[libvirt] [PATCH] storage: qemu: Fix security labelling of new image chain elements
Peter Krempa
pkrempa at redhat.com
Fri Nov 21 08:31:12 UTC 2014
On 11/21/14 00:15, Eric Blake wrote:
> On 11/20/2014 08:23 AM, Peter Krempa wrote:
>> When creating a disk image snapshot the libvirt code would blindly copy
>> the parent's label to the newly created image. This runs into problems
>> when you start a VM from an image hosted on NFS (or other storage system
>> that doesn't support selinux labels) and the snapshot destination is on
>> a storage system that does support selinux labels. Libvirt's code in
>> that case generates a different security label for the image hosted on
>> NFS. This label is valid only for NFS images and doesn't allow access in
>> case of a locally stored image.
>>
>> To fix this issue libvirt needs to refrain from copying security
>> information in cases where the default domain seclabel is a better
>> choice.
>>
>> This patch repurposes the now unused @force argument of
>> virStorageSourceInitChainElement to denote whether a copy of the
>> security labelling stuff should be attempted or not. This allows
>> fine control of the copy operation for cases where we need to keep the
>> label of the old disk vs. the cases where we need to keep the label
>> unset to use the default domain imagelabel.
>>
>> Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1151718
>> ---
>
>> + * If @transferLabels is true, security labels from the existing disk are copied
>> + * to the new disk. Otherwise the default domain imagelabel label will be used.
>> *
>> * Returns 0 on success, -1 on error.
>> */
>> int
>> virStorageSourceInitChainElement(virStorageSourcePtr newelem,
>> virStorageSourcePtr old,
>> - bool force)
>> + bool transferLables)
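Review bot: The last parameter of virStorageSourceInitChainElement keeps its position and type while its meaning changes from `force` to label transfer, so any caller not touched by this patch still compiles and silently switches between copying the old disk's labels and falling back to the default domain imagelabel. Each call site should be updated explicitly in the same patch, with the chosen true/false justified per caller. The new parameter is also spelled `transferLables` in the signature while the doc comment documents `@transferLabels`, and the comment's "default domain imagelabel label" repeats "label".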
>
> Comment was right, code is not. s/transferLables/transferLabels/
>
> ACK with that fix.
>
Fixed && pushed;
Thanks.
Peter