Daniel P. Berrange e4e69e899e Apply security label when entering LXC namespaces
Add a new virDomainLxcEnterSecurityLabel() function as a
counterpart to virDomainLxcEnterNamespaces(), which can
change the current calling process to have a new security
context. This call runs client side, not in libvirtd
so we can't use the security driver infrastructure.

When entering a namespace, the process spawned from virsh
will default to running with the security label of virsh.
The actual desired behaviour is to run with the security
label of the container most of the time. So this changes
virsh lxc-enter-namespace command to invoke the
virDomainLxcEnterSecurityLabel method.

The current behaviour is:

LABEL                             PID TTY          TIME CMD
system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 1 pts/0 00:00:00 systemd
system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 3 pts/1 00:00:00 sh
system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 24 ? 00:00:00 systemd-journal
system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 29 ? 00:00:00 dhclient
staff_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 47 ? 00:00:00 ps

Note the ps command is running as unconfined_t,  After this patch,

The new behaviour is this:

virsh -c lxc:/// lxc-enter-namespace dan -- /bin/ps -eZ
LABEL                             PID TTY          TIME CMD
system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 1 pts/0 00:00:00 systemd
system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 3 pts/1 00:00:00 sh
system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 24 ? 00:00:00 systemd-journal
system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 32 ? 00:00:00 dhclient
system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 38 ? 00:00:00 ps

The '--noseclabel' flag can be used to skip security labelling.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-03-13 15:16:37 +00:00
..

    libvirt Python Bindings README
    ==============================

Most of the libvirt python binding code is automatically generated
using the script  generator.py, and the API description from
docs/libvirt-api.xml


Manually written files:

 - libvirt-override.c: methods where the C binding needs to be hand crafted
 - libvirt-override.py: global methods where the C and python bindings have different args
 - libvirt-override-api.xml: methods where the auto-extracted API docs are not
   suitable for python auto-generator. Overriding this if the method is going
   into libvirt-override.c, but we still want auto-generated libvirt-override.py
 - libvirt-override-virConnect.py: virConnect class methods
 - typewrappers.h,.c: Python object wrappers for each libvirt C object


Auto-generated files:

  - libvirt.py: The main python binding. Comprises auto-generated code, along
    with contents from libvirt-override.py and libvirt-override-virConnect.py
  - libvirt.c, libvirt.h: The C glue layer for the python binding. Comprises
    auto-generated code, along with libvirt-override.c
  - libvirt-export.c: List of auto-generated C methods, included into
    the libvirt-override.c method table