On 03/12/2013 03:06 PM, Eric Blake wrote:
On 03/12/2013 11:28 AM, Daniel P. Berrange wrote:
> From: "Daniel P. Berrange" <berrange(a)redhat.com>
>
> Add a new virDomainLxcEnterSecurityLabel() function as a counterpart to
> virDomainLxcEnterNamespaces(), which can change the current calling
> process to have a new security context. This call runs client side, not
> in libvirtd so we can't use the security driver infrastructure.
>
> When entering a namespace, the process spawned from virsh will default to
> running with the security label of virsh. The actual desired behaviour is
> to run with the security label of the container most of the time. So this
> changes virsh lxc-enter-namespace command to invoke the
> virDomainLxcEnterSecurityLabel method.
>
> include/libvirt/libvirt-lxc.h |  4 ++
> python/generator.py           |  1 +
> src/libvirt-lxc.c             | 96 +++++++++++++++++++++++++++++++++++++++++++
> tools/virsh-domain.c          | 32 +++++++++++++++
> 4 files changed, 133 insertions(+)
Missing an entry in src/libvirt_lxc.syms to actually expose the new
function in the .so.
> +++ b/src/libvirt-lxc.c @@ -29,6 +29,9 @@ #include "virlog.h" #include
> "virprocess.h" #include "datatypes.h" +#ifdef WITH_SELINUX
+#include
> <selinux/selinux.h> +#endif
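Review bot: the added "#include <selinux/selinux.h>" sits inside "#ifdef WITH_SELINUX" without nesting indentation, which is the form cppi rejects. Write the nested directive as "# include <selinux/selinux.h>" (one space after the "#") so the conditional nesting is visible and the syntax check passes.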
Will fail 'make syntax-check' if cppi is installed.
> @@ -8029,12 +8036,35 @@ cmdLxcEnterNamespace(vshControl *ctl, const
> vshCmd *cmd) if ((nfdlist = virDomainLxcOpenNamespace(dom, &fdlist, 0)) <
> 0) goto cleanup;
>
> + if (setlabel) { + fprintf(stderr, "Getr sec\n");
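Review bot: the first statement in the new "if (setlabel)" block, fprintf(stderr, "Getr sec\n"), is leftover debugging output that writes a misspelled string straight to stderr on every labelled run. Drop it before merging, or if a diagnostic is wanted there, emit it through virsh's own message helpers rather than a bare fprintf.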
Spurious debug message?
ACK with those things addressed.

Here is my current patch for this, with a fix for the syms file.