[libvirt] [PATCH 2/3] Set SELinux context label of pipes used for qemu migration

Laine Stump laine at laine.org
Wed Jan 26 14:05:24 UTC 2011


On 01/26/2011 07:11 AM, Daniel P. Berrange wrote:
> On Tue, Jan 25, 2011 at 03:54:12PM -0500, Laine Stump wrote:
>> On 01/25/2011 12:49 PM, Daniel P. Berrange wrote:
>>> On Tue, Jan 25, 2011 at 04:24:19AM -0500, Laine Stump wrote:
>>>> This patch is a partial resolution to the following bug:
>>>>
>>>>     https://bugzilla.redhat.com/show_bug.cgi?id=667756
>>>>
>>>> (to complete the fix, an updated selinux-policy package is required,
>>>> to add the policy that allows libvirt to set the context of a fifo,
>>>> which was previously not allowed).
>>>>
>>>> Explanation: When an incoming migration is over a pipe (for example,
>>>> if the image was compressed and is being fed through gzip, or was on a
>>>> root-squash nfs server, so needed to be opened by a child process
>>>> running as a different uid), qemu cannot read it unless the selinux
>>>> context label for the pipe has been set properly.
>>>>
>>>> The solution is to check the fd used as the source of the migration
>>>> just before passing it to qemu; if it's a fifo (implying that it's a
>>>> pipe), we call the newly added virSecurityManagerSetFDLabel() function
>>>> to set the context properly.
>>>> ---
>>>>   src/qemu/qemu_driver.c |   18 ++++++++++++++++++
>>>>   1 files changed, 18 insertions(+), 0 deletions(-)
>>
> Ok, I see what you mean here. ACK to the original patch

Thanks! I just pushed.
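
One way to do the check the quoted commit message describes (relabel the migration fd only when it is a fifo), as an added example that is not code from this thread or from the libvirt patch. `label_if_fifo`, `fd_label_fn` and `record_label` are hypothetical names, and the labeller is a constructed stand-in for a real call such as libselinux's `fsetfilecon()`.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical callback type: applies a security context to an open fd.
 * On an SELinux host this could wrap libselinux's fsetfilecon(fd, ctx). */
typedef int (*fd_label_fn)(int fd, const char *ctx);

/* Constructed stand-in labeller: records the request instead of touching
 * SELinux, so the example runs on any POSIX system. */
static int last_labelled_fd = -1;
static char last_ctx[128];

int record_label(int fd, const char *ctx)
{
    last_labelled_fd = fd;
    snprintf(last_ctx, sizeof(last_ctx), "%s", ctx);
    return 0;
}

/* Returns 1 if fd is a fifo and was labelled, 0 if fd is not a fifo
 * (left untouched), -1 if fstat or the labeller failed. */
int label_if_fifo(int fd, const char *ctx, fd_label_fn set_label)
{
    struct stat sb;

    if (fstat(fd, &sb) < 0)
        return -1;      /* e.g. EBADF: the caller should treat this as an error */
    if (!S_ISFIFO(sb.st_mode))
        return 0;       /* file, device, socket: existing label is kept */
    if (set_label(fd, ctx) < 0)
        return -1;      /* labelling failed: report it, do not ignore it */
    return 1;
}

int main(void)
{
    int p[2];
    int nonfifo = open("/dev/null", O_RDONLY);   /* non-fifo fd for comparison */

    if (pipe(p) < 0 || nonfifo < 0)
        return 1;
    printf("pipe:     %d\n", label_if_fifo(p[0], "constructed_ctx", record_label));
    printf("non-fifo: %d\n", label_if_fifo(nonfifo, "constructed_ctx", record_label));
    printf("bad fd:   %d\n", label_if_fifo(-1, "constructed_ctx", record_label));
    return 0;
}
```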



