On 08/29/2011 11:40 AM, Eric Blake wrote:
> SELinux doesn't like this. We never label the pipe here, and
> qemuMonitorMigrateToFd doesn't label the outgoing pipe either. Thus,
> when we hand the fd to qemu for tunneled migration, SELinux rejects the
> first write() attempt, and qemu fails with:
>
> internal error unable to execute QEMU command 'getfd': No file
> descriptor supplied via SCM_RIGHTS
>
> I'm still testing this, but based on how we label the incoming pipe in
> qemuProcessStart, I think this will solve the problem.

My testing is complete; this did indeed fix the problem I was seeing, and
with this patch installed I was able to do a tunneled migration with
SELinux enforcing.

>
> diff --git i/src/qemu/qemu_migration.c w/src/qemu/qemu_migration.c
> index a2dc97c..38b05a9 100644
> --- i/src/qemu/qemu_migration.c
> +++ w/src/qemu/qemu_migration.c
> @@ -24,6 +24,7 @@
>  #include <sys/time.h>
>  #include <gnutls/gnutls.h>
>  #include <gnutls/x509.h>
> +#include <fcntl.h>
>
>  #include "qemu_migration.h"
>  #include "qemu_monitor.h"
> @@ -1691,13 +1692,13 @@ static int doTunnelMigrate(struct qemud_driver
> *driver,
>      spec.dest.fd.qemu = -1;
>      spec.dest.fd.local = -1;
>
> -    if (pipe(fds) == 0) {
> +    if (pipe2(fds, O_CLOEXEC) == 0) {
>          spec.dest.fd.qemu = fds[1];
>          spec.dest.fd.local = fds[0];
>      }
>      if (spec.dest.fd.qemu == -1 ||
> -        virSetCloseExec(spec.dest.fd.qemu) < 0 ||
> -        virSetCloseExec(spec.dest.fd.local) < 0) {
> +        virSecurityManagerSetImageFDLabel(driver->securityManager, vm,
> +                                          spec.dest.fd.qemu) < 0) {
>          virReportSystemError(errno, "%s",
>                               _("cannot create pipe for tunnelled migration"));
>          goto cleanup;
>

-- 
Eric Blake   eblake@xxxxxxxxxx    +1-801-349-2682
Libvirt virtualization library http://libvirt.org

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
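Review bot: on the `+#include <fcntl.h>` hunk, pipe2() and O_CLOEXEC are Linux/glibc extensions rather than POSIX, and the second hunk drops the pipe() plus virSetCloseExec() fallback at the same time, so nothing in the patch shows how a non-Linux build of qemu_migration.c gets pipe2(). Please confirm a portability layer already supplies it for this tree (a gnulib pipe2 replacement, if the build uses one) and say so in the commit message; otherwise keep the pipe()/virSetCloseExec() path behind a configure check rather than relying on the header alone.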
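Review bot: in the doTunnelMigrate hunk, folding virSecurityManagerSetImageFDLabel() into the same condition as the pipe2() failure means a labeling failure is reported as `virReportSystemError(errno, "%s", _("cannot create pipe for tunnelled migration"))`, which names the wrong operation and, since the security driver normally raises its own error and errno may be stale by then, can overwrite the useful message. Suggest testing the two separately: keep the virReportSystemError() for `spec.dest.fd.qemu == -1`, then `if (virSecurityManagerSetImageFDLabel(driver->securityManager, vm, spec.dest.fd.qemu) < 0) goto cleanup;` and let the security manager's own report stand. Labeling only spec.dest.fd.qemu is right, since fds[1] is the end handed to qemu over SCM_RIGHTS while fds[0] stays in libvirtd.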
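The data path the patch is about, as an added example that is not libvirt's or Eric's code: the tunnel pipe is created with pipe2(O_CLOEXEC), its write end is handed to a peer over a unix socket with SCM_RIGHTS (the mechanism qemu's 'getfd' command expects), the peer performs the write() that the report says SELinux denies when the fd carries no label, and the data is read back on the end that stays local. It assumes Linux/glibc (pipe2, MSG_CMSG_CLOEXEC); the names send_fd, recv_fd, fd_is_cloexec and tunnel_pipe_demo are this example's own, the socketpair stands in for the qemu monitor socket, and the SELinux labeling step (virSecurityManagerSetImageFDLabel in the patch) is only marked by a comment because libselinux is not linked here.

```c
#define _GNU_SOURCE          /* pipe2(), MSG_CMSG_CLOEXEC: Linux/glibc extensions */
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>

/* Hand one descriptor to the peer with SCM_RIGHTS, the ancillary data
 * qemu's 'getfd' monitor command looks for on its control socket. */
static int send_fd(int sock, int fd)
{
    char tag = 'F';                                  /* one real byte must travel */
    struct iovec iov = { .iov_base = &tag, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    struct msghdr msg;

    memset(&u, 0, sizeof(u));
    memset(&msg, 0, sizeof(msg));
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = u.buf;
    msg.msg_controllen = sizeof(u.buf);

    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = SOL_SOCKET;
    cm->cmsg_type = SCM_RIGHTS;
    cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &fd, sizeof(int));

    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive the descriptor; -1 corresponds to qemu's "No file descriptor
 * supplied via SCM_RIGHTS" when the ancillary data is missing or malformed. */
static int recv_fd(int sock)
{
    char tag;
    struct iovec iov = { .iov_base = &tag, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    struct msghdr msg;
    int fd;

    memset(&u, 0, sizeof(u));
    memset(&msg, 0, sizeof(msg));
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = u.buf;
    msg.msg_controllen = sizeof(u.buf);

    /* MSG_CMSG_CLOEXEC: the received copy is close-on-exec in this process too. */
    if (recvmsg(sock, &msg, MSG_CMSG_CLOEXEC) != 1 || (msg.msg_flags & MSG_CTRUNC))
        return -1;
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    if (!cm || cm->cmsg_level != SOL_SOCKET || cm->cmsg_type != SCM_RIGHTS ||
        cm->cmsg_len != CMSG_LEN(sizeof(int)))
        return -1;
    memcpy(&fd, CMSG_DATA(cm), sizeof(int));
    return fd;
}

/* 1 if FD_CLOEXEC is set on fd, 0 if clear, -1 on error (e.g. bad fd). */
int fd_is_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    return flags < 0 ? -1 : !!(flags & FD_CLOEXEC);
}

/* Model of doTunnelMigrate's pipe: fds[1] goes to the "qemu" side over a
 * unix socket, fds[0] stays local.  Returns the number of bytes that arrive
 * on the local end (copied into out), -1 on any failure or missing CLOEXEC. */
int tunnel_pipe_demo(char *out, size_t outlen)
{
    int fds[2], sv[2], qemu_fd;
    ssize_t n = -1;

    if (pipe2(fds, O_CLOEXEC) < 0)
        return -1;
    if (fd_is_cloexec(fds[0]) != 1 || fd_is_cloexec(fds[1]) != 1)
        goto out_pipe;
    /* In libvirt this is where the security driver labels fds[1] for the
     * guest (virSecurityManagerSetImageFDLabel); not modelled here. */
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        goto out_pipe;
    if (send_fd(sv[0], fds[1]) < 0 || (qemu_fd = recv_fd(sv[1])) < 0)
        goto out_sock;

    /* The peer writes through its copy: without a usable label on the pipe
     * this write() is the one the report says SELinux denies. */
    if (fd_is_cloexec(qemu_fd) == 1 && write(qemu_fd, "hello", 5) == 5) {
        close(qemu_fd);
        close(fds[1]);            /* both write ends closed: EOF follows the data */
        fds[1] = -1;
        n = read(fds[0], out, outlen);
    } else {
        close(qemu_fd);
    }
out_sock:
    close(sv[0]);
    close(sv[1]);
out_pipe:
    if (fds[1] >= 0)
        close(fds[1]);
    close(fds[0]);
    return (int)n;
}

/* 1 when the full round trip delivers the constructed "hello" payload. */
int tunnel_pipe_demo_ok(void)
{
    char buf[16];
    int n = tunnel_pipe_demo(buf, sizeof(buf));
    return n == 5 && memcmp(buf, "hello", 5) == 0;
}

int main(void)
{
    printf("tunnel pipe round trip: %s\n", tunnel_pipe_demo_ok() ? "ok" : "FAILED");
    return tunnel_pipe_demo_ok() ? 0 : 1;
}
```

Because the descriptor reaches the peer by SCM_RIGHTS rather than by inheritance across exec(), O_CLOEXEC on both ends (and MSG_CMSG_CLOEXEC on the received copy) costs nothing and keeps the pipe from leaking into any helper the receiver later spawns, which is why the patch can set it at creation and drop the separate virSetCloseExec() calls.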