diff --git a/libvirt-0.6.1-svirt-shared-readonly.patch b/libvirt-0.6.1-svirt-shared-readonly.patch new file mode 100644 index 0000000..2c7b2ba --- /dev/null +++ b/libvirt-0.6.1-svirt-shared-readonly.patch @@ -0,0 +1,143 @@ +diff -rup libvirt-0.6.1.orig/src/qemu_driver.c libvirt-0.6.1.new/src/qemu_driver.c +--- libvirt-0.6.1.orig/src/qemu_driver.c 2009-03-17 11:57:04.000000000 +0000 ++++ libvirt-0.6.1.new/src/qemu_driver.c 2009-03-17 11:57:12.000000000 +0000 +@@ -3765,7 +3765,7 @@ static int qemudDomainAttachDevice(virDo + goto cleanup; + } + if (driver->securityDriver) +- driver->securityDriver->domainSetSecurityImageLabel(dom->conn, vm, dev); ++ driver->securityDriver->domainSetSecurityImageLabel(dom->conn, vm, dev->data.disk); + break; + + default: +@@ -3901,7 +3901,7 @@ static int qemudDomainDetachDevice(virDo + dev->data.disk->bus == VIR_DOMAIN_DISK_BUS_VIRTIO)) { + ret = qemudDomainDetachPciDiskDevice(dom->conn, vm, dev); + if (driver->securityDriver) +- driver->securityDriver->domainRestoreSecurityImageLabel(dom->conn, vm, dev); ++ driver->securityDriver->domainRestoreSecurityImageLabel(dom->conn, dev->data.disk); + } + else + qemudReportError(dom->conn, dom, NULL, VIR_ERR_NO_SUPPORT, +diff -rup libvirt-0.6.1.orig/src/security.h libvirt-0.6.1.new/src/security.h +--- libvirt-0.6.1.orig/src/security.h 2009-03-03 16:40:46.000000000 +0000 ++++ libvirt-0.6.1.new/src/security.h 2009-03-17 11:57:12.000000000 +0000 +@@ -32,11 +32,10 @@ typedef virSecurityDriverStatus (*virSec + typedef int (*virSecurityDriverOpen) (virConnectPtr conn, + virSecurityDriverPtr drv); + typedef int (*virSecurityDomainRestoreImageLabel) (virConnectPtr conn, +- virDomainObjPtr vm, +- virDomainDeviceDefPtr dev); ++ virDomainDiskDefPtr disk); + typedef int (*virSecurityDomainSetImageLabel) (virConnectPtr conn, + virDomainObjPtr vm, +- virDomainDeviceDefPtr dev); ++ virDomainDiskDefPtr disk); + typedef int (*virSecurityDomainGenLabel) (virConnectPtr conn, + virDomainObjPtr sec); + typedef int (*virSecurityDomainGetLabel) (virConnectPtr conn, +diff -rup libvirt-0.6.1.orig/src/security_selinux.c libvirt-0.6.1.new/src/security_selinux.c +--- libvirt-0.6.1.orig/src/security_selinux.c 2009-03-03 16:40:46.000000000 +0000 ++++ libvirt-0.6.1.new/src/security_selinux.c 2009-03-17 11:57:12.000000000 +0000 +@@ -269,7 +269,7 @@ SELinuxGetSecurityLabel(virConnectPtr co + } + + static int +-SELinuxSetFilecon(virConnectPtr conn, char *path, char *tcon) ++SELinuxSetFilecon(virConnectPtr conn, const char *path, char *tcon) + { + char ebuf[1024]; + +@@ -288,28 +288,51 @@ SELinuxSetFilecon(virConnectPtr conn, ch + + static int + SELinuxRestoreSecurityImageLabel(virConnectPtr conn, +- virDomainObjPtr vm, +- virDomainDeviceDefPtr dev) ++ virDomainDiskDefPtr disk) + { +- const virSecurityLabelDefPtr secdef = &vm->def->seclabel; ++ struct stat buf; ++ security_context_t fcon = NULL; ++ int rc = -1; ++ char *newpath = NULL; ++ const char *path = disk->src; + +- if (secdef->imagelabel) { +- return SELinuxSetFilecon(conn, dev->data.disk->src, default_image_context); ++ if (disk->readonly || disk->shared) ++ return 0; ++ ++ if (lstat(path, &buf) != 0) ++ return -1; ++ ++ if (S_ISLNK(buf.st_mode)) { ++ if (VIR_ALLOC_N(newpath, buf.st_size + 1) < 0) ++ return -1; ++ ++ if (readlink(path, newpath, buf.st_size) < 0) ++ goto err; ++ path = newpath; ++ if (stat(path, &buf) != 0) ++ goto err; + } +- return 0; ++ ++ if (matchpathcon(path, buf.st_mode, &fcon) == 0) { ++ rc = SELinuxSetFilecon(conn, path, fcon); ++ } ++err: ++ VIR_FREE(fcon); ++ VIR_FREE(newpath); ++ return rc; + } + + static int + SELinuxSetSecurityImageLabel(virConnectPtr conn, + virDomainObjPtr vm, +- virDomainDeviceDefPtr dev) ++ virDomainDiskDefPtr disk) + + { + const virSecurityLabelDefPtr secdef = &vm->def->seclabel; + +- if (secdef->imagelabel) { +- return SELinuxSetFilecon(conn, dev->data.disk->src, secdef->imagelabel); +- } ++ if (secdef->imagelabel) ++ return SELinuxSetFilecon(conn, disk->src, secdef->imagelabel); ++ + return 0; + } + +@@ -322,7 +345,7 @@ SELinuxRestoreSecurityLabel(virConnectPt + int rc = 0; + if (secdef->imagelabel) { + for (i = 0 ; i < vm->def->ndisks ; i++) { +- if (SELinuxSetFilecon(conn, vm->def->disks[i]->src, default_image_context) < 0) ++ if (SELinuxRestoreSecurityImageLabel(conn, vm->def->disks[i]) < 0) + rc = -1; + } + VIR_FREE(secdef->model); +@@ -368,16 +391,11 @@ SELinuxSetSecurityLabel(virConnectPtr co + + if (secdef->imagelabel) { + for (i = 0 ; i < vm->def->ndisks ; i++) { +- if(setfilecon(vm->def->disks[i]->src, secdef->imagelabel) < 0) { +- virSecurityReportError(conn, VIR_ERR_ERROR, +- _("%s: unable to set security context " +- "'\%s\' on %s: %s."), __func__, +- secdef->imagelabel, +- vm->def->disks[i]->src, +- virStrerror(errno, ebuf, sizeof ebuf)); +- if (security_getenforce() == 1) +- return -1; +- } ++ if (vm->def->disks[i]->readonly || ++ vm->def->disks[i]->shared) continue; ++ ++ if (SELinuxSetSecurityImageLabel(conn, vm, vm->def->disks[i]) < 0) ++ return -1; + } + } + diff --git a/libvirt.spec b/libvirt.spec index f672800..f705e3e 100644 --- a/libvirt.spec +++ b/libvirt.spec @@ -47,7 +47,7 @@ Summary: Library providing a simple API virtualization Name: libvirt Version: 0.6.1 -Release: 4%{?dist}%{?extra_release} +Release: 5%{?dist}%{?extra_release} License: LGPLv2+ Group: Development/Libraries Source: libvirt-%{version}.tar.gz @@ -61,6 +61,7 @@ Patch7: libvirt-0.6.1-storage-free.patch Patch8: libvirt-0.6.1-vcpu-deadlock.patch Patch9: libvirt-0.6.1-xenblock-detach.patch Patch10: libvirt-0.6.1-fd-leaks2.patch +Patch11: libvirt-0.6.1-svirt-shared-readonly.patch # Not upstream yet - pending QEMU merge Patch100: libvirt-0.6.1-vnc-sasl-auth.patch @@ -205,6 +206,7 @@ of recent versions of Linux (and other OSes). %patch8 -p1 %patch9 -p1 %patch10 -p0 +%patch11 -p1 %patch100 -p1 @@ -499,6 +501,9 @@ fi %endif %changelog +* Tue Mar 17 2009 Daniel P. Berrange - 0.6.1-5.fc11 +- Don't relabel shared/readonly disks + * Tue Mar 17 2009 Daniel P. Berrange - 0.6.1-4.fc11 - Fix memory allocation for xend lookup - Avoid crash if storage volume deletion fails