qemu/tests/docker/dockerfiles
Richard W.M. Jones 3d212b41e9 nbd/server: Add --selinux-label option
Under SELinux, Unix domain sockets have two labels.  One is on the
disk and can be set with commands such as chcon(1).  There is a
different label stored in memory (called the process label).  This can
only be set by the process creating the socket.  When using SELinux +
SVirt and wanting qemu to be able to connect to a qemu-nbd instance,
you must set both labels correctly first.

For qemu-nbd the options to set the second label are awkward.  You can
create the socket in a wrapper program and then exec into qemu-nbd.
Or you could try something with LD_PRELOAD.

This commit adds the ability to set the label straightforwardly on the
command line, via the new --selinux-label flag.  (The name of the flag
is the same as the equivalent nbdkit option.)

A worked example showing how to use the new option can be found in
this bug: https://bugzilla.redhat.com/show_bug.cgi?id=1984938

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1984938
Signed-off-by: Richard W.M. Jones <rjones@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>

[eblake: rebase to configure changes, reject --selinux-label if it is
not compiled in or not used on a Unix socket]
Note that we may relax some of these restrictions at a later date,
such as making it possible to label a TCP socket, although it may be
smarter to do so as a generic QMP action rather than more one-off
command lines in qemu-nbd.
Signed-off-by: Eric Blake <eblake@redhat.com>
Message-Id: <20211115202944.615966-1-eblake@redhat.com>
Reviewed-by: Thomas Huth <thuth@redhat.com>
[eblake: adjust meson output as suggested by thuth]
Signed-off-by: Eric Blake <eblake@redhat.com>
2021-11-16 10:16:38 -06:00
..
debian-hexagon-cross.docker.d docker: Add Hexagon image 2021-05-18 09:35:39 +01:00
debian-microblaze-cross.d tests/docker: Add debian-microblaze-cross image 2021-11-04 10:32:00 +00:00
debian-nios2-cross.d tests/docker: Add debian-nios2-cross image 2021-11-04 10:31:32 +00:00
alpine.docker tcg: Build ffi data structures for helpers 2021-06-19 08:51:11 -07:00
centos8.docker nbd/server: Add --selinux-label option 2021-11-16 10:16:38 -06:00
debian10.docker tests/docker: remove FEATURES env var from templates 2021-07-14 14:33:53 +01:00
debian11.docker tests/docker: use explicit docker.io registry 2021-07-14 14:33:53 +01:00
debian-all-test-cross.docker tests/docker: add a linux-user testing focused image 2020-07-11 15:53:00 +01:00
debian-alpha-cross.docker tests/docker: change tag naming scheme of our images 2020-07-11 15:53:00 +01:00
debian-amd64-cross.docker tests/docker: change tag naming scheme of our images 2020-07-11 15:53:00 +01:00
debian-amd64.docker gitlab-ci.yml: Avoid some submodules to speed up the CI a little bit 2021-01-26 18:38:37 +01:00
debian-arm64-cross.docker tests/docker: change tag naming scheme of our images 2020-07-11 15:53:00 +01:00
debian-arm64-test-cross.docker tests/docker: change tag naming scheme of our images 2020-07-11 15:53:00 +01:00
debian-armel-cross.docker tests/docker: change tag naming scheme of our images 2020-07-11 15:53:00 +01:00
debian-armhf-cross.docker tests/docker: change tag naming scheme of our images 2020-07-11 15:53:00 +01:00
debian-bootstrap.docker docker: add commentary to debian-bootstrap.docker 2018-07-24 11:45:25 +01:00
debian-bootstrap.pre tests/docker: add support for DEB_KEYRING 2020-07-27 09:41:35 +01:00
debian-hexagon-cross.docker docker: Add Hexagon image 2021-05-18 09:35:39 +01:00
debian-hppa-cross.docker tests/docker: change tag naming scheme of our images 2020-07-11 15:53:00 +01:00
debian-m68k-cross.docker tests/docker: change tag naming scheme of our images 2020-07-11 15:53:00 +01:00
debian-mips64-cross.docker tests/docker: change tag naming scheme of our images 2020-07-11 15:53:00 +01:00
debian-mips64el-cross.docker tests/docker: change tag naming scheme of our images 2020-07-11 15:53:00 +01:00
debian-mips-cross.docker tests/docker: change tag naming scheme of our images 2020-07-11 15:53:00 +01:00
debian-mipsel-cross.docker tests/docker: change tag naming scheme of our images 2020-07-11 15:53:00 +01:00
debian-native.docker tests/docker: add a debian-native image and make available 2021-10-12 08:38:10 +01:00
debian-powerpc-test-cross.docker tests/docker: gcc-10 based images for ppc64{,le} tests 2021-05-18 09:36:21 +01:00
debian-ppc64el-cross.docker tests/docker: change tag naming scheme of our images 2020-07-11 15:53:00 +01:00
debian-riscv64-cross.docker tests/docker: promote debian-riscv64-cross to a full image 2021-10-12 08:37:05 +01:00
debian-s390x-cross.docker tests/docker: change tag naming scheme of our images 2020-07-11 15:53:00 +01:00
debian-sh4-cross.docker tests/docker: change tag naming scheme of our images 2020-07-11 15:53:00 +01:00
debian-sparc64-cross.docker tests/docker: change tag naming scheme of our images 2020-07-11 15:53:00 +01:00
debian-toolchain.docker tests/docker: Add debian-nios2-cross image 2021-11-04 10:31:32 +00:00
debian-tricore-cross.docker gitlab: enable a very minimal build with the tricore container 2021-07-23 17:22:16 +01:00
debian-xtensa-cross.docker tests/docker: use explicit docker.io registry 2021-07-14 14:33:53 +01:00
empty.docker tests/docker: add a docker-exec-copy-test 2021-02-08 09:41:00 +00:00
fedora-cris-cross.docker tests/docker: use project specific container registries 2021-07-14 14:33:53 +01:00
fedora-i386-cross.docker nbd/server: Add --selinux-label option 2021-11-16 10:16:38 -06:00
fedora-win32-cross.docker ci: add libusb for windows builds 2021-07-29 11:18:24 +02:00
fedora-win64-cross.docker ci: add libusb for windows builds 2021-07-29 11:18:24 +02:00
fedora.docker nbd/server: Add --selinux-label option 2021-11-16 10:16:38 -06:00
opensuse-leap.docker nbd/server: Add --selinux-label option 2021-11-16 10:16:38 -06:00
python.docker gitlab: add python linters to CI 2021-06-01 16:21:21 -04:00
ubuntu1804.docker nbd/server: Add --selinux-label option 2021-11-16 10:16:38 -06:00
ubuntu2004.docker nbd/server: Add --selinux-label option 2021-11-16 10:16:38 -06:00
ubuntu.docker tests/docker: remove FEATURES env var from templates 2021-07-14 14:33:53 +01:00