[Libguestfs] [PATCH v2 4/5] add-domain: Pass SELinux label from guest to appliance (RHBZ#912499).

Richard W.M. Jones rjones at redhat.com
Fri Mar 1 12:49:42 UTC 2013


On Fri, Mar 01, 2013 at 12:33:49PM +0000, Matthew Booth wrote:
> On Thu, 2013-02-28 at 16:02 +0000, Richard W.M. Jones wrote:
> > +  /* Find and pass the SELinux security label to the libvirt back end. */
> > +  if (libvirt_selinux_label (g, doc, &label, &imagelabel) == -1)
> > +    return -1;
> > +  if (label && imagelabel) {
> > +    guestfs_internal_set_libvirt_selinux_label (g, label, imagelabel);
> > +    guestfs_internal_set_libvirt_selinux_norelabel_disks (g, 1);
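
Review bot: the return values of guestfs_internal_set_libvirt_selinux_label and guestfs_internal_set_libvirt_selinux_norelabel_disks in the last two lines are discarded, while the libvirt_selinux_label call above them is checked against -1. If either setter can fail, check it and return -1 so that a failed label hand-off is not missed. The `label && imagelabel` test also skips quietly when only one of the two was found; a debug message for that case would make it visible.
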
> 
> Do we need both internal apis? 1 seems to imply the other.

They're congruent, but I think it makes the code clearer not to
overload one API.

> > +  bool gotlabel = 0, gotimagelabel = 0;
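
Review bot: gotlabel and gotimagelabel are declared bool but initialised with 0; use false, and add a one-line comment saying what the two flags guard, since their purpose is not evident from the declaration alone.
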
> 
> gotlabel and gotimagelabel appear to be unused apart from assignment.

They are used later to ensure that we don't assign to the label_rtn /
imagelabel_rtn parameters twice (which would be a memory leak).
eg. If the XML had two <image/> elements.

> > +  if (nr_nodes == 0 || nr_nodes > 1)
> > +    return 0;
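
Review bot: `return 0` covers both nr_nodes == 0 and nr_nodes > 1, so the caller cannot tell "no seclabel" from "more than one" and in both cases carries on as if the guest had no label. Handle nr_nodes > 1 on its own branch (warn, or choose which node to use) and reduce the remaining test to nr_nodes == 0.
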
> 
> Not terribly important, but I wouldn't silently bomb out here if
> nr_nodes > 1. If you're going to catch it at all I'd add a warning and
> continue.
[...]

It's possible to supply multiple <seclabel/> elements, ie. libvirt
will parse that, but at the moment it wouldn't generate it.  We should
also probably check that any seclabel element we do use has the
model=selinux property.

I'll have a look at whether it's possible to use xpath exprs to do all
of the above.

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
virt-df lists disk usage of guests without needing to install any
software inside the virtual machine.  Supports Linux and Windows.
http://people.redhat.com/~rjones/virt-df/
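
The selection discussed at the end of the message above (only a seclabel with model=selinux, with the zero and multiple cases kept apart), as an added example that is not part of the original post or the libguestfs patch. It uses Python's ElementTree XPath subset instead of libxml2 so that it runs stand-alone; the sample domain XML and the function name selinux_labels are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed libvirt domain XML (not from the thread): two <seclabel/>
# elements with different models, which libvirt is able to parse.
SAMPLE_DOMAIN_XML = """
<domain type='kvm'>
  <name>guest</name>
  <seclabel type='dynamic' model='dac' relabel='yes'>
    <label>+107:+107</label>
    <imagelabel>+107:+107</imagelabel>
  </seclabel>
  <seclabel type='dynamic' model='selinux' relabel='yes'>
    <label>system_u:system_r:svirt_t:s0:c87,c520</label>
    <imagelabel>system_u:object_r:svirt_image_t:s0:c87,c520</imagelabel>
  </seclabel>
</domain>
"""


def selinux_labels(domain_xml):
    """Return (label, imagelabel) from the SELinux <seclabel/>, or None.

    None means there is nothing usable to pass on. More than one SELinux
    seclabel raises ValueError instead of being silently ignored.
    """
    root = ET.fromstring(domain_xml)
    # The predicate restricts the match to model='selinux', so labels that
    # belong to other security drivers are never considered.
    nodes = root.findall("./seclabel[@model='selinux']")
    if not nodes:
        return None
    if len(nodes) > 1:
        raise ValueError("multiple SELinux <seclabel/> elements")
    label = nodes[0].findtext("label")
    imagelabel = nodes[0].findtext("imagelabel")
    # Only hand labels on when both are present and non-empty.
    if not label or not imagelabel:
        return None
    return label.strip(), imagelabel.strip()


if __name__ == "__main__":
    print(selinux_labels(SAMPLE_DOMAIN_XML))
```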
