[PATCHv2 0/4] Fix domain restore problems when selinux is enforcing

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Changes from V1:

1) Don't set context label of kernel *or* image file, set the context
   label of both.

2) Add a patch to enhance virStorageFileIsSharedFS to behave similarly to
   the ill-fated virFileIsOnNetworkShare.

3) Use virStorageFileIsSharedFS instead of virStorageFileIsSharedFS.

Prior to this patch series, restoring a domain with selinux set to
enforcing would fail, because the function that sets the label on the
file to allow qemu to read it did not have the name of the file (see
the comments in the individual patches). A patch from Jamie Stranboge
(2b57478ef0a0a983cc6a47b98300c8359f9708d0) added the filename to the
args passed down into the security driver; the first patch of this
series takes advantage of that to properly set the label.

Patches 2 - 4 solve a problem with restoring a domain from an NFS
share - in this case the selinux functions will fail (as will
functions trying to set the uid of the file, if it is a root-squashed
share). The solution to this is just ignore the failure. If the
security driver fails to set the label, and virStorageFileIsSharedFS()
tells us that the file is on a network-shared FS, we ignore the
failure, otherwise we behave as before.

qemudDomainSaveFlag previously had a bit of code that detected if a
particular path was on an NFS share; this code was replaced with a
call to virStorageFileIsSharedFS, which is now functionally equivalent
(better, even, since it detects a few other types of network
filesystems).

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list


[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]