[libvirt] [PATCH] storage: qemu: Fix security labelling of new image chain elements

Peter Krempa pkrempa at redhat.com
Fri Nov 21 08:31:12 UTC 2014


On 11/21/14 00:15, Eric Blake wrote:
> On 11/20/2014 08:23 AM, Peter Krempa wrote:
>> When creating a disk image snapshot the libvirt code would blindly copy
>> the parent's label to the newly created image. This runs into problems
>> when you start a VM from an image hosted on NFS (or other storage system
>> that doesn't support selinux labels) and the snapshot destination is on
>> a storage system that does support selinux labels. Libvirt's code in
>> that case generates a different security label for the image hosted on
>> NFS. This label is valid only for NFS images and doesn't allow access in
>> case of a locally stored image.
>>
>> To fix this issue libvirt needs to refrain from copying security
>> information in cases where the default domain seclabel is a better
>> choice.
>>
>> This patch repurposes the now unused @force argument of
>> virStorageSourceInitChainElement to denote whether a copy of the
>> security labelling stuff should be attempted or not. This allows to
>> fine-control the copy operation for cases where we need to keep the
>> label of the old disk vs. the cases where we need to keep the label
>> unset to use the default domain imagelabel.
>>
>> Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1151718
>> ---
> 
>> + * If @transferLabels is true, security labels from the existing disk are copied
>> + * to the new disk. Otherwise the default domain imagelabel label will be used.
>>   *
>>   * Returns 0 on success, -1 on error.
>>   */
>>  int
>>  virStorageSourceInitChainElement(virStorageSourcePtr newelem,
>>                                   virStorageSourcePtr old,
>> -                                 bool force)
>> +                                 bool transferLables)
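Review bot: the new parameter in the virStorageSourceInitChainElement signature is spelled transferLables, while the doc comment directly above documents @transferLabels; rename the parameter to transferLabels wherever it is declared and used so the documentation and the code agree. In the same doc comment, "default domain imagelabel label" repeats "label" and can read "default domain imagelabel". Since the commit message says this bool was the previously unused force argument, the value each existing caller passes should be checked against the new meaning, because it now decides whether the old disk's security labels are copied to the new chain element.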
> 
> Comment was right, code is not.  s/transferLables/transferLabels/
> 
> ACK with that fix.
> 

Fixed && pushed;

Thanks.

Peter
