[PATCHv2 1/4] Set proper selinux label on image file during qemu domain restore


 



Also restore the label to its original value after qemu is finished
with the file.

Prior to this patch, qemu domain restore did not function properly if
SELinux was in enforcing mode.
---
 src/qemu/qemu_driver.c          |    6 +++++-
 src/security/security_selinux.c |    6 +++++-
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
index 9f4e082..9140b50 100644
--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
@@ -6208,7 +6208,6 @@ error:
     return -1;
 }
 
-/* TODO: check seclabel restore */
 static int ATTRIBUTE_NONNULL(6)
 qemudDomainSaveImageStartVM(virConnectPtr conn,
                             struct qemud_driver *driver,
@@ -6320,6 +6319,11 @@ qemudDomainSaveImageStartVM(virConnectPtr conn,
     ret = 0;
 
 out:
+    if (driver->securityDriver &&
+        driver->securityDriver->domainRestoreSavedStateLabel &&
+        driver->securityDriver->domainRestoreSavedStateLabel(vm, path) == -1)
+        VIR_WARN("failed to restore save state label on %s", path);
+
     return ret;
 }
 
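Review bot: The restore call under `out:` runs on every exit path and a failure is only logged, so a saved-state image can be left carrying the label that was applied for qemu without the caller ever learning of it. The earlier part of qemudDomainSaveImageStartVM is outside the hunk, so it is not visible whether some paths reach `out:` before the image was relabelled at all; that is worth confirming. To make the warning actionable, name the domain in it, e.g. `VIR_WARN("failed to restore save state label on %s for domain %s", path, vm->def->name);`. A comment above the block such as `/* best effort: the guest may already be running, so a relabel failure must not fail the restore */` would record why `ret` is deliberately left untouched.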
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index 2b43f2d..a16ede9 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -859,7 +859,7 @@ SELinuxClearSecuritySocketLabel(virSecurityDriverPtr drv,
 }
 
 static int
-SELinuxSetSecurityAllLabel(virDomainObjPtr vm, const char *stdin_path ATTRIBUTE_UNUSED)
+SELinuxSetSecurityAllLabel(virDomainObjPtr vm, const char *stdin_path)
 {
     const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
     int i;
@@ -890,6 +890,10 @@ SELinuxSetSecurityAllLabel(virDomainObjPtr vm, const char *stdin_path ATTRIBUTE_
         SELinuxSetFilecon(vm->def->os.initrd, default_content_context) < 0)
         return -1;
 
+    if (stdin_path &&
+        SELinuxSetFilecon(stdin_path, default_content_context) < 0)
+        return -1;
+
     return 0;
 }
 
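Review bot: The save image at `stdin_path` is relabelled with `default_content_context`, the same context the context line just above applies to `vm->def->os.initrd`, rather than with a label specific to this domain. A saved-state file holds the guest's memory, so if that context is readable by other confined guests (not visible on this page, please confirm against the policy), the image is exposed to them for the duration of the restore, and for longer if the later label restore fails. If qemu only needs read access from this one domain, consider a per-domain label instead, for example `SELinuxSetFilecon(stdin_path, secdef->imagelabel)`. Otherwise add a comment stating why the shared content context is acceptable for this file. The middle of SELinuxSetSecurityAllLabel lies outside the hunk.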
-- 
1.7.1

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list

