Re: [PATCH 3/3] Ensure sanlock socket is labelled with the VM process label

On 06/24/2011 09:09 AM, Daniel P. Berrange wrote:
> The libvirt sanlock plugin is intentionally leaking a file
> descriptor to QEMU. To enable QEMU to use this FD under
> SELinux, it must be labelled correctly. We don't want to use
> the svirt_image_t for this, since QEMU must not be allowed
> to actually use the FD. So instead we label it with svirt_t
> using virSecurityManagerSetProcessFDLabel
> 
> * src/locking/domain_lock.c, src/locking/domain_lock.h,
>   src/locking/lock_driver.h, src/locking/lock_driver_nop.c,
>   src/locking/lock_driver_sanlock.c, src/locking/lock_manager.c,
>   src/locking/lock_manager.h: Optionally pass an FD back to
>   the hypervisor for security driver labelling
> * src/qemu/qemu_process.c: label the lock manager plugin
>   FD with the process label

> @@ -2149,10 +2151,16 @@ static int qemuProcessHook(void *data)
>      if (qemuProcessInitNumaMemoryPolicy(h->vm) < 0)
>          return -1;
>  
> -    VIR_DEBUG("Setting up security labeling");
> +    VIR_DEBUG("Setting up security labelling");
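
Review bot: the VIR_DEBUG string change on the last line of this hunk ("labeling" to "labelling") is a cosmetic edit unrelated to labelling the lock manager FD, and anyone matching logs on the existing message text will stop finding it after this patch. Suggest dropping it here or sending it as a separate cleanup. The hunk header (10 lines becoming 16) indicates six added lines that this quote trims, so the new FD labelling call and its error path are not visible here for review.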

Why the spelling change?  Both spellings are valid, but I see 'labeling'
in more places than labelling:
http://www.googlefight.com/index.php?lang=en_GB&word1=labeling&word2=labelling

ACK.

-- 
Eric Blake   eblake@xxxxxxxxxx    +1-801-349-2682
Libvirt virtualization library http://libvirt.org

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list