[libvirt] [PATCH for 1.2.8] selinux: properly label tap FDs with imagelabel
Pavel Hrdina
phrdina at redhat.com
Mon Sep 1 13:36:49 UTC 2014
On 09/01/2014 03:31 PM, Martin Kletzander wrote:
> The cleanup in commit cf976d9d used secdef->label to label the tap
> FDs, but that is not possible since it's a process-only label (svirt_t)
> and not an object label (e.g. svirt_image_t). Starting a domain failed
> with EPERM, but simply using secdef->label instead fixes it.
s/label/imagelabel/
>
> Signed-off-by: Martin Kletzander <mkletzan at redhat.com>
> ---
> src/security/security_selinux.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
> index 5d18493..e8c13db 100644
> --- a/src/security/security_selinux.c
> +++ b/src/security/security_selinux.c
> @@ -2340,7 +2340,7 @@ virSecuritySELinuxSetTapFDLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
> if (!secdef || !secdef->label)
> return 0;
>
> - return virSecuritySELinuxFSetFilecon(fd, secdef->label);
> + return virSecuritySELinuxFSetFilecon(fd, secdef->imagelabel);
> }
>
> static char *
>
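Review bot: the guard at the top of this hunk still tests `!secdef->label`, but the call below it now passes `secdef->imagelabel`, so nothing visible here guarantees that the value handed to virSecuritySELinuxFSetFilecon() is non-NULL. Consider changing the check to `if (!secdef || !secdef->imagelabel)` so the early `return 0` covers the field that is actually used. If a definition can carry a process label without an image label, the current guard lets a NULL context through to the labeling call.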
ACK with that change
Pavel