Dan Walsh's Blog

Got SELinux?

SELinux and guestfish
First let me apologize for the previous post.  For some reason livejournal.com was adding a bunch of line breaks (</br>) to my previous post when I submitted it.  I tried to remove them but the editor did not show them.  It must be a bug with using tables in the editor.

The other day, Richard Jones posted a blog on using guestfish to fix an SELinux issue.

After reading the blog, I thought I would play around with guestfish a little bit.  He suggested that you could fix a labelling issue on a virtual image by executing touch /.autorelabel and then booting the virtual image.  I experimented around and found that you could execute the following command and fix the labels before the boot.  I have a virtual machine named f12.

# guestfish -i f12

A potentially easier solution to the labelling issue brought up in Richard's blog would be:

><fs> sh "/sbin/setfiles -q /etc/selinux/targeted/contexts/files/file_contexts /"

This command corrects the labels on the guest's file system.  It will run for a while.

><fs> sh "/usr/sbin/sestatus"
SELinux status:                                  disabled

One problem with guestfish is that it does not set up the environment enough for the SELinux libraries to recognise that this is an SELinux environment.  libselinux uses /proc/filesystems and the /selinux file system to figure out whether SELinux is enabled.  Since these file systems are not available, the tools are fooled into thinking the system is disabled.  This is both a good and a bad thing.

It is a good thing because tools like load_policy will not actually load the policy.  Loading policy could mess up your host machine.  Say you were running on F12 and connected to a RHEL5 guest: if you loaded policy in the guest and it got loaded onto the host, your machine would probably break badly.

Not recognising that SELinux is enabled on this OS can be a bad thing in that tools like restorecon will not work.  Restorecon exits on disabled machines.  Tools like setfiles and semanage can run on disabled machines.  Semanage requires you to specify the store (-s targeted) in order to work on a "disabled" machine.  For example: semanage user -l -s targeted.

One possible use of this functionality would be to change the policy type on a guest OS.  If you wanted to turn the box into an MLS box you could execute:

><fs> sh "/bin/sed -i 's/SELINUXTYPE=.*/SELINUXTYPE=mls/g' /etc/selinux/config"
><fs> sh "/sbin/setfiles -q /etc/selinux/mls/contexts/files/file_contexts /"
><fs> sync
><fs> sync

Of course the mls policy would have had to be installed before this would work.  I don't think you can run yum install selinux-policy-mls from guestfish. 
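The config edit and the store-specific file_contexts path from the commands above, together with the selinuxfs check that explains why sestatus reports "disabled" under guestfish, as an added Python example (not Dan Walsh's or libguestfs code).  It assumes the guest's file system is mounted under some root directory on the host (for example with guestmount), and the enabled test is only an approximation of libselinux's logic.

```python
import os
import re
import tempfile

# SELINUXTYPE= line of /etc/selinux/config; anchored so comments are skipped.
_SELINUXTYPE_RE = re.compile(r"(?m)^SELINUXTYPE=(\S+)[ \t]*$")

def set_selinuxtype(config_text: str, new_type: str) -> str:
    """Rewrite SELINUXTYPE= (what the sed command above does), leaving
    SELINUX= and comment lines untouched."""
    if _SELINUXTYPE_RE.search(config_text) is None:
        raise ValueError("no SELINUXTYPE= line in /etc/selinux/config")
    return _SELINUXTYPE_RE.sub("SELINUXTYPE=" + new_type, config_text)

def file_contexts_path(config_text: str) -> str:
    """file_contexts of the configured store, the file setfiles must be
    pointed at: /etc/selinux/<SELINUXTYPE>/contexts/files/file_contexts."""
    m = _SELINUXTYPE_RE.search(config_text)
    if m is None:
        raise ValueError("no SELINUXTYPE= line in /etc/selinux/config")
    return "/etc/selinux/%s/contexts/files/file_contexts" % m.group(1)

def selinuxfs_visible(root: str = "/") -> bool:
    """Approximation of libselinux's enabled test: selinuxfs must be listed
    in /proc/filesystems and mounted (/selinux on F12-era systems,
    /sys/fs/selinux later).  Inside guestfish's sh neither exists, which is
    why sestatus reports 'disabled' and restorecon exits early."""
    try:
        with open(os.path.join(root, "proc/filesystems")) as f:
            if "selinuxfs" not in f.read():
                return False
    except OSError:
        return False
    return any(os.path.isfile(os.path.join(root, m, "enforce"))
               for m in ("selinux", "sys/fs/selinux"))

def build_fake_root(proc: bool, mounted: bool) -> str:
    """Constructed guest tree in a temp dir: optionally a /proc/filesystems
    listing selinuxfs and a fake /selinux mount carrying an enforce node."""
    base = tempfile.mkdtemp(prefix="fakeguest-")
    if proc:
        os.makedirs(os.path.join(base, "proc"))
        with open(os.path.join(base, "proc", "filesystems"), "w") as f:
            f.write("nodev\tselinuxfs\n\text4\n")
    if mounted:
        os.makedirs(os.path.join(base, "selinux"))
        with open(os.path.join(base, "selinux", "enforce"), "w") as f:
            f.write("1\n")
    return base
```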

If you wanted to change the ports that apache can listen on you could execute a command like:

><fs> sh "/usr/sbin/semanage port -a -s targeted -t http_port_t -p tcp 81"

Someone seems to have built some SELinux code into guestfish and guestfs. (Not me).

set-selinux 0 or 1 seems to set the boot flag to enable or disable SELinux (enabled defaults to permissive mode).

Not sure if this works, as on examination neither /etc/grub nor the /etc/selinux/config file is modified.

I think I would tend to avoid using the built-in commands, as they do not seem to work correctly.
