt writes an mcs translation file to /run/setrans directory mcstransd is a translation tool that can translate MCS Labels into human understandable code. I have patched it to watch for translation files in the /run/setrans directory. This allows us to run commands like ps -eZ and see system_u:system_r:svirt_t:Fedora18 rather then system_u:system_r:svirt_t:s0:c1,c2. When used with containers it would make an easy way to list all processes within a container using ps -eZ | grep Fedora18 --- src/lxc/lxc_container.c | 8 +++--- src/security/security_selinux.c | 57 ++++++++++++++++++++++++++++++++++++++++- 2 files changed, 60 insertions(+), 5 deletions(-) diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c index 48ccc09..cb6ae6a 100644 --- a/src/lxc/lxc_container.c +++ b/src/lxc/lxc_container.c @@ -1829,6 +1829,10 @@ static int lxcContainerSetupPivotRoot(virDomainDefPtr vmDef, if (lxcContainerPopulateDevices(ttyPaths, nttyPaths) < 0) goto cleanup; + VIR_DEBUG("Setting up security labeling"); + if (virSecurityManagerSetProcessLabel(securityDriver, vmDef) < 0) + goto cleanup; + /* Sets up any non-root mounts from guest config */ if (lxcContainerMountAllFS(vmDef, sec_mount_options) < 0) goto cleanup; @@ -2027,10 +2031,6 @@ static int lxcContainerChild(void *data) goto cleanup; } - VIR_DEBUG("Setting up security labeling"); - if (virSecurityManagerSetProcessLabel(argv->securityDriver, vmDef) < 0) - goto cleanup; - if (lxcContainerSetStdio(argv->monitor, ttyfd, argv->handshakefd) < 0) { goto cleanup; } diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c index 5d108b9..5c04d5e 100644 --- a/src/security/security_selinux.c +++ b/src/security/security_selinux.c 
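Review bot: Moving virSecurityManagerSetProcessLabel into lxcContainerSetupPivotRoot (hunk @@ -1829) means that the setexeccon call and, with the companion security_selinux.c change, the write of SELINUX_TRANS_DIR/<name> now happen inside the container child at a point where the root filesystem may already have been pivoted; the part of lxcContainerSetupPivotRoot that would show this starts before the hunk, so I cannot confirm it here. If the pivot has happened, the translation file is written into the container's own root filesystem rather than the host's /run, where the guest can read, replace or delete it, and the earlier review comment about the child not seeing the host's /run still applies in a different form. A safer split keeps the host-side file write in the parent (the GenSecurityLabel path suggested earlier) and leaves only the setexeccon step in the child. The deletion at @@ -2027 is the other half of the same move.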
@@ -83,6 +83,57 @@ virSecuritySELinuxRestoreSecurityTPMFileLabelInt(virSecurityManagerPtr mgr, virDomainTPMDefPtr tpm); +static int +virSecuritySELinuxAddMCSFile(const char *name, + const char *label) +{ + int ret = -1; + char *tmp = NULL; + context_t con = NULL; + + if (virAsprintf(&tmp, "%s/%s", SELINUX_TRANS_DIR, name) < 0) { + virReportOOMError(); + return -1; + } + if (!(con = context_new(label))) { + virReportSystemError(errno, "%s", + _("unable to allocate security context")); + goto cleanup; + } + if (virFileWriteStr(tmp, context_range_get(con), S_IRUSR|S_IWUSR) < 0) { + virReportSystemError(errno, + _("unable to create MCS file %s"), tmp); + goto cleanup; + } + ret = 0; + +cleanup: + VIR_FREE(tmp); + context_free(con); + return ret; +} + +static int +virSecuritySELinuxRemoveMCSFile(const char *name) +{ + char *tmp = NULL; + int ret = -1; + if (virAsprintf(&tmp, "%s/%s", SELINUX_TRANS_DIR, name) < 0) { + virReportOOMError(); + return -1; + } + if (unlink(tmp) < 0 && errno != ENOENT) { + virReportSystemError(errno, + _("Unable to remove MCS file %s"), tmp); + goto cleanup; + } + ret = 0; + +cleanup: + VIR_FREE(tmp); + return ret; +} + /* * Returns 0 on success, 1 if already reserved, or -1 on fatal error */ @@ -1953,7 +2004,7 @@ virSecuritySELinuxReleaseSecurityLabel(virSecurityManagerPtr mgr, } VIR_FREE(secdef->imagelabel); - return 0; + return virSecuritySELinuxRemoveMCSFile(def->name); } @@ -2047,10 +2098,14 @@ virSecuritySELinuxSetSecurityProcessLabel(virSecurityManagerPtr mgr ATTRIBUTE_UN return -1; } + if (virSecuritySELinuxAddMCSFile(def->name, secdef->label) < 0) + return -1; + if (setexeccon_raw(secdef->label) == -1) { virReportSystemError(errno, _("unable to set security context '%s'"), secdef->label); + virSecuritySELinuxRemoveMCSFile(def->name); if (security_getenforce() == 1) return -1; } -- 1.8.2.1
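Review bot: virSecuritySELinuxAddMCSFile passes context_range_get(con) straight to virFileWriteStr without checking it for NULL; context_new() accepts a three-field label with no range component, and context_range_get() then returns NULL, which virFileWriteStr would treat as a string. A guard such as `const char *range = context_range_get(con); if (!range) { virReportError(VIR_ERR_INTERNAL_ERROR, _("label '%s' has no MCS range"), label); goto cleanup; }` before the write covers that case. The path is built from the caller-supplied name with a plain "%s/%s"; unless domain names are already rejected elsewhere when they contain '/' (which I cannot confirm from this patch), a name with a path separator would place the file outside SELINUX_TRANS_DIR, so a `strchr(name, '/')` check belongs at the top of this function regardless. The mode S_IRUSR|S_IWUSR also deserves a comment saying which process is expected to read the file (the mcstransd named in the commit message), since 0600 only works if that reader runs as the same user as libvirtd.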
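Review bot: virSecuritySELinuxReleaseSecurityLabel now returns whatever virSecuritySELinuxRemoveMCSFile returns, so an unlink failure other than ENOENT turns the label release into a failure after the rest of the teardown in this function has already run and secdef->imagelabel has been freed, which the caller cannot undo; the function starts outside the hunk. Since the translation file is only a convenience for the translation daemon, reporting the error but keeping the original result, `virSecuritySELinuxRemoveMCSFile(def->name); return 0;`, fits the best-effort character of this path better. If the hard failure is intended, a one-line comment above the return saying why a leftover translation file must fail the release would help the next reader.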
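Review bot: In virSecuritySELinuxSetSecurityProcessLabel the new virSecuritySELinuxAddMCSFile failure returns -1 unconditionally, while the setexeccon_raw failure directly below it is still tolerated when security_getenforce() != 1; an unwritable or missing SELINUX_TRANS_DIR therefore blocks domain start even in permissive mode, which the previous revision of this patch (quoted above) gated on enforcing mode. Either gate both failures the same way, `if (virSecuritySELinuxAddMCSFile(def->name, secdef->label) < 0 && security_getenforce() == 1) return -1;`, or add a comment above the call explaining why the translation file is mandatory while the label itself is not. The return value of the cleanup call on the setexeccon_raw error path is ignored, which is fine as best effort, but a `/* best effort; error already reported */` comment would make that deliberate. The enclosing function starts outside the hunk.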