rpms
/
libvirt
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Rebased to version 0.10.2.4 

Fix 'Cannot parse sensitivity level in s0' error (bz #902103)
Fix updating NIC that has boot order set (bz #906446)
Fix virsh list for vmware ESX (bz #910702)
Fix libxl disk backend default (bz #912488)
remotes/origin/f18
Cole Robinson 2013-04-01 17:22:27 -04:00
parent 64e6ea2c74
commit ec17372ebc
3 changed files with 20 additions and 138 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

129
0002-Support-custom-svirt_tcg_t-context-for-TCG-based-gue.patch
View File

@ -1,129 +0,0 @@
From 95ea6a38bd9a3ca8393c7d738df8bab0ca554439 Mon Sep 17 00:00:00 2001
From: "Daniel P. Berrange" <berrange@redhat.com>
Date: Wed, 12 Dec 2012 11:47:19 +0000
Subject: [PATCH] Support custom 'svirt_tcg_t' context for TCG based guests
The current SELinux policy only works for KVM guests, since
TCG requires the 'execmem' privilege. There is a 'virt_use_execmem'
boolean to turn this on globally, but that is unpleasant for users.
This changes libvirt to automatically use a new 'svirt_tcg_t'
context for TCG based guests. This obsoletes the previous
boolean tunable and makes things 'just work(tm)'
Since we can't assume we run with new enough policy, I also
make us log a warning message (once only) if we find the policy
lacks support. In this case we fallback to the normal label and
expect users to set the boolean tunable
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
(cherry picked from commit 77d3a8097480e388f1ce3129fe530f235b05f93b)
---
src/security/security_selinux.c | 48 +++++++++++++++++++++++++++++++++++++----
1 file changed, 44 insertions(+), 4 deletions(-)
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index 2720266..b9f5a7b 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -58,6 +58,7 @@ typedef virSecuritySELinuxCallbackData *virSecuritySELinuxCallbackDataPtr;
struct _virSecuritySELinuxData {
char *domain_context;
+ char *alt_domain_context;
char *file_context;
char *content_context;
virHashTablePtr mcs;
@@ -475,8 +476,23 @@ virSecuritySELinuxQEMUInitialize(virSecurityManagerPtr mgr)
}
ptr = strchrnul(data->domain_context, '\n');
- if (ptr)
+ if (ptr && *ptr == '\n') {
*ptr = '\0';
+ ptr++;
+ if (*ptr != '\0') {
+ data->alt_domain_context = strdup(ptr);
+ if (!data->alt_domain_context) {
+ virReportOOMError();
+ goto error;
+ }
+ ptr = strchrnul(data->alt_domain_context, '\n');
+ if (ptr && *ptr == '\n')
+ *ptr = '\0';
+ }
+ }
+ VIR_DEBUG("Loaded domain context '%s', alt domain context '%s'",
+ data->domain_context, NULLSTR(data->alt_domain_context));
+
if (virFileReadAll(selinux_virtual_image_context_path(), 2*MAX_CONTEXT, &(data->file_context)) < 0) {
virReportSystemError(errno,
@@ -498,6 +514,9 @@ virSecuritySELinuxQEMUInitialize(virSecurityManagerPtr mgr)
*ptr = '\0';
}
+ VIR_DEBUG("Loaded file context '%s', content context '%s'",
+ data->file_context, data->content_context);
+
if (!(data->mcs = virHashCreate(10, NULL)))
goto error;
@@ -508,6 +527,7 @@ error:
selabel_close(data->label_handle);
#endif
VIR_FREE(data->domain_context);
+ VIR_FREE(data->alt_domain_context);
VIR_FREE(data->file_context);
VIR_FREE(data->content_context);
virHashFree(data->mcs);
@@ -538,6 +558,7 @@ virSecuritySELinuxGenSecurityLabel(virSecurityManagerPtr mgr,
const char *range;
virSecurityLabelDefPtr seclabel;
virSecuritySELinuxDataPtr data;
+ const char *baselabel;
if (mgr == NULL) {
virReportError(VIR_ERR_INTERNAL_ERROR,
@@ -600,10 +621,28 @@ virSecuritySELinuxGenSecurityLabel(virSecurityManagerPtr mgr,
if (virSecuritySELinuxMCSAdd(mgr, mcs) < 0)
goto cleanup;
+ baselabel = seclabel->baselabel;
+ if (!baselabel) {
+ if (def->virtType == VIR_DOMAIN_VIRT_QEMU) {
+ if (data->alt_domain_context == NULL) {
+ static bool warned = false;
+ if (!warned) {
+ VIR_WARN("SELinux policy does not define a domain type for QEMU TCG. "
+ "Guest startup may be denied due to missing 'execmem' privilege "
+ "unless the 'virt_use_execmem' policy boolean is enabled");
+ warned = true;
+ }
+ baselabel = data->domain_context;
+ } else {
+ baselabel = data->alt_domain_context;
+ }
+ } else {
+ baselabel = data->domain_context;
+ }
+ }
+
seclabel->label =
- virSecuritySELinuxGenNewContext(seclabel->baselabel ?
- seclabel->baselabel :
- data->domain_context, mcs, false);
+ virSecuritySELinuxGenNewContext(baselabel, mcs, false);
if (!seclabel->label) {
virReportError(VIR_ERR_INTERNAL_ERROR,
_("cannot generate selinux context for %s"), mcs);
@@ -758,6 +797,7 @@ virSecuritySELinuxSecurityDriverClose(virSecurityManagerPtr mgr)
virHashFree(data->mcs);
VIR_FREE(data->domain_context);
+ VIR_FREE(data->alt_domain_context);
VIR_FREE(data->file_context);
VIR_FREE(data->content_context);
--
1.8.1

27
libvirt.spec
View File

@ -334,7 +334,7 @@
Summary: Library providing a simple virtualization API Summary: Library providing a simple virtualization API
Name: libvirt Name: libvirt
Version: 0.10.2.3 Version: 0.10.2.4
Release: 1%{?dist}%{?extra_release} Release: 1%{?dist}%{?extra_release}
License: LGPLv2+ License: LGPLv2+
Group: Development/Libraries Group: Development/Libraries
@ -345,18 +345,16 @@ URL: http://libvirt.org/
%define mainturl stable_updates/ %define mainturl stable_updates/
%endif %endif
Source: http://libvirt.org/sources/%{?mainturl}libvirt-%{version}.tar.gz Source: http://libvirt.org/sources/%{?mainturl}libvirt-%{version}.tar.gz
# Fix qemu -> qemu-system-i386 (RHBZ#857026).
# Fix qemu -> qemu-system-i386 (bz #857026).
# keep: This patch is Fedora-specific and not upstream. # keep: This patch is Fedora-specific and not upstream.
Patch1: 0001-Use-qemu-system-i386-as-binary-instead-of-qemu.patch Patch1: 0001-Use-qemu-system-i386-as-binary-instead-of-qemu.patch
# Cleanly save session VMs on logout/shutdown (bz 872254) # Cleanly save session VMs on logout/shutdown (bz #872254)
# keep: Fixed upstream, but using patches not suitable for stable # keep: Fixed upstream, but using patches not suitable for stable
Patch2: libvirt-dbus.patch Patch2: libvirt-dbus.patch
# Cleanly save session VMs on logout/shutdown (bz 872254) # Cleanly save session VMs on logout/shutdown (bz #872254)
# keep: Fixed upstream, but using patches not suitable for stable # keep: Fixed upstream, but using patches not suitable for stable
Patch3: libvirt-save-with-session.patch Patch3: libvirt-save-with-session.patch
# Fix selinux denials when launching non-kvm qemu guests (bz 885837)
# keep: missed stable release
Patch4: 0002-Support-custom-svirt_tcg_t-context-for-TCG-based-gue.patch
%if %{with_libvirtd} %if %{with_libvirtd}
@ -1075,10 +1073,16 @@ of recent versions of Linux (and other OSes).
%prep %prep
%setup -q %setup -q
# Fix qemu -> qemu-system-i386 (bz #857026).
# keep: This patch is Fedora-specific and not upstream.
%patch1 -p1 %patch1 -p1
# Cleanly save session VMs on logout/shutdown (bz #872254)
# keep: Fixed upstream, but using patches not suitable for stable
%patch2 -p1 %patch2 -p1
# Cleanly save session VMs on logout/shutdown (bz #872254)
# keep: Fixed upstream, but using patches not suitable for stable
%patch3 -p1 %patch3 -p1
%patch4 -p1
%build %build
%if ! %{with_xen} %if ! %{with_xen}
@ -1954,6 +1958,13 @@ fi
%endif %endif
%changelog %changelog
* Mon Apr 01 2013 Cole Robinson <crobinso@redhat.com> - 0.10.2.4-1
- Rebased to version 0.10.2.4
- Fix 'Cannot parse sensitivity level in s0' error (bz #902103)
- Fix updating NIC that has boot order set (bz #906446)
- Fix virsh list for vmware ESX (bz #910702)
- Fix libxl disk backend default (bz #912488)
* Mon Jan 28 2013 Cole Robinson <crobinso@redhat.com> - 0.10.2.3-1 * Mon Jan 28 2013 Cole Robinson <crobinso@redhat.com> - 0.10.2.3-1
- Rebased to version 0.10.2.3 - Rebased to version 0.10.2.3
- Fix libxl driver to build against xen 4.2 (bz #870689) - Fix libxl driver to build against xen 4.2 (bz #870689)

2
sources
View File

@ -1 +1 @@
8ffff74a7e6674c782fec06c94c3381b libvirt-0.10.2.3.tar.gz 11d9f42c831751bec5ef8e5d87dc2bba libvirt-0.10.2.4.tar.gz