[libvirt] [PATCH 2/2] security: Save contexts of resources for restoring it.

Yang Dongsheng yangds.fnst at cn.fujitsu.com
Mon Jun 24 10:12:01 UTC 2013


On 06/24/2013 05:50 PM, Daniel P. Berrange wrote:
> On Mon, Jun 24, 2013 at 02:42:16PM +0800, yangdongsheng wrote:
>> Before this patch, if relabel is yes or sec_type is dynamic in the VM,
>> after the VM stopped, the resources this VM accessed were restored to
>> the default label for their path, but not the label they had before the VM started.
>>
>> This patch introduces a struct named _virSecuritySELinuxBackupContext to
>> save the path and the label before libvirt changes them. The labels will
>> be restored to the path when the VM is stopped.
>>
>> TODO: There is only restoring for imageFile in this patch,
>> files of other types will be implemented later.
>>
>> Signed-off-by: yangdongsheng<yangds.fnst at cn.fujitsu.com>
>> ---
>>   src/security/security_selinux.c |  229 +++++++++++++++++++++++++++++++++++++--
>>   1 file changed, 222 insertions(+), 7 deletions(-)
>>
>> diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
>> index 6fe063e..a780569 100644
>> --- a/src/security/security_selinux.c
>> +++ b/src/security/security_selinux.c
>> @@ -57,12 +57,16 @@ typedef virSecuritySELinuxData *virSecuritySELinuxDataPtr;
>>   typedef struct _virSecuritySELinuxCallbackData virSecuritySELinuxCallbackData;
>>   typedef virSecuritySELinuxCallbackData *virSecuritySELinuxCallbackDataPtr;
>>
>> +typedef struct _virSecuritySELinuxBackupContext virSecuritySELinuxBackupContext;
>> +typedef virSecuritySELinuxBackupContext *virSecuritySELinuxBackupContextPtr;
>> +
>>   struct _virSecuritySELinuxData {
>>       char *domain_context;
>>       char *alt_domain_context;
>>       char *file_context;
>>       char *content_context;
>>       virHashTablePtr mcs;
>> +    virSecuritySELinuxBackupContextPtr backup_header;
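Review bot: the new `backup_header` pointer is added to the driver-wide `_virSecuritySELinuxData`, not to any per-domain state, so the saved path/label pairs for every running VM land in one list held only in libvirtd's memory; nothing in this hunk persists them, so after a libvirtd restart (or a migration where a different libvirtd restores the labels) the original label is gone and the restore described in the commit message can only fall back to the default label. Keying the backup entries by domain and resource path, with a reference count for a disk shared by several VMs, and storing them somewhere that survives the daemon would address this; the two added typedefs are fine, but the struct definition they refer to is not in this hunk, so its contents cannot be reviewed here.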
> NACK
>
> You cannot store this data inside libvirtd. We need to cope with libvirtd
> being restarted at any time for software upgrades. We also need to cope
> with migration where the libvirtd restoring labels is not the same as
> the libvirtd setting the original labels. We also need to cope with shared
> disks where multiple VMs use a label & have ref counting.
>
> There was an attempt to fix this problem for the DAC labels, which
> stalled. Whatever approach is used for the DAC labels, should also be
> used for the SELinux labels
>
> http://www.redhat.com/archives/libvir-list/2013-March/msg01289.html
>
>
> Daniel
Got it.
Thanx :)