On 03/12/2013 11:28 AM, Daniel P. Berrange wrote: > From: "Daniel P. Berrange" <berrange@xxxxxxxxxx> > > Add a new virDomainLxcEnterSecurityLabel() function as a > counterpart to virDomainLxcEnterNamespaces(), which can > change the current calling process to have a new security > context. This call runs client side, not in libvirtd > so we can't use the security driver infrastructure. > > When entering a namespace, the process spawned from virsh > will default to running with the security label of virsh. > The actual desired behaviour is to run with the security > label of the container most of the time. So this changes > virsh lxc-enter-namespace command to invoke the > virDomainLxcEnterSecurityLabel method. > > include/libvirt/libvirt-lxc.h | 4 ++ > python/generator.py | 1 + > src/libvirt-lxc.c | 96 +++++++++++++++++++++++++++++++++++++++++++ > tools/virsh-domain.c | 32 +++++++++++++++ > 4 files changed, 133 insertions(+) Missing an entry in src/libvirt_lxc.syms to actually expose the new function in the .so. > +++ b/src/libvirt-lxc.c > @@ -29,6 +29,9 @@ > #include "virlog.h" > #include "virprocess.h" > #include "datatypes.h" > +#ifdef WITH_SELINUX > +#include <selinux/selinux.h> > +#endif Will fail 'make syntax-check' if cppi is installed. > @@ -8029,12 +8036,35 @@ cmdLxcEnterNamespace(vshControl *ctl, const vshCmd *cmd) > if ((nfdlist = virDomainLxcOpenNamespace(dom, &fdlist, 0)) < 0) > goto cleanup; > > + if (setlabel) { > + fprintf(stderr, "Getr sec\n"); Spurious debug message? ACK with those things addressed. -- Eric Blake eblake redhat com +1-919-301-3266 Libvirt virtualization library http://libvirt.org
Attachment:
signature.asc
Description: OpenPGP digital signature
-- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list