[libvirt] [PATCH 1/3] Set proper selinux label on image file during qemu domain restore
Daniel P. Berrange
berrange at redhat.com
Fri Jun 25 13:52:20 UTC 2010
On Fri, Jun 25, 2010 at 09:41:36AM -0400, Laine Stump wrote:
> On 06/25/2010 07:57 AM, Daniel P. Berrange wrote:
> >On Fri, Jun 25, 2010 at 07:42:13AM -0400, Laine Stump wrote:
> >
> >>- if (vm->def->os.kernel&&
> >>- SELinuxSetFilecon(vm->def->os.kernel, default_content_context)<
> >>0)
> >>- return -1;
> >>+ if (vm->def->os.kernel) {
> >>+ if (SELinuxSetFilecon(vm->def->os.kernel,
> >>default_content_context)< 0)
> >>+ return -1;
> >>+ } else if (stdin_path) {
> >>+ if (SELinuxSetFilecon(stdin_path, default_content_context)< 0)
> >>+ return -1;
> >>+ }
> >>
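Review bot: the "else if (stdin_path)" branch is reached only when vm->def->os.kernel is unset, so restoring a domain that also has a kernel configured would skip labelling stdin_path entirely. The two labels are unrelated: keep the kernel check as a plain "if" and add a second, independent "if (stdin_path && SELinuxSetFilecon(stdin_path, default_content_context) < 0) return -1;" after it.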
> >This doesn't make sense to me. Labelling of the kernel and labeling of
> >stdin_path are completely separate tasks, so shouldn't be in an if/elseif
> >arrangement.
> >
>
> Heh. The name didn't really make sense to me either, but my slight
> misunderstanding of the scope of the problem made me think that in some
> cases the filename would be in vm->def, and in others not, and that
> seemed the only place already being used.
>
> Now that I've looked back over the code, I see that this function is
> only called in one place, and the filename is *never* available in
> vm->def; it all makes much more sense now.
>
> I'm preparing a v2. The proper thing is to just add:
>
> if (stdin_path &&
>     SELinuxSetFilecon(stdin_path, default_content_context) < 0)
>     return -1;
>
> correct? Or is there a different context that would be better suited?
> (default_content_context certainly works).
This is good. QEMU only needs to be able to read from the file, never
write to it during restore, so default_content_context is the right
one.
Daniel
--
|: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://deltacloud.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|