On Thu, May 29, 2014 at 10:42:37AM -0400, Shivaprasad G Bhat wrote:
The restore of a saved image file fails when the selinux context is static. The libvirt has to set the context of save image file handle to that of the guest before handing off the FD to qemu. Signed-off-by: Shivaprasad G Bhat <shivaprasadbhat@xxxxxxxxx> --- src/qemu/qemu_process.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c index 124fe28..47d1f7d 100644 --- a/src/qemu/qemu_process.c +++ b/src/qemu/qemu_process.c @@ -4052,14 +4052,14 @@ int qemuProcessStart(virConnectPtr conn, */ struct stat stdin_sb; - VIR_DEBUG("setting security label on pipe used for migration"); + VIR_DEBUG("setting security label on fd used for migration or restore"); if (fstat(stdin_fd, &stdin_sb) < 0) { virReportSystemError(errno, _("cannot stat fd %d"), stdin_fd); goto cleanup; } - if (S_ISFIFO(stdin_sb.st_mode) && + if ((S_ISFIFO(stdin_sb.st_mode) || S_ISREG(stdin_sb.st_mode)) && virSecurityManagerSetImageFDLabel(driver->securityManager, vm->def, stdin_fd) < 0) goto cleanup; }
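Review bot: In the changed condition, adding `S_ISREG(stdin_sb.st_mode)` makes virSecurityManagerSetImageFDLabel() run on a regular save file, which unlike a pipe is a persistent on-disk object, so the label set through the fd stays on the file after the guest is gone, and nothing in this hunk restores it. The commit message should state the failing scenario (domain label configuration and the error seen) and why labeling through the fd is needed here instead of by path, and the comment ending just above `struct stat stdin_sb;` should be updated to cover the regular-file case. The new debug message says "fd used for migration or restore", but only FIFOs and regular files are labeled; if other fd types such as a block device are possible here, either handle them or say in the comment why they are skipped.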
Sorry for being so uncertain, but this does not look like what needs to be done. A few lines before this code, virSecurityManagerSetAllLabel() is called. If the domain is starting with an fd that is not a fifo (thus already pointing right to the file), the file path is in stdin_path and that same path should be labeled inside virSecurityManagerSetAllLabel().

I'm not certain this needs fixing as I haven't seen that error with a scenario that should cause it. So there are a few options for what is wrong:

a) some newer selinux keeps the label on the fd pointing to path even when path was relabelled (IIRC it does not happen with older versions),

b) or we have a bug in our code that the path does not get relabelled, but it should not be relabelled here,

c) even if it needs to be relabelled here in the code, the first part of the condition you created is effectively always true. Unless resuming from, I don't know, block device or something, in which case it would fail as well.

I'd love to make the code fixed, but I'd like to know what is the scenario that you are trying to fix here. Maybe the code is exactly as it needs to be, but I'd like to see an explanation of that in the commit message if that's the case. In that case I don't understand why it fails with static selinux context only.

Also make sure (with dumpxml) that your machine does not have relabel="no" in the specification.

Martin
-- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list