Re: [PATCH] Follow up fix of commit a58e1cb4

On Fri, Feb 06, 2015 at 02:28:15PM +0100, Cédric Bosdonnat wrote:
> commit a58e1cb4 didn't fix the bug if the security_default_confined is
> not set to 1. We now clean up even if there is no seclabel defined or
> the default one.
> ---
>  src/lxc/lxc_process.c | 8 +++++++-
>  1 file changed, 7 insertions(+), 1 deletion(-)
> 

The commit summary is too vague, it would look better to me
describing what the commit does, e.g.:
Clear dynamic seclabels on LXCProcessStart failure

ACK if you use a more specific commit summary.

Jan

> diff --git a/src/lxc/lxc_process.c b/src/lxc/lxc_process.c
> index b385423..19ea7f3 100644
> --- a/src/lxc/lxc_process.c
> +++ b/src/lxc/lxc_process.c
> @@ -1022,6 +1022,7 @@ int virLXCProcessStart(virConnectPtr conn,
>      virCgroupPtr selfcgroup;
>      int status;
>      char *pidfile = NULL;
> +    bool clearSeclabel = false;
>  
>      if (virCgroupNewSelf(&selfcgroup) < 0)
>          return -1;
> @@ -1126,6 +1127,10 @@ int virLXCProcessStart(virConnectPtr conn,
>      /* If you are using a SecurityDriver with dynamic labelling,
>         then generate a security label for isolation */
>      VIR_DEBUG("Generating domain security label (if required)");
> +
> +    clearSeclabel = vm->def->nseclabels == 0 ||
> +                    vm->def->seclabels[0]->type == VIR_DOMAIN_SECLABEL_DEFAULT;
> +
>      if (vm->def->nseclabels &&
>          vm->def->seclabels[0]->type == VIR_DOMAIN_SECLABEL_DEFAULT)
>          vm->def->seclabels[0]->type = VIR_DOMAIN_SECLABEL_NONE;
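
Review bot: the new `clearSeclabel` assignment repeats the `seclabels[0]->type == VIR_DOMAIN_SECLABEL_DEFAULT` test that the `if` directly below performs, and nothing explains why the value has to be captured at this point. The next statement rewrites the type to VIR_DOMAIN_SECLABEL_NONE, so the ordering is load-bearing; a one-line comment saying that this records the state before label generation (no seclabel defined, or the default one) would keep a later reorder from silently disabling the cleanup.
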
> @@ -1387,7 +1392,8 @@ int virLXCProcessStart(virConnectPtr conn,
>          virSecurityManagerReleaseLabel(driver->securityManager, vm->def);
>          /* Clear out dynamically assigned labels */
>          if (vm->def->nseclabels &&
> -            vm->def->seclabels[0]->type == VIR_DOMAIN_SECLABEL_DYNAMIC) {
> +            (vm->def->seclabels[0]->type == VIR_DOMAIN_SECLABEL_DYNAMIC ||
> +            clearSeclabel)) {
>              VIR_FREE(vm->def->seclabels[0]->model);
>              VIR_FREE(vm->def->seclabels[0]->label);
>              VIR_FREE(vm->def->seclabels[0]->imagelabel);
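
Review bot: in the cleanup condition, `clearSeclabel` may be true because `nseclabels` was 0 when it was sampled, but the outer `vm->def->nseclabels &&` guard is evaluated at cleanup time, so that case is only handled if a seclabel has been added in between; a comment stating that dependency would help. The visible lines free only model, label and imagelabel, so for the case where the type was switched from DEFAULT to NONE earlier it is worth checking that the type is restored as well. Style: the continuation line `clearSeclabel)) {` should be indented one more column so it sits inside the opening parenthesis.
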
> -- 
> 2.1.4
> 
> --
> libvir-list mailing list
> libvir-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/libvir-list
