From: "Richard W.M. Jones" <rjones@xxxxxxxxxx>
libvirt skips labelling these, for unknown reasons. This breaks libguestfs. Adding this and some SELinux rules (RHBZ#857453) fixes everything for me.
---
 src/security/security_selinux.c | 12 ++----------
 1 file changed, 2 insertions(+), 10 deletions(-)
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index a7e2420..c3b33f8 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -1230,6 +1230,7 @@ virSecuritySELinuxSetSecurityChardevLabel(virDomainDefPtr def,
 switch (dev->type) {
 case VIR_DOMAIN_CHR_TYPE_DEV:
 case VIR_DOMAIN_CHR_TYPE_FILE:
+ case VIR_DOMAIN_CHR_TYPE_UNIX:
 ret = virSecuritySELinuxSetFilecon(dev->data.file.path, secdef->imagelabel);
 break;
@@ -1280,6 +1281,7 @@ virSecuritySELinuxRestoreSecurityChardevLabel(virDomainDefPtr def,
 switch (dev->type) {
 case VIR_DOMAIN_CHR_TYPE_DEV:
 case VIR_DOMAIN_CHR_TYPE_FILE:
+ case VIR_DOMAIN_CHR_TYPE_UNIX:
 if (virSecuritySELinuxRestoreSecurityFileLabel(dev->data.file.path) < 0)
 goto done;
 ret = 0;
@@ -1318,11 +1320,6 @@ virSecuritySELinuxRestoreSecurityChardevCallback(virDomainDefPtr def, virDomainChrDefPtr dev, void *opaque ATTRIBUTE_UNUSED) { - /* This is taken care of by processing of def->serials */ - if (dev->deviceType == VIR_DOMAIN_CHR_DEVICE_TYPE_CONSOLE && - dev->targetType == VIR_DOMAIN_CHR_CONSOLE_TARGET_TYPE_SERIAL) - return 0; - - return virSecuritySELinuxRestoreSecurityChardevLabel(def, &dev->source); }
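Review bot: The new `case VIR_DOMAIN_CHR_TYPE_UNIX:` in virSecuritySELinuxSetSecurityChardevLabel falls through to a call that reads `dev->data.file.path`, the union member for file-backed sources. A UNIX chardev presumably keeps its path in its own member (`data.nix.path` in libvirt's chardev source definition), so this only works while the two members happen to share a layout. The same applies to the matching case added in virSecuritySELinuxRestoreSecurityChardevLabel, where a failed restore takes `goto done`. A dedicated case would also let the code skip listening sockets, whose path is likely created by the emulator only after labelling, so the setfilecon call could fail and abort the operation: `ret = dev->data.nix.listen ? 0 : virSecuritySELinuxSetFilecon(dev->data.nix.path, secdef->imagelabel);`. Both function bodies start and end outside their hunks, so the other cases and the error handling cannot be checked from here.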
@@ -1698,11 +1695,6 @@ virSecuritySELinuxSetSecurityChardevCallback(virDomainDefPtr def, virDomainChrDefPtr dev, void *opaque ATTRIBUTE_UNUSED) { - /* This is taken care of by processing of def->serials */ - if (dev->deviceType == VIR_DOMAIN_CHR_DEVICE_TYPE_CONSOLE && - dev->targetType == VIR_DOMAIN_CHR_CONSOLE_TARGET_TYPE_SERIAL) - return 0; - return virSecuritySELinuxSetSecurityChardevLabel(def, &dev->source); } -- 1.7.10.4 -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list