Hi all,

There is a confusing issue in svirt. If sec_type is dynamic or relabel is yes in the VM, then when the VM is stopped the label of the image is restored to a default label for the path, not to the label I expected, which is the one it had before the VM was started.

Example:

    # virsh dumpxml virt-tests-vm1
    ...
    <disk type='file' device='disk'>
      <driver name='qemu' type='raw' cache='none'/>
      <source file='/libvirt_autotest_root/images/fedora17.img'/>
      <target dev='hda' bus='ide'/>
      <address type='drive' controller='0' bus='0' target='0' unit='0'/>
    </disk>
    ...
    <seclabel type='dynamic' model='selinux' relabel='yes'/>
    ...

    # ll /libvirt_autotest_root/images/fedora17.img -Z
    -rwxr-xr-x. root root *system_u:object_r:svirt_image_t:s0* /libvirt_autotest_root/images/fedora17.img

    # virsh start virt-tests-vm1
    Domain virt-tests-vm1 started

    # virsh destroy virt-tests-vm1
    Domain virt-tests-vm1 destroyed

    # ll /libvirt_autotest_root/images/fedora17.img -Z
    -rwxr-xr-x. root root *system_u:object_r:default_t:s0* /libvirt_autotest_root/images/fedora17.img

The label is changed from svirt_image_t to default_t. svirt_image_t is accessible to an svirt_t process, but default_t is not.

This patch introduces a struct named _virSecuritySELinuxBackupContext to save the path and the label before libvirt changes them. The labels will be restored to the path when the VM is stopped.

yangdongsheng (2):
  util: Introduce virStrcmp into virstring.
  security: Save contexts of resources for restoring it.

 src/security/security_selinux.c | 229 +++++++++++++++++++++++++++++++++++++--
 src/util/virstring.c            |  14 +++
 src/util/virstring.h            |   2 +
 3 files changed, 238 insertions(+), 7 deletions(-)

--
1.7.10.1
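The label change reported in the message above can be checked mechanically by snapshotting image contexts before the VM starts and comparing them after it is destroyed. The script below is an added example, not part of the original post or of libvirt; the function names and the tab-separated snapshot format are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not libvirt code): detect SELinux label drift on disk images
# across a VM start/stop cycle. Function names are hypothetical.

# Print "path<TAB>context" for each path, using GNU stat's %C (SELinux context).
snapshot_labels() {
    for p in "$@"; do
        printf '%s\t%s\n' "$p" "$(stat -c '%C' -- "$p")"
    done
}

# Compare two snapshot files. For every path whose context differs, print
# "path: old_type -> new_type" (type is the third field of user:role:type:level).
# Exit status is 1 when any label drifted, 0 otherwise.
label_drift() {
    awk -F'\t' '
        NR == FNR { before[$1] = $2; next }
        ($1 in before) && before[$1] != $2 {
            split(before[$1], o, ":"); split($2, n, ":")
            printf "%s: %s -> %s\n", $1, o[3], n[3]
            drift = 1
        }
        END { exit drift + 0 }
    ' "$1" "$2"
}

# Typical use around the cycle shown in the post:
#   snapshot_labels /libvirt_autotest_root/images/fedora17.img > before.tsv
#   virsh start virt-tests-vm1 && virsh destroy virt-tests-vm1
#   snapshot_labels /libvirt_autotest_root/images/fedora17.img > after.tsv
#   label_drift before.tsv after.tsv || echo "labels were not restored"
```

A non-zero exit from label_drift after a start/destroy cycle means at least one image no longer carries the label it had before the VM was started.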