rpms/python-virtinst/devel python-virtinst.spec, 1.62, 1.63 virtinst-0.400.3-selinux-context.patch, 1.1, 1.2
Daniel P. Berrange
berrange at fedoraproject.org
Fri Apr 3 18:25:27 UTC 2009
Author: berrange
Update of /cvs/pkgs/rpms/python-virtinst/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv25887
Modified Files:
python-virtinst.spec virtinst-0.400.3-selinux-context.patch
Log Message:
Attempt to fix SELinux labelling on CDROM ISOs used for installation
Index: python-virtinst.spec
===================================================================
RCS file: /cvs/pkgs/rpms/python-virtinst/devel/python-virtinst.spec,v
retrieving revision 1.62
retrieving revision 1.63
diff -u -r1.62 -r1.63
--- python-virtinst.spec 3 Apr 2009 17:17:04 -0000 1.62
+++ python-virtinst.spec 3 Apr 2009 18:24:57 -0000 1.63
@@ -17,7 +17,7 @@
Summary: Python modules and utilities for installing virtual machines
Name: python-%{appname}
Version: 0.400.3
-Release: 3%{_extra_release}
+Release: 4%{_extra_release}
Source0: http://virt-manager.org/download/sources/%{appname}/%{appname}-%{version}.tar.gz
Patch1: %{appname}-%{version}-fix-virtimage-scratch.patch
Patch2: %{appname}-%{version}-hostdev-libvirt-calls.patch
@@ -87,6 +87,9 @@
%{_bindir}/virt-convert
%changelog
+* Fri Apr 3 2009 Daniel P. Berrange <berrange at redhat.com> - 0.400.4-fc11
+- Attempt to fix SELinux labelling on CDROM ISOs used for installation
+
* Fri Apr 3 2009 Daniel P. Berrange <berrange at redhat.com> - 0.400.3-fc11
- Set SELinux context on $HOME/.virtinst to make kernel/initrd boot work (rhbz #491052)
virtinst-0.400.3-selinux-context.patch:
Index: virtinst-0.400.3-selinux-context.patch
===================================================================
RCS file: /cvs/pkgs/rpms/python-virtinst/devel/virtinst-0.400.3-selinux-context.patch,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- virtinst-0.400.3-selinux-context.patch 3 Apr 2009 17:17:04 -0000 1.1
+++ virtinst-0.400.3-selinux-context.patch 3 Apr 2009 18:24:57 -0000 1.2
@@ -1,3 +1,46 @@
+diff -rup virtinst-0.400.3.orig/virtinst/CapabilitiesParser.py virtinst-0.400.3.new/virtinst/CapabilitiesParser.py
+--- virtinst-0.400.3.orig/virtinst/CapabilitiesParser.py 2009-03-10 03:32:15.000000000 +0000
++++ virtinst-0.400.3.new/virtinst/CapabilitiesParser.py 2009-04-03 19:15:33.000000000 +0100
+@@ -93,6 +93,7 @@ class Host(object):
+
+ self.features = CapabilityFeatures()
+ self.topology = None
++ self.secmodel = None
+
+ if not node is None:
+ self.parseXML(node)
+@@ -103,6 +104,9 @@ class Host(object):
+ if child.name == "topology":
+ self.topology = Topology(child)
+
++ if child.name == "secmodel":
++ self.secmodel = SecurityModel(child)
++
+ if child.name != "cpu":
+ child = child.next
+ continue
+@@ -252,6 +256,21 @@ class TopologyCPU(object):
+ self.id = int(node.prop("id"))
+
+
++class SecurityModel(object):
++ def __init__(self, node = None):
++ self.model = None
++ self.doi = None
++
++ if not node is None:
++ self.parseXML(node)
++
++ def parseXML(self, node):
++ child = node.children
++ if child.name == "model":
++ self.model = child.content
++ elif cihld.name == "doi":
++ self.doi == child.content
++
+ class Capabilities(object):
+ def __init__(self, node = None):
+ self.host = None
diff -rup virtinst-0.400.3.orig/virtinst/Installer.py virtinst-0.400.3.new/virtinst/Installer.py
--- virtinst-0.400.3.orig/virtinst/Installer.py 2009-03-10 03:32:15.000000000 +0000
+++ virtinst-0.400.3.new/virtinst/Installer.py 2009-04-03 18:15:10.000000000 +0100
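Review bot: `SecurityModel.parseXML` only ever examines the first child of the `<secmodel>` node and then stops, so whichever of `<model>`/`<doi>` comes second is never parsed; the other parsers in this file walk `child = child.next` (visible in the `Host.parseXML` context a few lines up) and this one should too. The `elif` branch also misspells `child` as `cihld`, which raises `NameError` whenever the first child is not `<model>`, and `self.doi == child.content` compares instead of assigning, so `doi` stays `None` even on the intended path. Since `setup_security_context` in VirtualDisk.py keys its whole decision on `caps.host.secmodel.model`, a `<secmodel>` whose `<doi>` element precedes `<model>` would leave the model unset and silently disable the labelling check. Suggested rewrite of the method:
```python
    def parseXML(self, node):
        """Read <model> and <doi> from the <secmodel> capability node."""
        child = node.children
        while child:
            if child.name == "model":
                self.model = child.content
            elif child.name == "doi":
                self.doi = child.content
            child = child.next
```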
@@ -33,3 +76,97 @@
scratchdir = property(get_scratchdir)
def get_cdrom(self):
+Only in virtinst-0.400.3.new/virtinst: virtinst-0.400.3-selinux-context.patch
+diff -rup virtinst-0.400.3.orig/virtinst/VirtualDisk.py virtinst-0.400.3.new/virtinst/VirtualDisk.py
+--- virtinst-0.400.3.orig/virtinst/VirtualDisk.py 2009-03-10 03:32:15.000000000 +0000
++++ virtinst-0.400.3.new/virtinst/VirtualDisk.py 2009-04-03 19:23:49.000000000 +0100
+@@ -28,6 +28,7 @@ import _util
+ import Storage
+ from VirtualDevice import VirtualDevice
+ from virtinst import _virtinst as _
++from CapabilitiesParser import parse as parseCapabilities
+
+ def _vdisk_create(path, size, kind, sparse = True):
+ force_fixed = "raw"
+@@ -557,7 +558,6 @@ class VirtualDisk(VirtualDevice):
+ # vdisk _is_ a directory.
+ raise ValueError(_("The path '%s' must be a file or a "
+ "device, not a directory") % self.path)
+- # XXX: Any selinux validation checks should go here
+
+ self.__set_dev_type()
+ return True
+@@ -605,6 +605,8 @@ class VirtualDisk(VirtualDevice):
+ @param progresscb: progress meter
+ @type progresscb: instanceof urlgrabber.BaseMeter
+ """
++ self.setup_security_context()
++
+ if self.vol_object:
+ return
+ elif self.vol_install:
+@@ -651,7 +653,63 @@ class VirtualDisk(VirtualDevice):
+ os.close(fd)
+ if progresscb:
+ progresscb.end(size_bytes)
+- # FIXME: set selinux context?
++
++ def setup_security_context(self):
++ logging.info("Setting up security contexts")
++ if self.device != VirtualDisk.DEVICE_CDROM:
++ return
++
++ caps = parseCapabilities(self.conn.getCapabilities())
++ if caps.host.secmodel is None:
++ logging.info("No security model active")
++ return
++ if caps.host.secmodel.model != "selinux":
++ logging.info("Security model is not selinux")
++ return
++
++ wantLabel = "system_u:object_r:virt_content_t:s0"
++ changeLabel = False
++ if self.vol_object:
++ xml = self.vol_object.XMLDesc(0)
++ label = _util.get_xml_path(xml, "/volume/target/permissions/label")
++
++ if label == wantLabel:
++ logging.info("Labelling is correct")
++ return
++
++ if _util.is_uri_remote(self.conn.getURI()):
++ raise ValueError, _("Install volume %s has incorrect SELinux label %s, expecting %s" %
++ (self.path, label, wantLabel))
++ else:
++ changeLabel = True
++ elif self.path:
++ try:
++ import selinux
++ con = selinux.getfilecon(self.path)
++ if con == wantLabel:
++ logging.info("Labelling is correct")
++ return
++
++ if _util.is_remote_uri(self.conn.URI()):
++ raise ValueError, _("Install volume %s has incorrect SELinux label %s, expecting %s" %
++ (self.path, label, wantLabel))
++ else:
++ if self.path[0:4] == "/dev":
++ logging.info("Not changing context on physical device")
++ else:
++ changeLabel = True
++ except Exception, e:
++ logging.error("Failed to validate SELinux labelling: %s. Assuming its OK" % str(e))
++
++ if changeLabel:
++ try:
++ import selinux
++ selinux.setfilecon(self.path, wantLabel)
++ logging.info("Changed SELinux label to %s" % wantLabel)
++ except Exception, e:
++ raise ValueError, _(("Unable to fix install volume SELinux labelling: %s\n" % str(e)) +
++ ("Please run 'chcon %s %s' manually and retry installation" % (wantLabel, self.path)))
++
+
+ def get_xml_config(self, disknode=None):
+ """
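Review bot: In `setup_security_context` the `raise ValueError` for a mislabelled local path on a remote connection (the `elif self.path:` branch) sits inside the `try` whose `except Exception, e:` logs "Assuming its OK" and continues, so the intended hard failure is swallowed; that branch also formats `label`, which is only bound in the `vol_object` branch (the value here is `con`), so it would hit `NameError` before raising the intended error, and that too is swallowed the same way. The two branches also disagree on the helper spelling: `_util.is_uri_remote(self.conn.getURI())` at the first site versus `_util.is_remote_uri(self.conn.URI())` at the second; `getURI()` is the libvirt connection method, so the first form is presumably the correct one. Separately, I believe `selinux.getfilecon()` returns a `(rc, context)` pair rather than a bare string, in which case `con == wantLabel` never matches and every correctly labelled file would be relabelled — worth confirming against the bindings in use. A narrower `try` around just the import and the `getfilecon` call keeps the remote-connection error reachable:
```python
        elif self.path:
            try:
                import selinux
                con = selinux.getfilecon(self.path)
            except Exception, e:
                logging.error("Failed to validate SELinux labelling: %s. Assuming its OK" % str(e))
                con = None
            # NOTE(review): if getfilecon() returns (rc, context), compare con[1] here -- confirm
            if con is not None:
                if con == wantLabel:
                    logging.info("Labelling is correct")
                    return
                if _util.is_uri_remote(self.conn.getURI()):
                    raise ValueError, _("Install volume %s has incorrect SELinux label %s, expecting %s" %
                                        (self.path, con, wantLabel))
                elif self.path.startswith("/dev"):
                    logging.info("Not changing context on physical device")
                else:
                    changeLabel = True
        # ... unchanged: changeLabel handling and setfilecon call ...
```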