[libvirt] [PATCH 4/7] security: Label parent directories of character devices
Daniel P. Berrange
berrange at redhat.com
Thu Aug 13 15:59:47 UTC 2015
On Thu, Aug 13, 2015 at 05:47:42PM +0200, Martin Kletzander wrote:
> We are currently unable to label parent directories for some paths.
> However, we will need to have per-domain directories that we would like
> to have labelled, but we can't label all of them. So let's add a
> boolean variable that will determine whether parent directory for such
> chardev should be labelled as well as that character device itself.
>
> Signed-off-by: Martin Kletzander <mkletzan at redhat.com>
> ---
> src/conf/domain_conf.h | 1 +
> src/security/security_dac.c | 13 ++++++++++++-
> src/security/security_selinux.c | 13 ++++++++++++-
> 3 files changed, 25 insertions(+), 2 deletions(-)
>
> diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h
> index e1872bca002c..9d549a395e29 100644
> --- a/src/conf/domain_conf.h
> +++ b/src/conf/domain_conf.h
> @@ -1191,6 +1191,7 @@ struct _virDomainChrSourceDef {
> } udp;
> struct {
> char *path;
> + bool autopath;
> bool listen;
> } nix;
> int spicevmc;
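Review bot: the new `bool autopath;` in the `nix` struct carries no comment, and the name does not tell a reader that it decides whether the security drivers label the parent directory of `path` as well as the socket itself. Since `_virDomainChrSourceDef` describes domain configuration, please document the field where it is declared and state whether it is only ever set internally for libvirt-generated per-domain paths, so that it is clear a user-chosen socket path cannot cause its parent directory to be relabelled. A name that reflects the labelling behaviour would also make the checks in the security drivers easier to audit.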
I don't think we need this - it seems we can just pass a 'bool labelParent'
parameter into virSecurityManagerSetChardevLabel() when calling it for
the monitor socket.
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|