[libvirt] [PATCH] Allow domain disk images on root-squash NFS to coexist with security driver.
Daniel Veillard
veillard at redhat.com
Thu Apr 1 16:28:28 UTC 2010
On Thu, Apr 01, 2010 at 12:10:38PM -0400, Laine Stump wrote:
> (suggested by Daniel Berrange, tested by Dan Kenigsberg)
>
> virStorageFileGetMetadata will fail for disk images that are stored on
> a root-squash NFS share that isn't world-readable.
> SELinuxSetSecurityImageLabel is called during the startup of every
> domain (as long as security_driver != "none"), and it will propagate
> the error from virStorageFileGetMetadata, causing the domain startup
> to fail. This is, however, a common scenario when qemu is run as a
> non-root user and the disk image is stored on NFS.
>
> Ignoring this failure (which doesn't matter in this case, since the
> next thing done by SELinuxSetSecurityImageLabel - setting the file
> context - will also fail (and that function already ignores failures
> due to root-squash NFS) will allow us to continue bringing up the
> domain. The result is that we don't need to disable the entire
> security driver just because a domain's disk image is stored on
> root-squashed NFS.
> ---
> src/security/security_selinux.c | 2 +-
> 1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
> index 6680e2d..3e20475 100644
> --- a/src/security/security_selinux.c
> +++ b/src/security/security_selinux.c
> @@ -430,7 +430,7 @@ SELinuxSetSecurityImageLabel(virDomainObjPtr vm,
> path = NULL;
>
> if (ret < 0)
> - return -1;
> + break;
>
> if (meta.backingStore != NULL &&
> SELinuxSetFilecon(meta.backingStore,
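Review bot: the `break` under `if (ret < 0)` tolerates every negative return at that point, not only the root-squash NFS failure the commit message describes, and it does so with no comment or log message. A metadata failure with any other cause would now also be skipped silently, leaving the rest of the image chain without a label and nothing in the logs to show why. Suggest a short comment above the `break` stating that the failure is ignored because of root-squash NFS, plus a warning-level log at that spot. If the error cause can be distinguished here, limiting the tolerance to access-denied failures and keeping `return -1` for everything else would be tighter.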
ACK,
Daniel
--
Daniel Veillard | libxml Gnome XML XSLT toolkit http://xmlsoft.org/
daniel at veillard.com | Rpmfind RPM search engine http://rpmfind.net/
http://veillard.com/ | virtualization library http://libvirt.org/