101 lines
3.0 KiB
Diff
101 lines
3.0 KiB
Diff
From 36cf92efa2b22f275bdc56411d9704e530cdb3fa Mon Sep 17 00:00:00 2001
|
|
From: Mark McLoughlin <markmc@redhat.com>
|
|
Date: Fri, 3 Jul 2009 10:26:37 +0000
|
|
Subject: [PATCH] Re-label shared and readonly images
|
|
|
|
This patch was posted ages ago here:
|
|
|
|
https://bugzilla.redhat.com/493692
|
|
|
|
But was never posted upstream AFAICT.
|
|
|
|
Patch from Dan Berrange
|
|
|
|
(cherry picked from commit 547147084d03ebf30d09d242a5a721a4df664ffe)
|
|
|
|
Fedora-patch: libvirt-0.6.2-shared-readonly-label.patch
|
|
---
|
|
src/security_selinux.c | 26 +++++++++++++++++++-------
|
|
1 files changed, 19 insertions(+), 7 deletions(-)
|
|
|
|
diff --git a/src/security_selinux.c b/src/security_selinux.c
|
|
index ac317d7..95fa0a6 100644
|
|
--- a/src/security_selinux.c
|
|
+++ b/src/security_selinux.c
|
|
@@ -24,11 +24,12 @@
|
|
#include "virterror_internal.h"
|
|
#include "util.h"
|
|
#include "memory.h"
|
|
-
|
|
+#include "logging.h"
|
|
|
|
#define VIR_FROM_THIS VIR_FROM_SECURITY
|
|
|
|
static char default_domain_context[1024];
|
|
+static char default_content_context[1024];
|
|
static char default_image_context[1024];
|
|
#define SECURITY_SELINUX_VOID_DOI "0"
|
|
#define SECURITY_SELINUX_NAME "selinux"
|
|
@@ -148,8 +149,13 @@ SELinuxInitialize(virConnectPtr conn)
|
|
close(fd);
|
|
|
|
ptr = strchrnul(default_image_context, '\n');
|
|
- *ptr = '\0';
|
|
-
|
|
+ if (*ptr == '\n') {
|
|
+ *ptr = '\0';
|
|
+ strcpy(default_content_context, ptr+1);
|
|
+ ptr = strchrnul(default_content_context, '\n');
|
|
+ if (*ptr == '\n')
|
|
+ *ptr = '\0';
|
|
+ }
|
|
return 0;
|
|
}
|
|
|
|
@@ -275,6 +281,8 @@ SELinuxSetFilecon(virConnectPtr conn, const char *path, char *tcon)
|
|
{
|
|
char ebuf[1024];
|
|
|
|
+ VIR_INFO("Setting SELinux context on '%s' to '%s'", path, tcon);
|
|
+
|
|
if(setfilecon(path, tcon) < 0) {
|
|
virSecurityReportError(conn, VIR_ERR_ERROR,
|
|
_("%s: unable to set security context "
|
|
@@ -299,6 +307,8 @@ SELinuxRestoreSecurityImageLabel(virConnectPtr conn,
|
|
char *newpath = NULL;
|
|
const char *path = disk->src;
|
|
|
|
+ /* Don't restore labels on readoly/shared disks, because
|
|
+ * other VMs may still be accessing these */
|
|
if (disk->readonly || disk->shared)
|
|
return 0;
|
|
|
|
@@ -328,8 +338,13 @@ SELinuxSetSecurityImageLabel(virConnectPtr conn,
|
|
{
|
|
const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
|
|
|
|
- if (secdef->imagelabel)
|
|
+ if (disk->shared) {
|
|
+ return SELinuxSetFilecon(conn, disk->src, default_image_context);
|
|
+ } else if (disk->readonly) {
|
|
+ return SELinuxSetFilecon(conn, disk->src, default_content_context);
|
|
+ } else if (secdef->imagelabel) {
|
|
return SELinuxSetFilecon(conn, disk->src, secdef->imagelabel);
|
|
+ }
|
|
|
|
return 0;
|
|
}
|
|
@@ -403,9 +418,6 @@ SELinuxSetSecurityLabel(virConnectPtr conn,
|
|
|
|
if (secdef->imagelabel) {
|
|
for (i = 0 ; i < vm->def->ndisks ; i++) {
|
|
- if (vm->def->disks[i]->readonly ||
|
|
- vm->def->disks[i]->shared) continue;
|
|
-
|
|
if (SELinuxSetSecurityImageLabel(conn, vm, vm->def->disks[i]) < 0)
|
|
return -1;
|
|
}
|
|
--
|
|
1.6.2.5
|
|
|