From afdaf5d3545416228caad90dcbe8809b837fedf4 Mon Sep 17 00:00:00 2001
From: "Daniel P. Berrange"
Date: Tue, 5 May 2009 13:38:26 +0000
Subject: [PATCH] Fix readonly/shared disk image labelling (rhbz #493692)
---
 libvirt-0.6.3-shared-readonly-label.patch | 76 +++++++++++++++++++++++
 libvirt.spec | 7 ++-
 2 files changed, 82 insertions(+), 1 deletion(-)
 create mode 100644 libvirt-0.6.3-shared-readonly-label.patch
diff --git a/libvirt-0.6.3-shared-readonly-label.patch b/libvirt-0.6.3-shared-readonly-label.patch
new file mode 100644
index 0000000..e962d18
--- /dev/null
+++ b/libvirt-0.6.3-shared-readonly-label.patch
@@ -0,0 +1,76 @@
+diff -rup libvirt-0.6.2/src/security_selinux.c libvirt-0.6.2.new/src/security_selinux.c
+--- libvirt-0.6.2/src/security_selinux.c 2009-04-03 15:36:56.000000000 +0100
++++ libvirt-0.6.2.new/src/security_selinux.c 2009-05-05 13:39:42.000000000 +0100
+@@ -24,11 +24,12 @@
+ #include "virterror_internal.h"
+ #include "util.h"
+ #include "memory.h"
+-
++#include "logging.h"
+ 
+ #define VIR_FROM_THIS VIR_FROM_SECURITY
+ 
+ static char default_domain_context[1024];
++static char default_content_context[1024];
+ static char default_image_context[1024];
+ #define SECURITY_SELINUX_VOID_DOI "0"
+ #define SECURITY_SELINUX_NAME "selinux"
+@@ -148,8 +149,13 @@ SELinuxInitialize(virConnectPtr conn)
+ close(fd);
+ 
+ ptr = strchrnul(default_image_context, '\n');
+- *ptr = '\0';
+-
++ if (*ptr == '\n') {
++ *ptr = '\0';
++ strcpy(default_content_context, ptr+1);
++ ptr = strchrnul(default_content_context, '\n');
++ if (*ptr == '\n')
++ *ptr = '\0';
++ }
+ return 0;
+ }
+ 
+@@ -275,6 +281,8 @@ SELinuxSetFilecon(virConnectPtr conn, co
+ {
+ char ebuf[1024];
+ 
++ VIR_INFO("Setting SELinux context on '%s' to '%s'", path, tcon);
++
+ if(setfilecon(path, tcon) < 0) {
+ virSecurityReportError(conn, VIR_ERR_ERROR,
+ _("%s: unable to set security context "
+@@ -299,6 +307,8 @@ SELinuxRestoreSecurityImageLabel(virConn
+ char *newpath = NULL;
+ const char *path = disk->src;
+ 
++ /* Don't restore labels on readoly/shared disks, because
++ * other VMs may still be accessing these */
+ if (disk->readonly || disk->shared)
+ return 0;
+ 
+@@ -328,8 +338,13 @@ SELinuxSetSecurityImageLabel(virConnectP
+ {
+ const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+ 
+- if (secdef->imagelabel)
++ if (disk->shared) {
++ return SELinuxSetFilecon(conn, disk->src, default_image_context);
++ } else if (disk->readonly) {
++ return SELinuxSetFilecon(conn, disk->src, default_content_context);
++ } else if (secdef->imagelabel) {
++ return SELinuxSetFilecon(conn, disk->src, secdef->imagelabel);
++ 
}
+ 
+ return 0;
+ }
+@@ -403,9 +418,6 @@ SELinuxSetSecurityLabel(virConnectPtr co
+ 
+ if (secdef->imagelabel) {
+ for (i = 0 ; i < vm->def->ndisks ; i++) {
+- if (vm->def->disks[i]->readonly ||
+- vm->def->disks[i]->shared) continue;
+-
+ if (SELinuxSetSecurityImageLabel(conn, vm, vm->def->disks[i]) < 0)
+ return -1;
+ }
diff --git a/libvirt.spec b/libvirt.spec
index 3ff4257..bdf3cf2 100644
--- a/libvirt.spec
+++ b/libvirt.spec
@@ -55,13 +55,14 @@ Summary: Library providing a simple API virtualization
 Name: libvirt
 Version: 0.6.3
-Release: 3%{?dist}%{?extra_release}
+Release: 4%{?dist}%{?extra_release}
 License: LGPLv2+
 Group: Development/Libraries
 Source: libvirt-%{version}.tar.gz
 # Patches cherry-picked from upstream
 # N/A
+Patch1: libvirt-0.6.3-shared-readonly-label.patch
 # Not for upstream. Temporary hack till PulseAudio autostart
 # problems are sorted out when SELinux enforcing
@@ -215,6 +216,7 @@ of recent versions of Linux (and other OSes).
 %prep
 %setup -q
+%patch1 -p1
 %patch200 -p0
@@ -545,6 +547,9 @@ fi
 %endif
 %changelog
+* Tue May 5 2009 Daniel Berrange - 0.6.3-4.fc12
+- Fix readonly/shared disk image labelling (rhbz #493692)
+
 * Tue Apr 28 2009 Daniel Veillard - 0.6.3-3.fc12
 - was also missing /usr/share/gtk-doc/html/libvirt in -devel
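Review bot: In the SELinuxInitialize part of this hunk, `default_content_context` is only filled when the first line of the context buffer ends in a newline and a second line follows; if the file holds a single line the buffer stays empty, and the new `disk->readonly` branch in SELinuxSetSecurityImageLabel then calls setfilecon() with an empty context, so every guest with a read-only disk fails to start with an error that does not say why. Fail initialisation explicitly once the parse is done, e.g. `if (!default_content_context[0]) { virSecurityReportError(conn, VIR_ERR_ERROR, "%s", _("missing SELinux content context")); return -1; }`. The `strcpy(default_content_context, ptr+1)` cannot overflow only because both buffers are 1024 bytes and the read that fills `default_image_context` (before this hunk, where SELinuxInitialize begins) NUL-terminates it, which I cannot confirm from here; a bounded `snprintf(default_content_context, sizeof(default_content_context), "%s", ptr+1)` makes the copy safe regardless. Separately, a disk that is both shared and readonly takes the `disk->shared` branch and is given `default_image_context` rather than the read-only content context, so if the content context is the more restrictive label, testing `disk->readonly` first is the least-privilege order. The comment `readoly` in SELinuxRestoreSecurityImageLabel should read `readonly`.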