On Thu, Nov 18, 2010 at 03:37:07PM +0000, Daniel P. Berrange wrote: > On Thu, Nov 18, 2010 at 04:26:55PM +0100, Daniel Veillard wrote: > > The code in SELinuxRestoreSecurityChardevLabel() was trying to > > use SELinuxSetFilecon directly for devices or file types while > > it should really use the SELinuxRestoreSecurityFileLabel encapsulating > > routine, which avoids various problems like resolving symlinks, > > making sure the file exists and working around NFS problems > > > > Daniel > > > > diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c > > index 936a1a6..996177a 100644 > > --- a/src/security/security_selinux.c > > +++ b/src/security/security_selinux.c > > @@ -694,9 +694,10 @@ SELinuxRestoreSecurityChardevLabel(virDomainObjPtr vm, > > switch (dev->type) { > > case VIR_DOMAIN_CHR_TYPE_DEV: > > case VIR_DOMAIN_CHR_TYPE_FILE: > > - ret = SELinuxSetFilecon(dev->data.file.path, secdef->imagelabel); > > + if (SELinuxRestoreSecurityFileLabel(dev->data.file.path) < 0) > > + goto done; > > + ret = 0; > > break; > > - > > case VIR_DOMAIN_CHR_TYPE_PIPE: > > if ((virAsprintf(&out, "%s.out", dev->data.file.path) < 0) || > > (virAsprintf(&in, "%s.in", dev->data.file.path) < 0)) { > > ACK okay, thanks, pushed ! Daniel -- Daniel Veillard | libxml Gnome XML XSLT toolkit http://xmlsoft.org/ daniel@xxxxxxxxxxxx | Rpmfind RPM search engine http://rpmfind.net/ http://veillard.com/ | virtualization library http://libvirt.org/
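Review bot: in the VIR_DOMAIN_CHR_TYPE_DEV / VIR_DOMAIN_CHR_TYPE_FILE case the replacement call no longer passes secdef->imagelabel, so the label written to dev->data.file.path on restore changes along with the helper. That is a behaviour change in a security-labelling path, and the commit message covers only symlink resolution, the existence check and the NFS workaround. Please state in the commit message which label the path is expected to carry after restore, and that re-applying the image label in a restore routine was the actual defect, if that is the intent. Separately, `goto done;` depends on ret already holding a failure value and on a done label further down, neither of which is visible in this hunk; confirm ret is initialised to an error value before the switch so a failed relabel cannot be reported as success. The blank line removed before `case VIR_DOMAIN_CHR_TYPE_PIPE:` is an unrelated whitespace change and would be better left out of a fix like this.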