FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Redhat > Fedora/Linux Management Tools

 
 
LinkBack Thread Tools
 
Old 02-22-2009, 07:34 PM
Cole Robinson
 
Default Patch to python-virtinst to allow it to choose svirt labels

Daniel J Walsh wrote:

The patch didn't apply to latest upstream (there has been a lot of code
movement recently). I rediffed the patch to apply against current tip,
and made a few minor changes that don't change the overall result
(mentioned below).

> Also found at least one big bug in python-virtinst, VirtualDisk.py was
> dropping the "/" between dirname and basename of installation object,
> when you told it to create the object.
>

This is already fixed upstream. You also had a minor bug fix in the
Installer class that is fixed as well, so I dropped both pieces.

> I think we want to have a big switch stored in libvirt somewhere saying
> whether or not we want isolated virtual machines.
>

I think this should really be at the management tool level (i.e,
virt-manager). libvirt should be dumb in this respect, being passed a
label via the xml and doing with it what it's told.

I figure, virt-manager can have an option in Edit->Preferences,
something like "Isolate virtual machines with SELinux". Defaults to on.
If selinux isn't running, we disable the option with a tooltip
explaining why (or maybe hide it altogether). If the option is enabled,
virt-manager will assign labels to VMs at install time, and check all
active connections to avoid label collisions. More advanced behavior can
come later (assigning specific labels, some sort of collision
resolution with VMs on new connections, etc.)

Updated patch attached, I'll reply with patch specific comments later.

Thanks,
Cole
_______________________________________________
et-mgmt-tools mailing list
et-mgmt-tools@redhat.com
https://www.redhat.com/mailman/listinfo/et-mgmt-tools
 
Old 02-22-2009, 08:53 PM
Cole Robinson
 
Default Patch to python-virtinst to allow it to choose svirt labels

Cole Robinson wrote:
> Daniel J Walsh wrote:
>

<snip>

>
> Updated patch attached, I'll reply with patch specific comments later.
>
> Thanks,
> Cole
>

Two major pieces missing from this patch:

1) Some way to skip all this. If selinux isn't enabled on the host, or
the user doesn't request labeling, we shouldn't do the work.

2) Support in CapabilitiesParser for the host security policy, otherwise
we have no way of knowing if selinux is enabled on a remote host.

> diff -r 026a37ccd417 virtinst/Guest.py
> --- a/virtinst/Guest.py Sat Feb 21 14:36:07 2009 -0500
> +++ b/virtinst/Guest.py Sat Feb 21 15:09:49 2009 -0500
> @@ -27,6 +27,8 @@
> import libvirt
> import CapabilitiesParser
> import VirtualGraphics
> +import selinux

This import should be moved into gen_seclabels, and probably wrapped in
a try...except block, and if the import fails (libselinux-python isn't
isntalled) we just skip adding the labels to the xml. This will make it
easier for other distros who may not want the selinux support to avoid
problems.

> +import random
>
> import osdict
> from virtinst import _virtinst as _
> @@ -71,6 +73,8 @@
> self._cpuset = None
> self._graphics_dev = None
> self._consolechild = None
> + self._seclabel = None
> + self._imagelabel = None
>
> self._os_type = None
> self._os_variant = None
> @@ -101,6 +105,16 @@
>
> self._caps = CapabilitiesParser.parse(self.conn.getCapabilities ())
>
> + (self.default_seclabel,
> + self.default_imagelabel) = self._default_seclabels()
> +
> + while self._seclabel == None:
> + seclabel, imagelabel = self.gen_seclabels()
> + if self.is_conflict_seclabel(self.conn, seclabel):
> + continue
> + self.set_seclabel(seclabel)
> + self.set_imagelabel(imagelabel)
> +
>
> def get_installer(self):
> return self._installer
> @@ -110,6 +124,20 @@
> self._installer = val
> installer = property(get_installer, set_installer)
>
> + # Security context used to secure guest image
> + def get_imagelabel(self):
> + return self._imagelabel
> + def set_imagelabel(self, val):
> + self._imagelabel = val
> + imagelabel = property(get_imagelabel, set_imagelabel)
> +
> + # Security context used to secure guest process
> + def get_seclabel(self):
> + return self._seclabel
> + def set_seclabel(self, val):
> + self._seclabel = val
> + seclabel = property(get_seclabel, set_seclabel)
> +
> # Domain name of the guest
> def get_name(self):
> return self._name
> @@ -407,6 +435,19 @@
> xml = _util.xml_append(xml, sound_dev.get_xml_config())
> return xml
>
> + def _get_seclabel_xml(self):
> + xml = ""
> + if self._seclabel != None:
> + xml = """
> + <seclabel model='selinux'>
> + <label>%s</label>
> + <image>%s</image>
> + </seclabel>
> +""" % ( self._seclabel, self._imagelabel)
> + print xml
> + return xml
> +
> +

This doesn't look like it matches the latest svirt libvirt patches: I
don't see an <image> tag in those.

> def _get_device_xml(self, install=True):
> xml = ""
>
> @@ -494,6 +535,7 @@
> <devices>
> %(devices)s
> </devices>
> + %(secxml)s
> </domain>
> """ % { "type": self.type,
> "name": self.name,
> @@ -504,7 +546,8 @@
> "maxramkb": self.maxmemory * 1024,
> "devices": self._get_device_xml(install),
> "osblob": osblob,
> - "action": action }
> + "action": action,
> + "secxml": self._get_seclabel_xml()}
>
>
> def start_install(self, consolecb=None, meter=None, removeOld=False,
> @@ -537,6 +580,8 @@
> """Ensure that devices are setup"""
> for disk in self._install_disks:
> disk.setup(progresscb)
> + # Not sure of this, might want to put this in VirtualDisk class
> + selinux.setfilecon(disk.path, self._imagelabel)

Yes, this should be in the VirtualDisk class, in the setup method.
VirtualDisk would also need an imagelabel attribute in that case. It may
be nice to also keep the Guest one, rather than force the user to fill
in the imagelabel for every VirtualDisk object being added.

Either way, this will break the remote case as is.

> for nic in self._install_nics:
> nic.setup(self.conn)
>
> @@ -631,6 +676,80 @@
> if self.domain is not None:
> raise RuntimeError, _("Domain has already been started!")
>
> + def _default_seclabels(self):
> + try:
> + fd = open(selinux.selinux_virtual_domain_context_path() , 'r')
> + except OSError, (err_no, msg):
> + raise RuntimeError(_("Failed to find SELinux virtual domains "
> + "context: %s: %s %s" %
> + (selinux.selinux_virtual_domain_context_path(),
> + err_no, msg)))
> +
> + label = fd.read()
> + fd.close()
> + try:
> + fd = open(selinux.selinux_virtual_image_context_path(), 'r')
> + except OSError, (err_no, msg):
> + raise RuntimeError(_("Failed to find SELinux virtual image "
> + "context: %s: %s %s" %
> + (selinux.selinux_virtual_domain_context_path(),
> + err_no, msg)))
> +

What version of libselinux-python were these functions added in? They
don't seem present on F9 at least.

Also, this labeling would only be relevant on the local host. Maybe this
info should be exposed by libvirt capabilities?

If we do get this info from capabilities, then we may as well just
remove the dependency on libselinux-python, and just use 'chcon' directly.

The rest looks reasonable.

Thanks,
Cole

_______________________________________________
et-mgmt-tools mailing list
et-mgmt-tools@redhat.com
https://www.redhat.com/mailman/listinfo/et-mgmt-tools
 

Thread Tools




All times are GMT. The time now is 02:02 PM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org