diff --git a/libvirt-0.6.2-shared-readonly-label.patch b/libvirt-0.6.2-shared-readonly-label.patch new file mode 100644 index 0000000..e962d18 --- /dev/null +++ b/libvirt-0.6.2-shared-readonly-label.patch @@ -0,0 +1,76 @@ +diff -rup libvirt-0.6.2/src/security_selinux.c libvirt-0.6.2.new/src/security_selinux.c +--- libvirt-0.6.2/src/security_selinux.c 2009-04-03 15:36:56.000000000 +0100 ++++ libvirt-0.6.2.new/src/security_selinux.c 2009-05-05 13:39:42.000000000 +0100 +@@ -24,11 +24,12 @@ + #include "virterror_internal.h" + #include "util.h" + #include "memory.h" +- ++#include "logging.h" + + #define VIR_FROM_THIS VIR_FROM_SECURITY + + static char default_domain_context[1024]; ++static char default_content_context[1024]; + static char default_image_context[1024]; + #define SECURITY_SELINUX_VOID_DOI "0" + #define SECURITY_SELINUX_NAME "selinux" +@@ -148,8 +149,13 @@ SELinuxInitialize(virConnectPtr conn) + close(fd); + + ptr = strchrnul(default_image_context, '\n'); +- *ptr = '\0'; +- ++ if (*ptr == '\n') { ++ *ptr = '\0'; ++ strcpy(default_content_context, ptr+1); ++ ptr = strchrnul(default_content_context, '\n'); ++ if (*ptr == '\n') ++ *ptr = '\0'; ++ } + return 0; + } + +@@ -275,6 +281,8 @@ SELinuxSetFilecon(virConnectPtr conn, co + { + char ebuf[1024]; + ++ VIR_INFO("Setting SELinux context on '%s' to '%s'", path, tcon); ++ + if(setfilecon(path, tcon) < 0) { + virSecurityReportError(conn, VIR_ERR_ERROR, + _("%s: unable to set security context " +@@ -299,6 +307,8 @@ SELinuxRestoreSecurityImageLabel(virConn + char *newpath = NULL; + const char *path = disk->src; + ++ /* Don't restore labels on readoly/shared disks, because ++ * other VMs may still be accessing these */ + if (disk->readonly || disk->shared) + return 0; + +@@ -328,8 +338,13 @@ SELinuxSetSecurityImageLabel(virConnectP + { + const virSecurityLabelDefPtr secdef = &vm->def->seclabel; + +- if (secdef->imagelabel) ++ if (disk->shared) { ++ return SELinuxSetFilecon(conn, disk->src, default_image_context); ++ } else if (disk->readonly) { ++ return SELinuxSetFilecon(conn, disk->src, default_content_context); ++ } else if (secdef->imagelabel) { + return SELinuxSetFilecon(conn, disk->src, secdef->imagelabel); ++ } + + return 0; + } +@@ -403,9 +418,6 @@ SELinuxSetSecurityLabel(virConnectPtr co + + if (secdef->imagelabel) { + for (i = 0 ; i < vm->def->ndisks ; i++) { +- if (vm->def->disks[i]->readonly || +- vm->def->disks[i]->shared) continue; +- + if (SELinuxSetSecurityImageLabel(conn, vm, vm->def->disks[i]) < 0) + return -1; + } diff --git a/libvirt.spec b/libvirt.spec index a19ebdd..2b9482c 100644 --- a/libvirt.spec +++ b/libvirt.spec @@ -66,13 +66,15 @@ Summary: Library providing a simple API virtualization Name: libvirt Version: 0.6.2 -Release: 3%{?dist}%{?extra_release} +Release: 4%{?dist}%{?extra_release} License: LGPLv2+ Group: Development/Libraries Source: libvirt-%{version}.tar.gz # Patches cherry-picked from upstream Patch0: libvirt-0.6.2-qemu-drive-format.patch +# Fix shared/readonly disk labelling +Patch1: libvirt-0.6.2-shared-readonly-label.patch # Not for upstream. Temporary hack till PulseAudio autostart # problems are sorted out when SELinux enforcing @@ -228,6 +230,7 @@ of recent versions of Linux (and other OSes). %setup -q %patch0 -p1 +%patch1 -p1 %patch200 -p0 @@ -551,6 +554,9 @@ fi %endif %changelog +* Tue May 5 2009 Daniel P. Berrange - 0.6.2-4.fc11 +- Fix labelling of shared/readonly disks (rhbz #493692) + * Tue Apr 28 2009 Daniel Veillard - 0.6.2-3.fc11 - Fix missing directories in spec (#496945 and gtk-doc)