[libvirt] [PATCHv2 1/4] Set proper selinux label on image file during qemu domain restore

Mon Jun 28 15:43:06 UTC 2010

On Fri, Jun 25, 2010 at 01:22:14PM -0400, Laine Stump wrote:
> Also restore the label to its original value after qemu is finished
> with the file.
> 
> Prior to this patch, qemu domain restore did not function properly if
> selinux was set to enforce.
> ---
>  src/qemu/qemu_driver.c          |    6 +++++-
>  src/security/security_selinux.c |    6 +++++-
>  2 files changed, 10 insertions(+), 2 deletions(-)
> 
> diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
> index 9f4e082..9140b50 100644
> --- a/src/qemu/qemu_driver.c
> +++ b/src/qemu/qemu_driver.c
> @@ -6208,7 +6208,6 @@ error:
>      return -1;
>  }
>  
> -/* TODO: check seclabel restore */
>  static int ATTRIBUTE_NONNULL(6)
>  qemudDomainSaveImageStartVM(virConnectPtr conn,
>                              struct qemud_driver *driver,
> @@ -6320,6 +6319,11 @@ qemudDomainSaveImageStartVM(virConnectPtr conn,
>      ret = 0;
>  
>  out:
> +    if (driver->securityDriver &&
> +        driver->securityDriver->domainRestoreSavedStateLabel &&
> +        driver->securityDriver->domainRestoreSavedStateLabel(vm, path) == -1)
> +        VIR_WARN("failed to restore save state label on %s", path);
> +
>      return ret;
>  }
>  
> diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
> index 2b43f2d..a16ede9 100644
> --- a/src/security/security_selinux.c
> +++ b/src/security/security_selinux.c
> @@ -859,7 +859,7 @@ SELinuxClearSecuritySocketLabel(virSecurityDriverPtr drv,
>  }
>  
>  static int
> -SELinuxSetSecurityAllLabel(virDomainObjPtr vm, const char *stdin_path ATTRIBUTE_UNUSED)
> +SELinuxSetSecurityAllLabel(virDomainObjPtr vm, const char *stdin_path)
>  {
>      const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
>      int i;
> @@ -890,6 +890,10 @@ SELinuxSetSecurityAllLabel(virDomainObjPtr vm, const char *stdin_path ATTRIBUTE_
>          SELinuxSetFilecon(vm->def->os.initrd, default_content_context) < 0)
>          return -1;
>  
> +    if (stdin_path &&
> +        SELinuxSetFilecon(stdin_path, default_content_context) < 0)
> +        return -1;
> +
>      return 0;
>  }

ACK

Daniel
-- 
|: Red Hat, Engineering, London    -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://deltacloud.org :|
|: http://autobuild.org        -o-         http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-   F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|