Normally when a child process is started by libvirt, the SELinux label of that process is set to virtd_t (plus an MCS range). In at least one case (passt) we need for the SELinux label of a child process label to match the label that the binary would have transitioned to automatically if it had been run standalone (in the case of passt, that label is passt_t). This patch modifies virSecuritySELinuxSetChildProcessLabel() (and all the functions above it in the call chain) so that the toplevel function can set a new argument "useBinarySpecificLabel" to true. If it is true, then virSecuritySELinuxSetChildProcessLabel() will call the new function virSecuritySELinuxContextSetFromFile(), which uses the selinux library function security_compute_create() to determine what would be the label of the new process if it had been run standalone (rather than being run by libvirt) - the MCS range from the normally-used label is added to this newly derived label, and that is what is used for the new process rather than whatever is in the domain's security label (which will usually be virtd_t). In order to easily verify that nothing was broken by these changes to the call chain, all callers currently set useBinarySpecificPath = false, so all behavior should be completely unchanged. (The next patch will set it to true only for the case of running passt.) https://bugzilla.redhat.com/2172267 Signed-off-by: Laine Stump <laine@redhat.com> Reviewed-by: Andrea Bolognani <abologna@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Libvirt API for virtualization
Libvirt provides a portable, long term stable C API for managing the virtualization technologies provided by many operating systems. It includes support for QEMU, KVM, Xen, LXC, bhyve, Virtuozzo, VMware vCenter and ESX, VMware Desktop, Hyper-V, VirtualBox and the POWER Hypervisor.
For some of these hypervisors, it provides a stateful management daemon which runs on the virtualization host allowing access to the API both by non-privileged local users and remote users.
Layered packages provide bindings of the libvirt C API into other languages including Python, Perl, PHP, Go, Java, OCaml, as well as mappings into object systems such as GObject, CIM and SNMP.
Further information about the libvirt project can be found on the website:
License
The libvirt C API is distributed under the terms of GNU Lesser
General Public License, version 2.1 (or later). Some parts of the code
that are not part of the C library may have the more restrictive GNU
General Public License, version 2.0 (or later). See the files
COPYING.LESSER
and COPYING
for full license
terms & conditions.
Installation
Instructions on building and installing libvirt can be found on the website:
https://libvirt.org/compiling.html
Contributing
The libvirt project welcomes contributions in many ways. For most components the best way to contribute is to send patches to the primary development mailing list. Further guidance on this can be found on the website:
https://libvirt.org/contribute.html
Contact
The libvirt project has two primary mailing lists:
- libvirt-users@redhat.com (for user discussions)
- libvir-list@redhat.com (for development only)
Further details on contacting the project are available on the website: