rpms/python-virtinst/devel python-virtinst.spec, 1.62, 1.63 virtinst-0.400.3-selinux-context.patch, 1.1, 1.2

Daniel P. Berrange berrange at fedoraproject.org
Fri Apr 3 18:25:27 UTC 2009


Author: berrange

Update of /cvs/pkgs/rpms/python-virtinst/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv25887

Modified Files:
	python-virtinst.spec virtinst-0.400.3-selinux-context.patch 
Log Message:
Attempt to fix SELinux labelling on CDROM ISOs used for installation


Index: python-virtinst.spec
===================================================================
RCS file: /cvs/pkgs/rpms/python-virtinst/devel/python-virtinst.spec,v
retrieving revision 1.62
retrieving revision 1.63
diff -u -r1.62 -r1.63
--- python-virtinst.spec	3 Apr 2009 17:17:04 -0000	1.62
+++ python-virtinst.spec	3 Apr 2009 18:24:57 -0000	1.63
@@ -17,7 +17,7 @@
 Summary: Python modules and utilities for installing virtual machines
 Name: python-%{appname}
 Version: 0.400.3
-Release: 3%{_extra_release}
+Release: 4%{_extra_release}
 Source0: http://virt-manager.org/download/sources/%{appname}/%{appname}-%{version}.tar.gz
 Patch1: %{appname}-%{version}-fix-virtimage-scratch.patch
 Patch2: %{appname}-%{version}-hostdev-libvirt-calls.patch
@@ -87,6 +87,9 @@
 %{_bindir}/virt-convert
 
 %changelog
+* Fri Apr  3 2009 Daniel P. Berrange <berrange at redhat.com> - 0.400.4-fc11
+- Attempt to fix SELinux labelling on CDROM ISOs used for installation
+
 * Fri Apr  3 2009 Daniel P. Berrange <berrange at redhat.com> - 0.400.3-fc11
 - Set SELinux context on $HOME/.virtinst to make kernel/initrd boot work (rhbz #491052)
 

virtinst-0.400.3-selinux-context.patch:

Index: virtinst-0.400.3-selinux-context.patch
===================================================================
RCS file: /cvs/pkgs/rpms/python-virtinst/devel/virtinst-0.400.3-selinux-context.patch,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- virtinst-0.400.3-selinux-context.patch	3 Apr 2009 17:17:04 -0000	1.1
+++ virtinst-0.400.3-selinux-context.patch	3 Apr 2009 18:24:57 -0000	1.2
@@ -1,3 +1,46 @@
+diff -rup virtinst-0.400.3.orig/virtinst/CapabilitiesParser.py virtinst-0.400.3.new/virtinst/CapabilitiesParser.py
+--- virtinst-0.400.3.orig/virtinst/CapabilitiesParser.py	2009-03-10 03:32:15.000000000 +0000
++++ virtinst-0.400.3.new/virtinst/CapabilitiesParser.py	2009-04-03 19:15:33.000000000 +0100
+@@ -93,6 +93,7 @@ class Host(object):
+ 
+         self.features = CapabilityFeatures()
+         self.topology = None
++        self.secmodel = None
+ 
+         if not node is None:
+             self.parseXML(node)
+@@ -103,6 +104,9 @@ class Host(object):
+             if child.name == "topology":
+                 self.topology = Topology(child)
+ 
++            if child.name == "secmodel":
++                self.secmodel = SecurityModel(child)
++
+             if child.name != "cpu":
+                 child = child.next
+                 continue
+@@ -252,6 +256,21 @@ class TopologyCPU(object):
+         self.id = int(node.prop("id"))
+ 
+ 
++class SecurityModel(object):
++    def __init__(self, node = None):
++        self.model = None
++        self.doi = None
++
++        if not node is None:
++            self.parseXML(node)
++
++    def parseXML(self, node):
++        child = node.children
++        if child.name == "model":
++            self.model = child.content
++        elif cihld.name == "doi":
++            self.doi == child.content
++
+ class Capabilities(object):
+     def __init__(self, node = None):
+         self.host = None
 diff -rup virtinst-0.400.3.orig/virtinst/Installer.py virtinst-0.400.3.new/virtinst/Installer.py
 --- virtinst-0.400.3.orig/virtinst/Installer.py	2009-03-10 03:32:15.000000000 +0000
 +++ virtinst-0.400.3.new/virtinst/Installer.py	2009-04-03 18:15:10.000000000 +0100
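Review bot: `SecurityModel.parseXML` inspects only the first child of `<secmodel>` and never advances, so `doi` is never read; the `elif` branch also misspells `child` as `cihld` (a NameError whenever the first child is not `<model>`) and `self.doi == child.content` compares instead of assigning. Walk the sibling list the way the `Host.parseXML` hunk above does with `child = child.next`. Since `setup_security_context` in the VirtualDisk hunk below keys its whole decision off `caps.host.secmodel.model`, a parse failure here silently disables the label check, so a small capabilities fixture exercising `model` and `doi` is worth adding. The whole method lies inside this hunk; rewritten:
```python
    def parseXML(self, node):
        child = node.children
        while child:
            if child.name == "model":
                self.model = child.content
            elif child.name == "doi":
                self.doi = child.content
            child = child.next
```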
@@ -33,3 +76,97 @@
      scratchdir = property(get_scratchdir)
  
      def get_cdrom(self):
+Only in virtinst-0.400.3.new/virtinst: virtinst-0.400.3-selinux-context.patch
+diff -rup virtinst-0.400.3.orig/virtinst/VirtualDisk.py virtinst-0.400.3.new/virtinst/VirtualDisk.py
+--- virtinst-0.400.3.orig/virtinst/VirtualDisk.py	2009-03-10 03:32:15.000000000 +0000
++++ virtinst-0.400.3.new/virtinst/VirtualDisk.py	2009-04-03 19:23:49.000000000 +0100
+@@ -28,6 +28,7 @@ import _util
+ import Storage
+ from VirtualDevice import VirtualDevice
+ from virtinst import _virtinst as _
++from CapabilitiesParser import parse as parseCapabilities
+ 
+ def _vdisk_create(path, size, kind, sparse = True):
+     force_fixed = "raw"
+@@ -557,7 +558,6 @@ class VirtualDisk(VirtualDevice):
+                     # vdisk _is_ a directory.
+                     raise ValueError(_("The path '%s' must be a file or a "
+                                        "device, not a directory") % self.path)
+-                # XXX: Any selinux validation checks should go here
+ 
+             self.__set_dev_type()
+             return True
+@@ -605,6 +605,8 @@ class VirtualDisk(VirtualDevice):
+         @param progresscb: progress meter
+         @type progresscb: instanceof urlgrabber.BaseMeter
+         """
++        self.setup_security_context()
++
+         if self.vol_object:
+             return
+         elif self.vol_install:
+@@ -651,7 +653,63 @@ class VirtualDisk(VirtualDevice):
+                     os.close(fd)
+                 if progresscb:
+                     progresscb.end(size_bytes)
+-        # FIXME: set selinux context?
++
++    def setup_security_context(self):
++        logging.info("Setting up security contexts")
++        if self.device != VirtualDisk.DEVICE_CDROM:
++            return
++
++        caps = parseCapabilities(self.conn.getCapabilities())
++        if caps.host.secmodel is None:
++            logging.info("No security model active")
++            return
++        if caps.host.secmodel.model != "selinux":
++            logging.info("Security model is not selinux")
++            return
++
++        wantLabel = "system_u:object_r:virt_content_t:s0"
++        changeLabel = False
++        if self.vol_object:
++            xml = self.vol_object.XMLDesc(0)
++            label = _util.get_xml_path(xml, "/volume/target/permissions/label")
++
++            if label == wantLabel:
++                logging.info("Labelling is correct")
++                return
++
++            if _util.is_uri_remote(self.conn.getURI()):
++                raise ValueError, _("Install volume %s has incorrect SELinux label %s, expecting %s" %
++                                    (self.path, label, wantLabel))
++            else:
++                changeLabel = True
++        elif self.path:
++            try:
++                import selinux
++                con = selinux.getfilecon(self.path)
++                if con == wantLabel:
++                    logging.info("Labelling is correct")
++                    return
++
++                if _util.is_remote_uri(self.conn.URI()):
++                    raise ValueError, _("Install volume %s has incorrect SELinux label %s, expecting %s" %
++                                        (self.path, label, wantLabel))
++                else:
++                    if self.path[0:4] == "/dev":
++                        logging.info("Not changing context on physical device")
++                    else:
++                        changeLabel = True
++            except Exception, e:
++                logging.error("Failed to validate SELinux labelling: %s. Assuming its OK" % str(e))
++
++        if changeLabel:
++            try:
++                import selinux
++                selinux.setfilecon(self.path, wantLabel)
++                logging.info("Changed SELinux label to %s" % wantLabel)
++            except Exception, e:
++                raise ValueError, _(("Unable to fix install volume SELinux labelling: %s\n" % str(e)) +
++                                    ("Please run 'chcon %s %s' manually and retry installation" % (wantLabel, self.path)))
++
+ 
+     def get_xml_config(self, disknode=None):
+         """
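Review bot: In `setup_security_context` the `elif self.path:` branch can never report a mismatch: the `raise ValueError` at `if _util.is_remote_uri(self.conn.URI()):` sits inside the `try` whose `except Exception` logs "Assuming its OK" and continues, that line uses `is_remote_uri`/`URI()` where the `vol_object` branch above uses `_util.is_uri_remote(self.conn.getURI())`, and its message references `label`, which is unbound in this branch (the value read is `con`). If I recall the libselinux bindings correctly, `selinux.getfilecon()` returns a `(rc, context)` pair rather than a bare string, so `con == wantLabel` never matches even when the file is labelled correctly — worth confirming, as is whether `setfilecon()` in the `changeLabel` block signals failure through its return code rather than by raising. Keep the `try` around only the selinux call and move the remote/device decision out of it, as below. The leading context lines (`scratchdir = property(...)`, `def get_cdrom(self):`) belong to a definition that starts outside this hunk.
```python
        # … unchanged: device/secmodel checks and vol_object branch …
        elif self.path:
            try:
                import selinux
                rc, con = selinux.getfilecon(self.path)
            except Exception, e:
                logging.error("Failed to validate SELinux labelling: %s. Assuming its OK" % str(e))
                return

            if con == wantLabel:
                logging.info("Labelling is correct")
                return

            if _util.is_uri_remote(self.conn.getURI()):
                raise ValueError, _("Install volume %s has incorrect SELinux label %s, expecting %s" %
                                    (self.path, con, wantLabel))
            elif self.path[0:4] == "/dev":
                logging.info("Not changing context on physical device")
            else:
                changeLabel = True
        # … unchanged: changeLabel block …
```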



