On Fri, Jul 03, 2009 at 10:35:56AM +0100, Mark McLoughlin wrote:
> From: Daniel P. Berrange <berrange@xxxxxxxxxx>
>
> This patch was posted ages ago here:
>
> https://bugzilla.redhat.com/493692
>
> But was never posted upstream AFAICT.
>
> Signed-off-by: Mark McLoughlin <markmc@xxxxxxxxxx>
Doh, I dropped the ball on that one. ACK Daniel
> ---
> src/security_selinux.c | 27 +++++++++++++++++----------
> 1 files changed, 17 insertions(+), 10 deletions(-)
>
> diff --git a/src/security_selinux.c b/src/security_selinux.c
> index 4fb7c86..87073d2 100644
> --- a/src/security_selinux.c
> +++ b/src/security_selinux.c
> @@ -24,11 +24,12 @@
> #include "virterror_internal.h"
> #include "util.h"
> #include "memory.h"
> -
> +#include "logging.h"
>
> #define VIR_FROM_THIS VIR_FROM_SECURITY
>
> static char default_domain_context[1024];
> +static char default_content_context[1024];
> static char default_image_context[1024];
> #define SECURITY_SELINUX_VOID_DOI "0"
> #define SECURITY_SELINUX_NAME "selinux"
> @@ -148,8 +149,13 @@ SELinuxInitialize(virConnectPtr conn)
> close(fd);
>
> ptr = strchrnul(default_image_context, '\n');
> - *ptr = '\0';
> -
> + if (*ptr == '\n') {
> + *ptr = '\0';
> + strcpy(default_content_context, ptr+1);
> + ptr = strchrnul(default_content_context, '\n');
> + if (*ptr == '\n')
> + *ptr = '\0';
> + }
> return 0;
> }
>
> @@ -313,6 +319,8 @@ SELinuxSetFilecon(virConnectPtr conn, const char *path, char *tcon)
> {
> char ebuf[1024];
>
> + VIR_INFO("Setting SELinux context on '%s' to '%s'", path, tcon);
> +
> if(setfilecon(path, tcon) < 0) {
> virSecurityReportError(conn, VIR_ERR_ERROR,
> _("%s: unable to set security context "
> @@ -337,9 +345,6 @@ SELinuxRestoreSecurityImageLabel(virConnectPtr conn,
> char *newpath = NULL;
> const char *path = disk->src;
>
> - if (disk->readonly || disk->shared)
> - return 0;
> -
> if ((err = virFileResolveLink(path, &newpath)) < 0) {
> virReportSystemError(conn, err,
> _("cannot resolve symlink %s"), path);
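Review bot: In the SELinuxInitialize hunk (@@ -148), `default_content_context` stays an empty string whenever the context file has no second line, and the read-only branch added in the @@ -366 hunk then passes that empty string to `SELinuxSetFilecon()`. That call would presumably fail and take the guest start down with it on hosts whose policy file still carries a single line. Either report an error during initialisation, or have the read-only branch skip relabelling when `default_content_context[0] == '\0'`. The `strcpy()` is only bounded if `default_image_context` is NUL-terminated after the read, which happens above the hunk and is not visible here.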
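Review bot: Dropping the `disk->readonly || disk->shared` early return in SELinuxRestoreSecurityImageLabel (@@ -337) means the label of a shared or read-only image is now reset when one guest releases it, even though other running guests may still have the same file open under the label set by SELinuxSetSecurityImageLabel. If the rest of the function (outside this hunk) puts the path back to its default context, those guests could lose access mid-run. Consider keeping the guard `if (disk->readonly || disk->shared) return 0;` with a comment such as `/* other guests may still be using this image, so leave its label alone */`.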
> @@ -366,8 +371,13 @@ SELinuxSetSecurityImageLabel(virConnectPtr conn,
> {
> const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
>
> - if (secdef->imagelabel)
> + if (disk->shared) {
> + return SELinuxSetFilecon(conn, disk->src, default_image_context);
> + } else if (disk->readonly) {
> + return SELinuxSetFilecon(conn, disk->src, default_content_context);
> + } else if (secdef->imagelabel) {
> return SELinuxSetFilecon(conn, disk->src, secdef->imagelabel);
> + }
>
> return 0;
> }
> @@ -441,9 +451,6 @@ SELinuxSetSecurityLabel(virConnectPtr conn,
>
> if (secdef->imagelabel) {
> for (i = 0 ; i < vm->def->ndisks ; i++) {
> - if (vm->def->disks[i]->readonly ||
> - vm->def->disks[i]->shared) continue;
> -
> if (SELinuxSetSecurityImageLabel(conn, vm, vm->def->disks[i]) < 0)
> return -1;
> }
> --
> 1.6.2.5
> -- |: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :| |: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :| -- Libvir-list mailing list Libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list
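Review bot: The branch order in SELinuxSetSecurityImageLabel (@@ -366) silently decides what happens to a disk that is both `shared` and `readonly`: it takes the first branch and gets `default_image_context`, never `default_content_context`. If the content context is the more restrictive of the two (the names suggest so, but the policy file is not shown), that is not the least-privilege choice. Either test `disk->readonly` first, or document the precedence with a comment such as `/* shared wins over readonly: the image must stay writable for the other guests */`.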
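Review bot: The loop in SELinuxSetSecurityLabel (@@ -441) is still wrapped in `if (secdef->imagelabel)`, so with the per-disk skip removed, shared and read-only disks only receive their default contexts when the domain has an image label, while a direct call to SELinuxSetSecurityImageLabel labels them regardless. If that asymmetry is not intended, the loop should run unconditionally and leave the `imagelabel` test to the callee, which already has it as its last branch. The function starts and ends outside this hunk, so other uses of `secdef->imagelabel` in it cannot be checked from here.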