[libvirt] [PATCH] security: Set permissions for kernel/initrd
Daniel P. Berrange
berrange at redhat.com
Mon Mar 15 15:33:44 UTC 2010
On Fri, Mar 12, 2010 at 02:01:44PM -0500, Cole Robinson wrote:
> Fixes URL installs when running virt-install as root on Fedora.
>
> Signed-off-by: Cole Robinson <crobinso at redhat.com>
> ---
> src/qemu/qemu_security_dac.c | 21 +++++++++++++++++++++
> src/security/security_selinux.c | 16 ++++++++++++++++
> 2 files changed, 37 insertions(+), 0 deletions(-)
>
> diff --git a/src/qemu/qemu_security_dac.c b/src/qemu/qemu_security_dac.c
> index 6911f48..1883fbe 100644
> --- a/src/qemu/qemu_security_dac.c
> +++ b/src/qemu/qemu_security_dac.c
> @@ -332,6 +332,15 @@ qemuSecurityDACRestoreSecurityAllLabel(virDomainObjPtr vm)
> vm->def->disks[i]) < 0)
> rc = -1;
> }
> +
> + if (vm->def->os.kernel &&
> + qemuSecurityDACRestoreSecurityFileLabel(vm->def->os.kernel) < 0)
> + rc = -1;
> +
> + if (vm->def->os.initrd &&
> + qemuSecurityDACRestoreSecurityFileLabel(vm->def->os.initrd) < 0)
> + rc = -1;
> +
> return rc;
> }
>
> @@ -356,6 +365,18 @@ qemuSecurityDACSetSecurityAllLabel(virDomainObjPtr vm)
> return -1;
> }
>
> + if (vm->def->os.kernel &&
> + qemuSecurityDACSetOwnership(vm->def->os.kernel,
> + driver->user,
> + driver->group) < 0)
> + return -1;
> +
> + if (vm->def->os.initrd &&
> + qemuSecurityDACSetOwnership(vm->def->os.initrd,
> + driver->user,
> + driver->group) < 0)
> + return -1;
> +
> return 0;
> }
>
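Review bot: The two added `qemuSecurityDACSetOwnership` calls make `driver->user`/`driver->group` the owner of `os.kernel` and `os.initrd`, which grants more than the read access QEMU presumably needs. If the path in the domain definition names a file the host also uses rather than a per-guest copy, the QEMU account may then be able to modify it, depending on the file mode. A comment above the first check would record the assumption, e.g. `/* kernel/initrd are chowned like disk images; paths are expected to be per-guest files, not host-shared ones */`. Separately, if the initrd call fails after the kernel call succeeded, the function returns -1 with the kernel still re-owned; whether the caller runs the restore path in that case is not visible, since the function body begins outside the hunk. The same early-return pattern appears in the SELinuxSetSecurityAllLabel hunk.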
> diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
> index b2c8581..975b315 100644
> --- a/src/security/security_selinux.c
> +++ b/src/security/security_selinux.c
> @@ -616,6 +616,14 @@ SELinuxRestoreSecurityAllLabel(virDomainObjPtr vm)
> rc = -1;
> }
>
> + if (vm->def->os.kernel &&
> + SELinuxRestoreSecurityFileLabel(vm->def->os.kernel) < 0)
> + rc = -1;
> +
> + if (vm->def->os.initrd &&
> + SELinuxRestoreSecurityFileLabel(vm->def->os.initrd) < 0)
> + rc = -1;
> +
> return rc;
> }
>
> @@ -736,6 +744,14 @@ SELinuxSetSecurityAllLabel(virDomainObjPtr vm)
> return -1;
> }
>
> + if (vm->def->os.kernel &&
> + SELinuxSetFilecon(vm->def->os.kernel, default_content_context) < 0)
> + return -1;
> +
> + if (vm->def->os.initrd &&
> + SELinuxSetFilecon(vm->def->os.initrd, default_content_context) < 0)
> + return -1;
> +
> return 0;
> }
>
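Review bot: The added `SELinuxSetFilecon` calls label the kernel and initrd with `default_content_context` instead of the per-domain image label, and nothing in the hunk says why. If that context is the shared content label that confined guests can read but not write, as its name suggests, it suits boot files, but any confined guest can then read them. The restore hunk presumably also puts back a policy default rather than the label the file carried before. A short comment above the first check would make the choice explicit, e.g. `/* kernel/initrd are read-only boot inputs: use the shared content label, not the per-VM image label */`. The function body begins outside the hunk.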
ACK
NB, the restore step will almost certainly fail in the common case of
virt-manager/virt-install, since the files are unlinked. We treat
restore as non-fatal though, so this shouldn't cause any serious problems.
Daniel
--
|: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://deltacloud.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|