On Saturday 24 May 2014 16:25:14 Richard W.M. Jones wrote:
> What would be nice would be to have an API to just do this
> relabelling. Libguestfs could change this API as required to handle
> different guests.
>
> Dan Walsh helpfully pointed out to us that we've been doing it wrong
> all along :-) A much better way to relabel is to run:
>
> setfiles /etc/selinux/targeted/contexts/files/file_contexts DIR
>
> where 'file_contexts' is a file which contains the default labels for
> files (a set of regexps), and 'DIR' is the directory at which
> relabelling starts. Note that 'setfiles' would be the libguestfs
> appliance binary, so no guest binary needs to be run.
>
> A simple API could just look like this:
>
> guestfs_selinux_relabel (g);
>
> which would always use the 'targeted' policy from the guest, and
> always start relabelling at the root. This would work fine for
> virt-builder.
>
> For Colin's requirements for Project Atomic, I suspect he will want to
> be able to set the file_contexts file and the root directory, but
> I'll leave him to describe what would be useful.
I have been experimenting/working on this last week (fighting against two SELinux, the one to make happy in the guest, and the active-but-not-enforcing one eventually present in the appliance), and now I have something working.

As you said, there are various possibilities in configuring such a selinux_relabel API; in my first implementation I chose to have it take as mandatory argument the root of the guest to relabel, and it is able to discover the configured policy there.

Of course I am open to suggestions/complaints/etc about it.

-- 
Pino Toscano

_______________________________________________
Libguestfs mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/libguestfs
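The two ideas in this thread, running the appliance's own `setfiles` against the guest's `file_contexts` and discovering the guest's configured policy from the guest root, as an added shell example that is not code from libguestfs or from either poster. It assumes the guest records its policy in `/etc/selinux/config` as `SELINUXTYPE=...` and uses the `-r` option of `setfiles` so paths are matched relative to the guest mount point rather than the appliance root; the `setfiles` command is printed, not executed.

```shell
#!/bin/sh
# Given the mounted root of a guest (e.g. /sysroot inside the appliance),
# work out which SELinux policy the guest is configured for and build the
# setfiles invocation that relabels it using the appliance's setfiles
# binary, so no guest binary has to be run.
# Assumption (not from the thread): the policy name lives in
# $ROOT/etc/selinux/config as SELINUXTYPE=<name>.

# Print the guest's file_contexts path; fail if the guest has SELinux
# disabled, no config, no SELINUXTYPE, or no file_contexts for the policy.
guest_file_contexts() {
    root=$1
    cfg="$root/etc/selinux/config"
    [ -f "$cfg" ] || { echo "no $cfg" >&2; return 1; }
    state=$(sed -n 's/^SELINUX=\([a-z]*\).*/\1/p' "$cfg" | tail -n 1)
    policy=$(sed -n 's/^SELINUXTYPE=\([A-Za-z0-9_-]*\).*/\1/p' "$cfg" | tail -n 1)
    if [ "$state" = "disabled" ]; then
        echo "SELinux is disabled in the guest; nothing to relabel" >&2
        return 1
    fi
    [ -n "$policy" ] || { echo "no SELINUXTYPE in $cfg" >&2; return 1; }
    fc="$root/etc/selinux/$policy/contexts/files/file_contexts"
    [ -f "$fc" ] || { echo "policy '$policy' has no $fc" >&2; return 1; }
    printf '%s\n' "$fc"
}

# Build the relabel command: appliance setfiles, the guest's own spec
# file, with -r so the regexps in file_contexts match guest paths, and
# relabelling started at the guest root.
relabel_command() {
    root=$1
    fc=$(guest_file_contexts "$root") || return 1
    printf 'setfiles -r %s %s %s\n' "$root" "$fc" "$root"
}
```

Inside the appliance, `relabel_command /sysroot` prints the command for a guest mounted at /sysroot; pipe it to `sh` to actually relabel.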
