libvirt/python
Daniel P. Berrange e4e69e899e Apply security label when entering LXC namespaces
Add a new virDomainLxcEnterSecurityLabel() function as a
counterpart to virDomainLxcEnterNamespaces(), which can
change the current calling process to have a new security
context. This call runs client side, not in libvirtd
so we can't use the security driver infrastructure.

When entering a namespace, the process spawned from virsh
will default to running with the security label of virsh.
The actual desired behaviour is to run with the security
label of the container most of the time. So this changes
virsh lxc-enter-namespace command to invoke the
virDomainLxcEnterSecurityLabel method.

The current behaviour is:

LABEL                             PID TTY          TIME CMD
system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 1 pts/0 00:00:00 systemd
system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 3 pts/1 00:00:00 sh
system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 24 ? 00:00:00 systemd-journal
system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 29 ? 00:00:00 dhclient
staff_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 47 ? 00:00:00 ps

Note the ps command is running as unconfined_t,  After this patch,

The new behaviour is this:

virsh -c lxc:/// lxc-enter-namespace dan -- /bin/ps -eZ
LABEL                             PID TTY          TIME CMD
system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 1 pts/0 00:00:00 systemd
system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 3 pts/1 00:00:00 sh
system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 24 ? 00:00:00 systemd-journal
system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 32 ? 00:00:00 dhclient
system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 38 ? 00:00:00 ps

The '--noseclabel' flag can be used to skip security labelling.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-03-13 15:16:37 +00:00
..
tests Remove more trailing semicolons in Python files 2013-02-07 19:52:44 +01:00
generator.py Apply security label when entering LXC namespaces 2013-03-13 15:16:37 +00:00
libvirt-lxc-override-api.xml Introduce an LXC specific public API & library 2013-01-14 13:58:34 +00:00
libvirt-lxc-override.c Introduce an LXC specific public API & library 2013-01-14 13:58:34 +00:00
libvirt-override-api.xml python: Implement virDomainMigrateGetCompressionCache wrapper 2013-02-22 17:35:59 +01:00
libvirt-override-virConnect.py Remove more trailing semicolons in Python files 2013-02-07 19:52:44 +01:00
libvirt-override-virDomain.py list: provide python bindings for snapshots 2012-06-19 13:50:03 -06:00
libvirt-override-virDomainSnapshot.py python: Fix bindings for virDomainSnapshotGet{Domain,Connect} 2013-01-24 21:24:30 +01:00
libvirt-override-virStoragePool.py list: Expose virStoragePoolListAllVolumes to Python binding 2012-09-10 10:41:18 +08:00
libvirt-override-virStream.py python: correct a copy-paste error 2012-02-01 10:26:57 +01:00
libvirt-override.c python: Implement virDomainMigrateGetCompressionCache wrapper 2013-02-22 17:35:59 +01:00
libvirt-override.py Cosmetics: Remove semicolons 2013-02-07 07:49:57 +01:00
libvirt-qemu-override-api.xml agent: add python module support 2012-08-23 19:07:53 +08:00
libvirt-qemu-override.c agent: add python module support 2012-08-23 19:07:53 +08:00
Makefile.am sanitytest.py: Do not rely on system libvirt 2013-02-05 21:01:15 +01:00
README
sanitytest.py Check if classes are derived from object 2013-02-11 18:00:10 +01:00
TODO
typewrappers.c Rename memory.{c,h} to viralloc.{c,h} 2012-12-21 11:17:14 +00:00
typewrappers.h python: Add new helper functions for python to C integral conversion 2012-03-28 08:42:40 -06:00

    libvirt Python Bindings README
    ==============================

Most of the libvirt python binding code is automatically generated
using the script  generator.py, and the API description from
docs/libvirt-api.xml


Manually written files:

 - libvirt-override.c: methods where the C binding needs to be hand crafted
 - libvirt-override.py: global methods where the C and python bindings have different args
 - libvirt-override-api.xml: methods where the auto-extracted API docs are not
   suitable for python auto-generator. Overriding this if the method is going
   into libvirt-override.c, but we still want auto-generated libvirt-override.py
 - libvirt-override-virConnect.py: virConnect class methods
 - typewrappers.h,.c: Python object wrappers for each libvirt C object


Auto-generated files:

  - libvirt.py: The main python binding. Comprises auto-generated code, along
    with contents from libvirt-override.py and libvirt-override-virConnect.py
  - libvirt.c, libvirt.h: The C glue layer for the python binding. Comprises
    auto-generated code, along with libvirt-override.c
  - libvirt-export.c: List of auto-generated C methods, included into
    the libvirt-override.c method table