Re: [libvirt] [PATCH] security: Set permissions for kernel/initrd

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, Mar 12, 2010 at 02:01:44PM -0500, Cole Robinson wrote:
> Fixes URL installs when running virt-install as root on Fedora.
> 
> Signed-off-by: Cole Robinson <crobinso@xxxxxxxxxx>
> ---
>  src/qemu/qemu_security_dac.c    |   21 +++++++++++++++++++++
>  src/security/security_selinux.c |   16 ++++++++++++++++
>  2 files changed, 37 insertions(+), 0 deletions(-)
> 
> diff --git a/src/qemu/qemu_security_dac.c b/src/qemu/qemu_security_dac.c
> index 6911f48..1883fbe 100644
> --- a/src/qemu/qemu_security_dac.c
> +++ b/src/qemu/qemu_security_dac.c
> @@ -332,6 +332,15 @@ qemuSecurityDACRestoreSecurityAllLabel(virDomainObjPtr vm)
>                                                       vm->def->disks[i]) < 0)
>              rc = -1;
>      }
> +
> +    if (vm->def->os.kernel &&
> +        qemuSecurityDACRestoreSecurityFileLabel(vm->def->os.kernel) < 0)
> +        rc = -1;
> +
> +    if (vm->def->os.initrd &&
> +        qemuSecurityDACRestoreSecurityFileLabel(vm->def->os.initrd) < 0)
> +        rc = -1;
> +
>      return rc;
>  }
>  
> @@ -356,6 +365,18 @@ qemuSecurityDACSetSecurityAllLabel(virDomainObjPtr vm)
>              return -1;
>      }
>  
> +    if (vm->def->os.kernel &&
> +        qemuSecurityDACSetOwnership(vm->def->os.kernel,
> +                                    driver->user,
> +                                    driver->group) < 0)
> +        return -1;
> +
> +    if (vm->def->os.initrd &&
> +        qemuSecurityDACSetOwnership(vm->def->os.initrd,
> +                                    driver->user,
> +                                    driver->group) < 0)
> +        return -1;
> +
>      return 0;
>  }
>  
> diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
> index b2c8581..975b315 100644
> --- a/src/security/security_selinux.c
> +++ b/src/security/security_selinux.c
> @@ -616,6 +616,14 @@ SELinuxRestoreSecurityAllLabel(virDomainObjPtr vm)
>              rc = -1;
>      }
>  
> +    if (vm->def->os.kernel &&
> +        SELinuxRestoreSecurityFileLabel(vm->def->os.kernel) < 0)
> +        rc = -1;
> +
> +    if (vm->def->os.initrd &&
> +        SELinuxRestoreSecurityFileLabel(vm->def->os.initrd) < 0)
> +        rc = -1;
> +
>      return rc;
>  }
>  
> @@ -736,6 +744,14 @@ SELinuxSetSecurityAllLabel(virDomainObjPtr vm)
>              return -1;
>      }
>  
> +    if (vm->def->os.kernel &&
> +        SELinuxSetFilecon(vm->def->os.kernel, default_content_context) < 0)
> +        return -1;
> +
> +    if (vm->def->os.initrd &&
> +        SELinuxSetFilecon(vm->def->os.initrd, default_content_context) < 0)
> +        return -1;
> +
>      return 0;
>  }
>  

ACK

NB, the restore step will almost certainly fail in the common case of
virt-manager/virt-install since the files  are unlinked. We treat
restore as non-fatal though, so shouldn't cause any serious problems


Daniel
--
|: Red Hat, Engineering, London    -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://deltacloud.org :|
|: http://autobuild.org        -o-         http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-   F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list

[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]