[libvirt] Re: [PATCH 1/2] Re-label shared and readonly images

Fri Jul 3 10:04:57 UTC 2009

On Fri, Jul 03, 2009 at 10:35:56AM +0100, Mark McLoughlin wrote:
> From: Daniel P. Berrange <berrange at redhat.com>
> 
> This patch was posted ages ago here:
> 
>   https://bugzilla.redhat.com/493692
> 
> But was never posted upstream AFAICT.
> 
> Signed-off-by: Mark McLoughlin <markmc at redhat.com>

Doh, I dropped the ball on that one.

ACK

Daniel

> ---
>  src/security_selinux.c |   27 +++++++++++++++++----------
>  1 files changed, 17 insertions(+), 10 deletions(-)
> 
> diff --git a/src/security_selinux.c b/src/security_selinux.c
> index 4fb7c86..87073d2 100644
> --- a/src/security_selinux.c
> +++ b/src/security_selinux.c
> @@ -24,11 +24,12 @@
>  #include "virterror_internal.h"
>  #include "util.h"
>  #include "memory.h"
> -
> +#include "logging.h"
>  
>  #define VIR_FROM_THIS VIR_FROM_SECURITY
>  
>  static char default_domain_context[1024];
> +static char default_content_context[1024];
>  static char default_image_context[1024];
>  #define SECURITY_SELINUX_VOID_DOI       "0"
>  #define SECURITY_SELINUX_NAME "selinux"
> @@ -148,8 +149,13 @@ SELinuxInitialize(virConnectPtr conn)
>      close(fd);
>  
>      ptr = strchrnul(default_image_context, '\n');
> -    *ptr = '\0';
> -
> +    if (*ptr == '\n') {
> +        *ptr = '\0';
> +        strcpy(default_content_context, ptr+1);
> +        ptr = strchrnul(default_content_context, '\n');
> +        if (*ptr == '\n')
> +            *ptr = '\0';
> +    }
>      return 0;
>  }
>  
> @@ -313,6 +319,8 @@ SELinuxSetFilecon(virConnectPtr conn, const char *path, char *tcon)
>  {
>      char ebuf[1024];
>  
> +    VIR_INFO("Setting SELinux context on '%s' to '%s'", path, tcon);
> +
>      if(setfilecon(path, tcon) < 0) {
>          virSecurityReportError(conn, VIR_ERR_ERROR,
>                                 _("%s: unable to set security context "
> @@ -337,9 +345,6 @@ SELinuxRestoreSecurityImageLabel(virConnectPtr conn,
>      char *newpath = NULL;
>      const char *path = disk->src;
>  
> -    if (disk->readonly || disk->shared)
> -        return 0;
> -
>      if ((err = virFileResolveLink(path, &newpath)) < 0) {
>          virReportSystemError(conn, err,
>                               _("cannot resolve symlink %s"), path);
> @@ -366,8 +371,13 @@ SELinuxSetSecurityImageLabel(virConnectPtr conn,
>  {
>      const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
>  
> -    if (secdef->imagelabel)
> +    if (disk->shared) {
> +        return SELinuxSetFilecon(conn, disk->src, default_image_context);
> +    } else if (disk->readonly) {
> +        return SELinuxSetFilecon(conn, disk->src, default_content_context);
> +    } else if (secdef->imagelabel) {
>          return SELinuxSetFilecon(conn, disk->src, secdef->imagelabel);
> +    }
>  
>      return 0;
>  }
> @@ -441,9 +451,6 @@ SELinuxSetSecurityLabel(virConnectPtr conn,
>  
>      if (secdef->imagelabel) {
>          for (i = 0 ; i < vm->def->ndisks ; i++) {
> -            if (vm->def->disks[i]->readonly ||
> -                vm->def->disks[i]->shared) continue;
> -
>              if (SELinuxSetSecurityImageLabel(conn, vm, vm->def->disks[i]) < 0)
>                  return -1;
>          }
> -- 
> 1.6.2.5
> 

-- 
|: Red Hat, Engineering, London   -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org  -o-  http://virt-manager.org  -o-  http://ovirt.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-  F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|