[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [libvirt] [PATCH 2/3] Set SELinux context label of pipes used for qemu migration



On 01/26/2011 07:11 AM, Daniel P. Berrange wrote:
On Tue, Jan 25, 2011 at 03:54:12PM -0500, Laine Stump wrote:
On 01/25/2011 12:49 PM, Daniel P. Berrange wrote:
On Tue, Jan 25, 2011 at 04:24:19AM -0500, Laine Stump wrote:
This patch is a partial resolution to the following bug:

    https://bugzilla.redhat.com/show_bug.cgi?id=667756

(to complete the fix, an updated selinux-policy package is required,
to add the policy that allows libvirt to set the context of a fifo,
which was previously not allowed).

Explanation : When an incoming migration is over a pipe (for example,
if the image was compressed and is being fed through gzip, or was on a
root-squash nfs server, so needed to be opened by a child process
running as a different uid), qemu cannot read it unless the selinux
context label for the pipe has been set properly.

The solution is to check the fd used as the source of the migration
just before passing it to qemu; if it's a fifo (implying that it's a
pipe), we call the newly added virSecurityManagerSetFDLabel() function
to set the context properly.
---
  src/qemu/qemu_driver.c |   18 ++++++++++++++++++
  1 files changed, 18 insertions(+), 0 deletions(-)

Ok, I see what you mean here. ACK to the original patch

Thanks! I just pushed.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]