Re: [PATCH 6/6] qemu: Use fd: protocol for migration

On 08/29/2011 11:40 AM, Eric Blake wrote:
> SELinux doesn't like this.  We never label the pipe here, and
> qemuMonitorMigrateToFd doesn't label the outgoing pipe either.  Thus,
> when we hand the fd to qemu for tunneled migration, SELinux rejects the
> first write() attempt, and qemu fails with:
> 
> internal error unable to execute QEMU command 'getfd': No file
> descriptor supplied via SCM_RIGHTS
> 
> I'm still testing this, but based on how we label the incoming pipe in
> qemuProcessStart, I think this will solve the problem.

My testing is complete; this did indeed fix the problem I was seeing,
and with this patch installed I was able to do a tunneled migration
with SELinux enforcing.

> 
> diff --git i/src/qemu/qemu_migration.c w/src/qemu/qemu_migration.c
> index a2dc97c..38b05a9 100644
> --- i/src/qemu/qemu_migration.c
> +++ w/src/qemu/qemu_migration.c
> @@ -24,6 +24,7 @@
>  #include <sys/time.h>
>  #include <gnutls/gnutls.h>
>  #include <gnutls/x509.h>
> +#include <fcntl.h>
> 
>  #include "qemu_migration.h"
>  #include "qemu_monitor.h"
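Review bot: <fcntl.h> only provides O_CLOEXEC; the pipe2() call introduced in the next hunk is declared in <unistd.h> and, on glibc, only when _GNU_SOURCE is defined before the system headers, so check that qemu_migration.c already gets both (or that a gnulib pipe2 replacement is in use) rather than relying on an implicit declaration. pipe2() is also Linux-only, which is acceptable for the qemu driver but worth a mention in the commit message.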
> @@ -1691,13 +1692,13 @@ static int doTunnelMigrate(struct qemud_driver
> *driver,
>          spec.dest.fd.qemu = -1;
>          spec.dest.fd.local = -1;
> 
> -        if (pipe(fds) == 0) {
> +        if (pipe2(fds, O_CLOEXEC) == 0) {
>              spec.dest.fd.qemu = fds[1];
>              spec.dest.fd.local = fds[0];
>          }
>          if (spec.dest.fd.qemu == -1 ||
> -            virSetCloseExec(spec.dest.fd.qemu) < 0 ||
> -            virSetCloseExec(spec.dest.fd.local) < 0) {
> +            virSecurityManagerSetImageFDLabel(driver->securityManager, vm,
> +                                              spec.dest.fd.qemu) < 0) {
>              virReportSystemError(errno, "%s",
>                          _("cannot create pipe for tunnelled migration"));
>              goto cleanup;
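Review bot: the error path after the replaced check still reports "cannot create pipe for tunnelled migration" for both failure modes, so a virSecurityManagerSetImageFDLabel() failure is misreported as a pipe2() failure, and if the security driver has already reported its own error this virReportSystemError() overwrites it with whatever errno happens to hold at that point. Suggest testing the two conditions separately: keep the existing message for `spec.dest.fd.qemu == -1`, and for the label failure either skip virReportSystemError() or use a labelling-specific message. Dropping the two virSetCloseExec() calls is correct since pipe2(O_CLOEXEC) sets the flag on both ends atomically, and labelling only spec.dest.fd.qemu is enough because libvirtd itself reads spec.dest.fd.local; please confirm that cleanup closes both fds when the label step fails, since both are open at that point.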
> 
> 

-- 
Eric Blake   eblake@xxxxxxxxxx    +1-801-349-2682
Libvirt virtualization library http://libvirt.org

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
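The create-pipe-then-label sequence discussed in this thread, as an added example that is not libvirt's code. It assumes Linux (pipe2() and O_CLOEXEC are GNU extensions) and replaces the real security-driver call, virSecurityManagerSetImageFDLabel(), with a hypothetical callback type label_fd_fn, because the real call needs a libvirt security driver and an SELinux-enforcing host; demo_label_record and demo_label_deny are constructed hooks standing in for a successful relabel and for a denial. The legacy variant shows the pipe()+fcntl() shape the patch removes, and fd_is_cloexec() is the check a reviewer would run on both ends.

```c
#define _GNU_SOURCE          /* pipe2() and O_CLOEXEC are GNU/Linux extensions */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical stand-in for the security-driver labelling step (in libvirt
 * this is virSecurityManagerSetImageFDLabel); a callback so the ordering and
 * error handling can be exercised without an SELinux host. */
typedef int (*label_fd_fn)(int fd, void *opaque);

struct tunnel_pipe {
    int qemu_end;   /* write end: handed to qemu over SCM_RIGHTS ('getfd') */
    int local_end;  /* read end: drained by libvirtd itself, needs no relabel */
};

/* 1 if FD_CLOEXEC is set on fd, 0 if not, -1 on error. */
int fd_is_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0)
        return -1;
    return (flags & FD_CLOEXEC) ? 1 : 0;
}

static void close_keep_errno(int *fd)
{
    int saved = errno;
    if (*fd >= 0)
        close(*fd);
    *fd = -1;
    errno = saved;
}

void tunnel_pipe_close(struct tunnel_pipe *tp)
{
    close_keep_errno(&tp->qemu_end);
    close_keep_errno(&tp->local_end);
}

/* Post-patch shape: both ends are close-on-exec from birth and only the end
 * qemu writes to is labelled.  errbuf gets a step-specific message so a label
 * failure is not reported as a pipe failure.  Returns 0, or -1 with both ends closed. */
int tunnel_pipe_create(struct tunnel_pipe *tp, label_fd_fn label, void *opaque,
                       char *errbuf, size_t errlen)
{
    int fds[2];

    tp->qemu_end = tp->local_end = -1;
    if (pipe2(fds, O_CLOEXEC) < 0) {
        snprintf(errbuf, errlen, "cannot create pipe for tunnelled migration: %s",
                 strerror(errno));
        return -1;
    }
    tp->local_end = fds[0];
    tp->qemu_end = fds[1];

    if (label && label(tp->qemu_end, opaque) < 0) {
        snprintf(errbuf, errlen, "cannot label qemu end of migration pipe (fd %d): %s",
                 tp->qemu_end, strerror(errno));
        tunnel_pipe_close(tp);
        return -1;
    }
    return 0;
}

/* Pre-patch shape, for contrast: between pipe() and the fcntl() calls another
 * thread's fork()+exec() inherits both ends, leaking the migration stream. */
int tunnel_pipe_create_legacy(struct tunnel_pipe *tp)
{
    int fds[2];

    tp->qemu_end = tp->local_end = -1;
    if (pipe(fds) < 0)
        return -1;
    tp->local_end = fds[0];
    tp->qemu_end = fds[1];
    if (fcntl(tp->qemu_end, F_SETFD, FD_CLOEXEC) < 0 ||
        fcntl(tp->local_end, F_SETFD, FD_CLOEXEC) < 0) {
        tunnel_pipe_close(tp);
        return -1;
    }
    return 0;
}

/* Constructed hooks: record which fd was offered for labelling / deny like SELinux would. */
int demo_label_record(int fd, void *opaque) { *(int *)opaque = fd; return 0; }
int demo_label_deny(int fd, void *opaque) { (void)fd; (void)opaque; errno = EACCES; return -1; }

int main(void)
{
    struct tunnel_pipe tp;
    char err[128];
    int labelled = -1;

    if (tunnel_pipe_create(&tp, demo_label_record, &labelled, err, sizeof err) < 0)
        return fprintf(stderr, "%s\n", err), 1;
    printf("labelled fd %d, cloexec qemu=%d local=%d\n", labelled,
           fd_is_cloexec(tp.qemu_end), fd_is_cloexec(tp.local_end));
    tunnel_pipe_close(&tp);
    if (tunnel_pipe_create(&tp, demo_label_deny, NULL, err, sizeof err) < 0)
        printf("expected failure: %s\n", err);
    return 0;
}
```

On a real host the callback would wrap the security driver's fd relabel and the caller would hand tp.qemu_end to the monitor's getfd command; the point the example makes is that the label is applied before the fd is offered to qemu, and that the failure message names the step that failed.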

