security: selinux: handle qcow2 data-file on image label set/restore
Signed-off-by: Nikolai Barybin <nikolai.barybin@virtuozzo.com> Reviewed-by: Peter Krempa <pkrempa@redhat.com>
parent
724a4c6dc4
commit
8fcc6c8025
@ -1934,8 +1934,16 @@ virSecuritySELinuxRestoreImageLabel(virSecurityManager *mgr,
|
|||||||
virStorageSource *src,
|
virStorageSource *src,
|
||||||
virSecurityDomainImageLabelFlags flags G_GNUC_UNUSED)
|
virSecurityDomainImageLabelFlags flags G_GNUC_UNUSED)
|
||||||
{
|
{
|
||||||
return virSecuritySELinuxRestoreImageLabelInt(mgr, sharedFilesystems,
|
if (virSecuritySELinuxRestoreImageLabelInt(mgr, sharedFilesystems,
|
||||||
def, src, false);
|
def, src, false) < 0)
|
||||||
|
return -1;
|
||||||
|
|
||||||
|
if (src->dataFileStore &&
|
||||||
|
virSecuritySELinuxRestoreImageLabelInt(mgr, sharedFilesystems,
|
||||||
|
def, src->dataFileStore, false) < 0)
|
||||||
|
return -1;
|
||||||
|
|
||||||
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
@ -1997,7 +2005,7 @@ virSecuritySELinuxSetImageLabelInternal(virSecurityManager *mgr,
|
|||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
use_label = parent_seclabel->label;
|
use_label = parent_seclabel->label;
|
||||||
} else if (parent == src) {
|
} else if (parent == src || parent->dataFileStore == src) {
|
||||||
if (src->shared) {
|
if (src->shared) {
|
||||||
use_label = data->file_context;
|
use_label = data->file_context;
|
||||||
} else if (src->readonly) {
|
} else if (src->readonly) {
|
||||||
@ -2067,6 +2075,14 @@ virSecuritySELinuxSetImageLabel(virSecurityManager *mgr,
|
|||||||
isChainTop) < 0)
|
isChainTop) < 0)
|
||||||
return -1;
|
return -1;
|
||||||
|
|
||||||
|
/* Unlike backing images, data files are not designed to be shared by
|
||||||
|
* anyone. Thus, we always consider them as chain top. */
|
||||||
|
if (n->dataFileStore &&
|
||||||
|
virSecuritySELinuxSetImageLabelInternal(mgr, sharedFilesystems,
|
||||||
|
def, n->dataFileStore, parent,
|
||||||
|
true) < 0)
|
||||||
|
return -1;
|
||||||
|
|
||||||
if (!(flags & VIR_SECURITY_DOMAIN_IMAGE_LABEL_BACKING_CHAIN))
|
if (!(flags & VIR_SECURITY_DOMAIN_IMAGE_LABEL_BACKING_CHAIN))
|
||||||
break;
|
break;
|
||||||
|
|
||||||
@ -2929,6 +2945,13 @@ virSecuritySELinuxRestoreAllLabel(virSecurityManager *mgr,
|
|||||||
def, disk->src,
|
def, disk->src,
|
||||||
migrated) < 0)
|
migrated) < 0)
|
||||||
rc = -1;
|
rc = -1;
|
||||||
|
|
||||||
|
if (disk->src->dataFileStore &&
|
||||||
|
virSecuritySELinuxRestoreImageLabelInt(mgr, sharedFilesystems,
|
||||||
|
def, disk->src->dataFileStore,
|
||||||
|
migrated) < 0)
|
||||||
|
rc = -1;
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
for (i = 0; i < def->nhostdevs; i++) {
|
for (i = 0; i < def->nhostdevs; i++) {
|
||||||
|
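Review bot: In virSecuritySELinuxRestoreImageLabel the new early `return -1` after the first virSecuritySELinuxRestoreImageLabelInt call means that a failure to restore the main image skips the data file entirely, so the data file can be left carrying the label that was set for the domain. The virSecuritySELinuxRestoreAllLabel hunk on this page does the opposite: it records `rc = -1` and still attempts the data file, which is the safer shape for a restore path. I would make the two consistent by using `int rc = virSecuritySELinuxRestoreImageLabelInt(mgr, sharedFilesystems, def, src, false);`, then `if (src->dataFileStore && virSecuritySELinuxRestoreImageLabelInt(mgr, sharedFilesystems, def, src->dataFileStore, false) < 0) rc = -1;`, then `return rc;`. A short comment there saying that restore is best-effort and that both files are always attempted would stop a later cleanup from reintroducing the early return.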