[libvirt] [PATCH] Fix save and restore with non-privileged guests and SELinux
Daniel Veillard
veillard at redhat.com
Wed Nov 11 13:42:23 UTC 2009
On Wed, Nov 11, 2009 at 12:14:41PM +0000, Daniel P. Berrange wrote:
> When running qemu:///system instance, libvirtd runs as root,
> but QEMU may optionally be configured to run non-root. When
> then saving a guest to a state file, the file is initially
> created as root, and thus QEMU cannot write to it. It is also
> missing labelling required to allow access via SELinux.
>
> * src/qemu/qemu_driver.c: Set ownership on save image before
> running migrate command in virDomainSave impl. Call out to
> security driver to set save image labelling
> * src/security/security_driver.h: Add driver APIs for setting
> and restoring saved state file labelling
> * src/security/security_selinux.c: Implement saved state file
> labelling for SELinux
> ---
> src/qemu/qemu_driver.c | 35 ++++++++++++++++++++++++++++++++---
> src/security/security_driver.h | 7 +++++++
> src/security/security_selinux.c | 23 +++++++++++++++++++++++
> 3 files changed, 62 insertions(+), 3 deletions(-)
>
> diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
> index 30003e6..b023902 100644
[...]
> + if (driver->privileged &&
> + chown(path, 0, 0) < 0) {
> + virReportSystemError(NULL, errno,
> + _("unable to set ownership of '%s' to user %d:%d"),
> + path, 0, 0);
> + goto endjob;
> + }
reusing qemuDomainSetFileOwnership() here would makes things a little
bit more readable I think, maybe qemuDomainSetFileOwnership error
message could be extended as provided there too,
But it's cosmetic, ACK in any case,
Daniel
--
Daniel Veillard | libxml Gnome XML XSLT toolkit http://xmlsoft.org/
daniel at veillard.com | Rpmfind RPM search engine http://rpmfind.net/
http://veillard.com/ | virtualization library http://libvirt.org/
More information about the libvir-list
mailing list