mirror of
https://gitlab.com/libvirt/libvirt.git
synced 2024-10-30 01:43:23 +00:00
Re-label shared and readonly images
This patch was posted ages ago here: https://bugzilla.redhat.com/493692 But was never posted upstream AFAICT. Patch from Dan Berrange Signed-off-by: Mark McLoughlin <markmc@redhat.com>
This commit is contained in:
parent
1e4434d652
commit
547147084d
@ -1,3 +1,9 @@
|
|||||||
|
Thu Jul 3 11:24:44 GMT 2009 Mark McLoughlin <markmc@redhat.com>
|
||||||
|
|
||||||
|
Patch from Dan Berrange in https://bugzilla.redhat.com/493692
|
||||||
|
|
||||||
|
* src/security_selinux.c: Re-label shared and readonly images
|
||||||
|
|
||||||
Thu Jul 2 15:58:09 CEST 2009 Daniel Veillard <veillard@redhat.com>
|
Thu Jul 2 15:58:09 CEST 2009 Daniel Veillard <veillard@redhat.com>
|
||||||
|
|
||||||
* docs/schemas/network.rng: fix the network schemas to match
|
* docs/schemas/network.rng: fix the network schemas to match
|
||||||
|
@ -24,11 +24,12 @@
|
|||||||
#include "virterror_internal.h"
|
#include "virterror_internal.h"
|
||||||
#include "util.h"
|
#include "util.h"
|
||||||
#include "memory.h"
|
#include "memory.h"
|
||||||
|
#include "logging.h"
|
||||||
|
|
||||||
#define VIR_FROM_THIS VIR_FROM_SECURITY
|
#define VIR_FROM_THIS VIR_FROM_SECURITY
|
||||||
|
|
||||||
static char default_domain_context[1024];
|
static char default_domain_context[1024];
|
||||||
|
static char default_content_context[1024];
|
||||||
static char default_image_context[1024];
|
static char default_image_context[1024];
|
||||||
#define SECURITY_SELINUX_VOID_DOI "0"
|
#define SECURITY_SELINUX_VOID_DOI "0"
|
||||||
#define SECURITY_SELINUX_NAME "selinux"
|
#define SECURITY_SELINUX_NAME "selinux"
|
||||||
@ -148,8 +149,13 @@ SELinuxInitialize(virConnectPtr conn)
|
|||||||
close(fd);
|
close(fd);
|
||||||
|
|
||||||
ptr = strchrnul(default_image_context, '\n');
|
ptr = strchrnul(default_image_context, '\n');
|
||||||
*ptr = '\0';
|
if (*ptr == '\n') {
|
||||||
|
*ptr = '\0';
|
||||||
|
strcpy(default_content_context, ptr+1);
|
||||||
|
ptr = strchrnul(default_content_context, '\n');
|
||||||
|
if (*ptr == '\n')
|
||||||
|
*ptr = '\0';
|
||||||
|
}
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -313,6 +319,8 @@ SELinuxSetFilecon(virConnectPtr conn, const char *path, char *tcon)
|
|||||||
{
|
{
|
||||||
char ebuf[1024];
|
char ebuf[1024];
|
||||||
|
|
||||||
|
VIR_INFO("Setting SELinux context on '%s' to '%s'", path, tcon);
|
||||||
|
|
||||||
if(setfilecon(path, tcon) < 0) {
|
if(setfilecon(path, tcon) < 0) {
|
||||||
virSecurityReportError(conn, VIR_ERR_ERROR,
|
virSecurityReportError(conn, VIR_ERR_ERROR,
|
||||||
_("%s: unable to set security context "
|
_("%s: unable to set security context "
|
||||||
@ -337,9 +345,6 @@ SELinuxRestoreSecurityImageLabel(virConnectPtr conn,
|
|||||||
char *newpath = NULL;
|
char *newpath = NULL;
|
||||||
const char *path = disk->src;
|
const char *path = disk->src;
|
||||||
|
|
||||||
if (disk->readonly || disk->shared)
|
|
||||||
return 0;
|
|
||||||
|
|
||||||
if ((err = virFileResolveLink(path, &newpath)) < 0) {
|
if ((err = virFileResolveLink(path, &newpath)) < 0) {
|
||||||
virReportSystemError(conn, err,
|
virReportSystemError(conn, err,
|
||||||
_("cannot resolve symlink %s"), path);
|
_("cannot resolve symlink %s"), path);
|
||||||
@ -366,8 +371,13 @@ SELinuxSetSecurityImageLabel(virConnectPtr conn,
|
|||||||
{
|
{
|
||||||
const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
|
const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
|
||||||
|
|
||||||
if (secdef->imagelabel)
|
if (disk->shared) {
|
||||||
|
return SELinuxSetFilecon(conn, disk->src, default_image_context);
|
||||||
|
} else if (disk->readonly) {
|
||||||
|
return SELinuxSetFilecon(conn, disk->src, default_content_context);
|
||||||
|
} else if (secdef->imagelabel) {
|
||||||
return SELinuxSetFilecon(conn, disk->src, secdef->imagelabel);
|
return SELinuxSetFilecon(conn, disk->src, secdef->imagelabel);
|
||||||
|
}
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
@ -441,9 +451,6 @@ SELinuxSetSecurityLabel(virConnectPtr conn,
|
|||||||
|
|
||||||
if (secdef->imagelabel) {
|
if (secdef->imagelabel) {
|
||||||
for (i = 0 ; i < vm->def->ndisks ; i++) {
|
for (i = 0 ; i < vm->def->ndisks ; i++) {
|
||||||
if (vm->def->disks[i]->readonly ||
|
|
||||||
vm->def->disks[i]->shared) continue;
|
|
||||||
|
|
||||||
if (SELinuxSetSecurityImageLabel(conn, vm, vm->def->disks[i]) < 0)
|
if (SELinuxSetSecurityImageLabel(conn, vm, vm->def->disks[i]) < 0)
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user