So, you may be familiar with this already. Well, I tried to get these patches in like a year ago (or even more). Point is, these ones are new, written from scratch. However, still based on the idea that virtlockd will keep track of the original seclabels. So far only the DAC driver is fixed, but the infrastructure I'm proposing here is easily extensible to other drivers too.

Even if there's some disagreement on the design, the first few patches fix some bugs, so they should make it in.

Michal Privoznik (23):
  virtlockd: Don't SIGSEGV on SIGUSR1
  security_dac: Fix TODO marks
  virSecurityDACSetOwnershipInternal: Don't chown so often
  security_dac: Introduce remember/recall stubs
  virSecurityDACSetOwnership: Pass virSecurityDACDataPtr
  virSecurityDACRestoreSecurityFileLabel: Pass virSecurityDACDataPtr
  security_dac: Limit usage of virSecurityDACSetOwnershipInternal
  security_dac: Plug in remember/recall APIs
  lock_protocol: Add two new remote procedures
  lock_daemon: Switch to wrapper locking functions
  locking: Introduce virSeclabelSpace
  virtlockd: Work virSeclabelSpace in
  virLockDriver: Introduce virLockDriverRemember and virLockDriverRecall
  lock_driver_nop: Implement remember and recall APIs
  lock_driver_lockd: Implement remember and recall APIs
  lock_manager: Implement remember & recall APIs
  locking: Favour enum type over int
  lock_driver: Introduce VIR_LOCK_MANAGER_OBJECT_TYPE_SECLABEL
  virSecurityManagerNewDAC: Pass locking plugin in
  security_dac: Remember security labels
  security_dac: Restore original owner more often
  security: Introduce virSecurityManagerDomainRestoreDirLabel
  qemuProcessStop: Restore seclabels on dirs too

 cfg.mk                              |   2 +-
 po/POTFILES.in                      |   1 +
 src/Makefile.am                     |   3 +
 src/libvirt_private.syms            |   3 +
 src/lock_protocol-structs           |  15 +
 src/locking/lock_daemon.c           |  69 ++++-
 src/locking/lock_daemon.h           |   8 +
 src/locking/lock_daemon_dispatch.c  |  68 +++++
 src/locking/lock_daemon_seclabels.c | 545 ++++++++++++++++++++++++++++++++++++
 src/locking/lock_daemon_seclabels.h |  43 +++
 src/locking/lock_driver.h           |  42 ++-
 src/locking/lock_driver_lockd.c     | 103 ++++++-
 src/locking/lock_driver_nop.c       |  28 +-
 src/locking/lock_driver_sanlock.c   |   4 +-
 src/locking/lock_manager.c          |  36 ++-
 src/locking/lock_manager.h          |  13 +-
 src/locking/lock_protocol.x         |  29 +-
 src/qemu/qemu_driver.c              |   3 +-
 src/qemu/qemu_process.c             |  22 +-
 src/security/security_dac.c         | 288 +++++++++++++++----
 src/security/security_dac.h         |   2 +
 src/security/security_driver.h      |   5 +-
 src/security/security_manager.c     |  20 +-
 src/security/security_manager.h     |   7 +-
 src/security/security_selinux.c     |  16 ++
 src/security/security_stack.c       |  20 ++
 26 files changed, 1310 insertions(+), 85 deletions(-)
 create mode 100644 src/locking/lock_daemon_seclabels.c
 create mode 100644 src/locking/lock_daemon_seclabels.h

--
2.4.9