From e6b8bc812af254f2ec6321b3cb7e9210b519deb0 Mon Sep 17 00:00:00 2001
From: Eric Blake <eblake@redhat.com>
Date: Mon, 29 Aug 2011 17:31:42 -0600
Subject: [PATCH] qemu: properly label outgoing pipe for tunneled migration

Commit 3261761 made it possible to use pipes instead of sockets
for outgoing tunneled migration; however, it caused a regression
because the pipe was never given a SELinux label.

* src/qemu/qemu_migration.c (doTunnelMigrate): Label outgoing pipe.
---
 src/qemu/qemu_migration.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/src/qemu/qemu_migration.c b/src/qemu/qemu_migration.c
index a2dc97cc37..38b05a9bff 100644
--- a/src/qemu/qemu_migration.c
+++ b/src/qemu/qemu_migration.c
@@ -24,6 +24,7 @@
 #include <sys/time.h>
 #include <gnutls/gnutls.h>
 #include <gnutls/x509.h>
+#include <fcntl.h>
 
 #include "qemu_migration.h"
 #include "qemu_monitor.h"
@@ -1691,13 +1692,13 @@ static int doTunnelMigrate(struct qemud_driver *driver,
         spec.dest.fd.qemu = -1;
         spec.dest.fd.local = -1;
 
-        if (pipe(fds) == 0) {
+        if (pipe2(fds, O_CLOEXEC) == 0) {
             spec.dest.fd.qemu = fds[1];
             spec.dest.fd.local = fds[0];
         }
         if (spec.dest.fd.qemu == -1 ||
-            virSetCloseExec(spec.dest.fd.qemu) < 0 ||
-            virSetCloseExec(spec.dest.fd.local) < 0) {
+            virSecurityManagerSetImageFDLabel(driver->securityManager, vm,
+                                              spec.dest.fd.qemu) < 0) {
             virReportSystemError(errno, "%s",
                         _("cannot create pipe for tunnelled migration"));
             goto cleanup;