On Thu, Aug 13, 2015 at 04:59:47PM +0100, Daniel P. Berrange wrote:
On Thu, Aug 13, 2015 at 05:47:42PM +0200, Martin Kletzander wrote:
> We are currently unable to label parent directories for some paths.
> However, we will need to have per-domain directories that we would like
> to have labelled, but we can't label all of them. So let's add a
> boolean variable that will determine whether parent directory for such
> chardev should be labelled as well as that character device itself.
>
> Signed-off-by: Martin Kletzander <mkletzan(a)redhat.com>
> ---
> src/conf/domain_conf.h | 1 +
> src/security/security_dac.c | 13 ++++++++++++-
> src/security/security_selinux.c | 13 ++++++++++++-
> 3 files changed, 25 insertions(+), 2 deletions(-)
>
> diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h
> index e1872bca002c..9d549a395e29 100644
> --- a/src/conf/domain_conf.h
> +++ b/src/conf/domain_conf.h
> @@ -1191,6 +1191,7 @@ struct _virDomainChrSourceDef {
> } udp;
> struct {
> char *path;
> + bool autopath;
> bool listen;
> } nix;
> int spicevmc;
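Review bot: the new `bool autopath;` field in the `nix` struct carries no comment, and its name does not say what it controls; the commit message says it decides whether the parent directory of the socket gets labelled as well, so a comment like `/* whether to label the parent directory as well as the socket */` (or a name such as `labelParent`, as discussed below) would make that clear at the declaration. Per the diffstat only the header and the two security drivers change, so this is internal state rather than something parsed from the domain XML; the comment should say which code is expected to set it.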
I don't think we need this - it seems we can just pass a 'bool labelParent'
parameter into virSecurityManagerSetChardevLabel() when calling it for
the monitor socket.
It's not used only for the monitor socket, but mainly for virtio
channel's target's unix socket as well and maybe more in the future.
But I agree it could be named 'labelParent' as well. Should I resend
it with that changed?