|
 |
10436e |
From 54b63460b7602ac5c68d6e58ab60e7f85877cefc Mon Sep 17 00:00:00 2001
|
|
|
1b21a6 |
From: Martin Kletzander <mkletzan@redhat.com>
|
|
|
1b21a6 |
Date: Mon, 27 May 2019 13:30:05 +0200
|
|
|
1b21a6 |
Subject: [PATCH] Use proper label for nbdkit sockets
|
|
|
1b21a6 |
|
|
|
1b21a6 |
While svirt_t can be used for sockets it does not always guarantee that it will
|
|
|
1b21a6 |
be accessible from a virtual machine. The VM might be running under svirt_tcg_t
|
|
|
1b21a6 |
context which will need a svirt_tcg_t label on the socket in order to access it.
|
|
|
1b21a6 |
|
|
|
1b21a6 |
There is, however, another label, svirt_socket_t, which is accessible from
|
|
|
1b21a6 |
virt_domain:
|
|
|
1b21a6 |
|
|
|
1b21a6 |
# sesearch -A -s svirt_t -c unix_stream_socket -p connectto
|
|
|
1b21a6 |
...
|
|
|
1b21a6 |
allow virt_domain svirt_socket_t:unix_stream_socket { ... connectto ... };
|
|
|
1b21a6 |
...
|
|
|
1b21a6 |
|
|
|
1b21a6 |
And virt_domain is a type attribute of both svirt_t and svirt_tcg_t:
|
|
|
1b21a6 |
|
|
|
1b21a6 |
# seinfo -x -a virt_domain
|
|
|
1b21a6 |
Type Attributes: 1
|
|
|
1b21a6 |
attribute virt_domain;
|
|
|
1b21a6 |
svirt_t
|
|
|
1b21a6 |
svirt_tcg_t
|
|
|
1b21a6 |
|
|
|
1b21a6 |
Resolves: https://bugzilla.redhat.com/1698437
|
|
|
1b21a6 |
|
|
|
1b21a6 |
Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
|
|
|
1b21a6 |
(cherry picked from commit c2918b8b74506523a723b804d452816a059c5e50)
|
|
|
1b21a6 |
---
|
|
|
1b21a6 |
v2v/input_libvirt_vddk.ml | 2 +-
|
|
|
1b21a6 |
v2v/output_rhv_upload.ml | 2 +-
|
|
|
1b21a6 |
2 files changed, 2 insertions(+), 2 deletions(-)
|
|
|
1b21a6 |
|
|
|
1b21a6 |
diff --git a/v2v/input_libvirt_vddk.ml b/v2v/input_libvirt_vddk.ml
|
|
|
10436e |
index 97c7cb532..567233d58 100644
|
|
|
1b21a6 |
--- a/v2v/input_libvirt_vddk.ml
|
|
|
1b21a6 |
+++ b/v2v/input_libvirt_vddk.ml
|
|
|
10436e |
@@ -290,7 +290,7 @@ object
|
|
|
1b21a6 |
add_arg "--newstyle"; (* use newstyle NBD protocol *)
|
|
|
1b21a6 |
add_arg "--exportname"; add_arg "/";
|
|
|
1b21a6 |
if have_selinux then ( (* label the socket so qemu can open it *)
|
|
|
1b21a6 |
- add_arg "--selinux-label"; add_arg "system_u:object_r:svirt_t:s0"
|
|
|
1b21a6 |
+ add_arg "--selinux-label"; add_arg "system_u:object_r:svirt_socket_t:s0"
|
|
|
1b21a6 |
);
|
|
|
1b21a6 |
|
|
|
1b21a6 |
(* Name of the plugin. Everything following is a plugin parameter. *)
|
|
|
1b21a6 |
diff --git a/v2v/output_rhv_upload.ml b/v2v/output_rhv_upload.ml
|
|
|
10436e |
index 77c39107e..c2a5c72c7 100644
|
|
|
1b21a6 |
--- a/v2v/output_rhv_upload.ml
|
|
|
1b21a6 |
+++ b/v2v/output_rhv_upload.ml
|
|
|
10436e |
@@ -217,7 +217,7 @@ See also the virt-v2v-output-rhv(1) manual.")
|
|
|
1b21a6 |
let args =
|
|
|
1b21a6 |
(* label the socket so qemu can open it *)
|
|
|
1b21a6 |
if have_selinux then
|
|
|
1b21a6 |
- args @ ["--selinux-label"; "system_u:object_r:svirt_t:s0"]
|
|
|
1b21a6 |
+ args @ ["--selinux-label"; "system_u:object_r:svirt_socket_t:s0"]
|
|
|
1b21a6 |
else args in
|
|
|
1b21a6 |
args in
|
|
|
1b21a6 |
|
|
|
1b21a6 |
--
|
|
|
10436e |
2.26.2
|
|
|
1b21a6 |
|