[libvirt] Fwd: [PATCH] selinux: Avoid label reservations for type = none during restart

Shivaprasad bhat shivaprasadbhat at gmail.com
Wed Aug 13 05:19:34 UTC 2014


Hi,

Could someone please help me with review for this patch?

Thanks and Regards,
Shiva

---------- Forwarded message ----------
From: Shivaprasad G Bhat <shivaprasadbhat at gmail.com>
Date: Tue, Jun 10, 2014 at 5:12 PM
Subject: [libvirt] [PATCH] selinux: Avoid label reservations for type = none during restart
To: libvir-list at redhat.com


The problem is that libvirt kills the guests during libvirt restart if more
than one guest has security type as none. This is because libvirt, as part of
guest-reconnect, tries to reserve the security labels. In case of type=none,
the range of security context happens to be the same for several guests. During
reservation, the second attempt to reserve the same range fails and the guests
would be killed. The fix is to avoid reserving labels for type = none during
libvirt restart.

Signed-off-by: Shivaprasad G Bhat <sbhat at linux.vnet.ibm.com>
---
 src/security/security_selinux.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index 008c58c..2f8a7f2 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -739,7 +739,8 @@
virSecuritySELinuxReserveSecurityLabel(virSecurityManagerPtr mgr,
     virSecurityLabelDefPtr seclabel;

     seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
-    if (!seclabel || seclabel->type == VIR_DOMAIN_SECLABEL_STATIC)
+    if (!seclabel || seclabel->type == VIR_DOMAIN_SECLABEL_STATIC ||
+        seclabel->type == VIR_DOMAIN_SECLABEL_NONE)
         return 0;

     if (getpidcon_raw(pid, &pctx) == -1) {
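
Review bot: the early return in virSecuritySELinuxReserveSecurityLabel now also covers `seclabel->type == VIR_DOMAIN_SECLABEL_NONE`, but nothing at the condition says why, so a later reader cannot tell from the code that this case is skipped on purpose. Add a short comment above the `if` saying, as the commit message does, that guests with type=none can end up with the same context range, so a second reservation on reconnect would fail. Separately, the hunk header is split over two lines (`@@ -739,7 +739,8 @@` with the function name on the following line), which suggests the mail client rewrapped the patch; resending it unwrapped would let it apply as posted.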
