[PATCH 3/3] qemu: Label restore path outside of secdriver transactions

Erik Skultety eskultet at redhat.com
Fri Apr 17 10:59:46 UTC 2020


On Fri, Apr 03, 2020 at 05:58:03PM +0200, Michal Privoznik wrote:
> As explained in the previous commit, we need to relabel the file
> we are restoring the domain from. That is the FD that is passed
> to QEMU. If the file is not under /dev then the file inside the
> namespace is the very same as the one in the host. And regardless
> of using transactions, the file will be relabeled. But, if the
> file is under /dev then when using transactions only the copy
> inside the namespace is relabeled and the one in the host is not.
> But QEMU is reading from the one in the host, actually.
>
> Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1772838
>
> Signed-off-by: Michal Privoznik <mprivozn at redhat.com>
> ---
...

>
>  /*
>   * virSecuritySELinuxSetFileLabels:
> @@ -3596,6 +3606,7 @@ virSecurityDriver virSecurityDriverSELinux = {
>      .getBaseLabel                       = virSecuritySELinuxGetBaseLabel,
>
>      .domainSetPathLabel                 = virSecuritySELinuxDomainSetPathLabel,
> +    .domainSetIncomingPathLabel         = virSecuritySELinuxDomainSetIncomingPathLabel,
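
Review bot: the new `.domainSetIncomingPathLabel` entry sits directly under `.domainSetPathLabel`, and nothing in these lines says how the two differ. Going by the commit message, the difference is that this callback has to relabel the host copy of the file outside a secdriver transaction. A short comment at the callback's definition (not visible in this quoted portion) stating that it must not be called inside a transaction, because only the copy inside the namespace would then be relabeled, would keep a later caller from wrapping it in one and reintroducing the bug for files under /dev.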

"HostPath" would IMO feel better than "IncomingPath" in this patch as well.

Reviewed-by: Erik Skultety <eskultet at redhat.com>



