mirror of
https://gitlab.com/libvirt/libvirt.git
synced 2025-01-11 07:17:44 +00:00
qemu: fix regression with fd labeling on migration
My earlier testing for commit 34fa0de0 was done while starting
just-built libvirt from an unconfined_t shell, where the fds happened
to work when transferring to qemu. But when installed and run under
virtd_t, failure to label the raw file (with no compression) or the
pipe (with compression) triggers SELinux failures when passing fds
over SCM_RIGHTS to svirt_t qemu.
* src/qemu/qemu_migration.c (qemuMigrationToFile): When passing
FDs, make sure they are labeled.
parent
285e8a1769
commit
daa6aa687a
@ -1304,8 +1304,12 @@ qemuMigrationToFile(struct qemud_driver *driver, virDomainObjPtr vm,
|
||||
if (qemuCaps && qemuCapsGet(qemuCaps, QEMU_CAPS_MIGRATE_QEMU_FD) &&
|
||||
(!compressor || pipe(pipeFD) == 0)) {
|
||||
/* All right! We can use fd migration, which means that qemu
|
||||
* doesn't have to open() the file, so we don't have to futz
|
||||
* around with granting access or revoking it later. */
|
||||
* doesn't have to open() the file, so while we still have to
|
||||
* grant SELinux access, we can do it on fd and avoid cleanup
|
||||
* later, as well as skip futzing with cgroup. */
|
||||
if (virSecurityManagerSetFDLabel(driver->securityManager, vm,
|
||||
compressor ? pipeFD[1] : fd) < 0)
|
||||
goto cleanup;
|
||||
is_reg = true;
|
||||
bypassSecurityDriver = true;
|
||||
} else {
|
||||
|
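Review bot: The new `goto cleanup` after a failed `virSecurityManagerSetFDLabel()` is only reached once the enclosing condition has passed, which in the compressor case means `pipe(pipeFD) == 0` has already created both pipe ends. The cleanup path is not visible in this hunk, so please confirm it closes `pipeFD[0]` and `pipeFD[1]` on this new error exit. Separately, `bypassSecurityDriver = true` is still set immediately after the security manager has been used to label the fd. A short comment stating what the flag still bypasses, in line with the updated "we can do it on fd and avoid cleanup later" wording, would keep the name from misleading later readers.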