Blame SOURCES/0063-Use-proper-label-for-nbdkit-sockets.patch

df3bb2
From c7942097bff8cbbfbee34e1750223c308f32f8a4 Mon Sep 17 00:00:00 2001
df3bb2
From: Martin Kletzander <mkletzan@redhat.com>
df3bb2
Date: Mon, 27 May 2019 13:30:05 +0200
df3bb2
Subject: [PATCH] Use proper label for nbdkit sockets
df3bb2
df3bb2
While svirt_t can be used for sockets it does not always guarantee that it will
df3bb2
be accessible from a virtual machine.  The VM might be running under svirt_tcg_t
df3bb2
context which will need a svirt_tcg_t label on the socket in order to access it.
df3bb2
df3bb2
There is, however, another label, svirt_socket_t, which is accessible from
df3bb2
virt_domain:
df3bb2
df3bb2
  # sesearch -A -s svirt_t -c unix_stream_socket -p connectto
df3bb2
  ...
df3bb2
  allow virt_domain svirt_socket_t:unix_stream_socket { ... connectto ... };
df3bb2
  ...
df3bb2
df3bb2
And virt_domain is a type attribute of both svirt_t and svirt_tcg_t:
df3bb2
df3bb2
  # seinfo -x -a virt_domain
df3bb2
  Type Attributes: 1
df3bb2
     attribute virt_domain;
df3bb2
          svirt_t
df3bb2
          svirt_tcg_t
df3bb2
df3bb2
Resolves: https://bugzilla.redhat.com/1698437
df3bb2
df3bb2
Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
df3bb2
(cherry picked from commit c2918b8b74506523a723b804d452816a059c5e50)
df3bb2
---
df3bb2
 v2v/input_libvirt_vddk.ml | 2 +-
df3bb2
 v2v/output_rhv_upload.ml  | 2 +-
df3bb2
 2 files changed, 2 insertions(+), 2 deletions(-)
df3bb2
df3bb2
diff --git a/v2v/input_libvirt_vddk.ml b/v2v/input_libvirt_vddk.ml
df3bb2
index 0b3ed7af9..5e8e60bd2 100644
df3bb2
--- a/v2v/input_libvirt_vddk.ml
df3bb2
+++ b/v2v/input_libvirt_vddk.ml
df3bb2
@@ -292,7 +292,7 @@ object
df3bb2
       add_arg "--newstyle";         (* use newstyle NBD protocol *)
df3bb2
       add_arg "--exportname"; add_arg "/";
df3bb2
       if have_selinux then (        (* label the socket so qemu can open it *)
df3bb2
-        add_arg "--selinux-label"; add_arg "system_u:object_r:svirt_t:s0"
df3bb2
+        add_arg "--selinux-label"; add_arg "system_u:object_r:svirt_socket_t:s0"
df3bb2
       );
df3bb2
 
df3bb2
       (* Name of the plugin.  Everything following is a plugin parameter. *)
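Review bot: The comment on the `have_selinux` branch, `(* label the socket so qemu can open it *)`, still does not say why `svirt_socket_t` is used, so a later cleanup could revert it to `svirt_t` and break guests running as `svirt_tcg_t` again; I would extend it to `(* svirt_socket_t: connectto is allowed to virt_domain, i.e. both svirt_t and svirt_tcg_t *)`. The same label literal and the same comment appear in the v2v/output_rhv_upload.ml hunk, so the two copies can drift apart; a single shared constant for the label would avoid that, if the two modules have a common place for it. The level is plain `s0` with no MCS categories, which presumably means SELinux alone does not stop other confined guests on the host from connecting, so it is worth confirming that the socket's directory and file permissions keep it private. The enclosing object and method start and end outside the hunk.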
df3bb2
diff --git a/v2v/output_rhv_upload.ml b/v2v/output_rhv_upload.ml
df3bb2
index 79a2fc8fd..fc33e5033 100644
df3bb2
--- a/v2v/output_rhv_upload.ml
df3bb2
+++ b/v2v/output_rhv_upload.ml
df3bb2
@@ -230,7 +230,7 @@ See also \"OUTPUT TO RHV\" in the virt-v2v(1) manual.")
df3bb2
     let args =
df3bb2
       (* label the socket so qemu can open it *)
df3bb2
       if have_selinux then
df3bb2
-        args @ ["--selinux-label"; "system_u:object_r:svirt_t:s0"]
df3bb2
+        args @ ["--selinux-label"; "system_u:object_r:svirt_socket_t:s0"]
df3bb2
       else args in
df3bb2
     args in
df3bb2
 
df3bb2
-- 
df3bb2
2.21.0
df3bb2