[libvirt] [PATCH] Allow domain disk images on root-squash NFS to coexist with security driver.

Daniel Veillard veillard at redhat.com
Thu Apr 1 16:28:28 UTC 2010


On Thu, Apr 01, 2010 at 12:10:38PM -0400, Laine Stump wrote:
> (suggested by Daniel Berrange, tested by Dan Kenigsberg)
> 
> virStorageFileGetMetadata will fail for disk images that are stored on
> a root-squash NFS share that isn't world-readable.
> SELinuxSetSecurityImageLabel is called during the startup of every
> domain (as long as security_driver != "none"), and it will propagate
> the error from virStorageFileGetMetadata, causing the domain startup
> to fail. This is, however, a common scenario when qemu is run as a
> non-root user and the disk image is stored on NFS.
> 
> Ignoring this failure (which doesn't matter in this case, since the
> next thing done by SELinuxSetSecurityImageLabel - setting the file
> context - will also fail (and that function already ignores failures
> due to root-squash NFS) will allow us to continue bringing up the
> domain. The result is that we don't need to disable the entire
> security driver just because a domain's disk image is stored on
> root-squashed NFS.
> ---
>  src/security/security_selinux.c |    2 +-
>  1 files changed, 1 insertions(+), 1 deletions(-)
> 
> diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
> index 6680e2d..3e20475 100644
> --- a/src/security/security_selinux.c
> +++ b/src/security/security_selinux.c
> @@ -430,7 +430,7 @@ SELinuxSetSecurityImageLabel(virDomainObjPtr vm,
>          path = NULL;
>  
>          if (ret < 0)
> -            return -1;
> +           break;
>  
>          if (meta.backingStore != NULL &&
>              SELinuxSetFilecon(meta.backingStore,
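
Review bot: The `if (ret < 0)` branch now takes `break;` on every failure, not only the root-squash NFS case the commit message describes, so any other metadata error is also skipped without a trace, together with the `meta.backingStore` labeling that follows it. Consider limiting the ignored case to that permission failure if the cause can be told apart at this point, or at least logging a warning before `break;`, and add a short comment saying why the error is deliberately ignored. The `break;` line is also indented one column short of the `return -1;` it replaces.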

 ACK,

Daniel

-- 
Daniel Veillard      | libxml Gnome XML XSLT toolkit  http://xmlsoft.org/
daniel at veillard.com  | Rpmfind RPM search engine http://rpmfind.net/
http://veillard.com/ | virtualization library  http://libvirt.org/



