On 01/26/2011 07:11 AM, Daniel P. Berrange wrote:
On Tue, Jan 25, 2011 at 03:54:12PM -0500, Laine Stump wrote:
> On 01/25/2011 12:49 PM, Daniel P. Berrange wrote:
>> On Tue, Jan 25, 2011 at 04:24:19AM -0500, Laine Stump wrote:
>>> This patch is a partial resolution to the following bug:
>>>
>>> https://bugzilla.redhat.com/show_bug.cgi?id=667756
>>>
>>> (to complete the fix, an updated selinux-policy package is required,
>>> to add the policy that allows libvirt to set the context of a fifo,
>>> which was previously not allowed).
>>>
>>> Explanation : When an incoming migration is over a pipe (for example,
>>> if the image was compressed and is being fed through gzip, or was on a
>>> root-squash nfs server, so needed to be opened by a child process
>>> running as a different uid), qemu cannot read it unless the selinux
>>> context label for the pipe has been set properly.
>>>
>>> The solution is to check the fd used as the source of the migration
>>> just before passing it to qemu; if it's a fifo (implying that it's a
>>> pipe), we call the newly added virSecurityManagerSetFDLabel() function
>>> to set the context properly.
>>> ---
>>> src/qemu/qemu_driver.c | 18 ++++++++++++++++++
>>> 1 files changed, 18 insertions(+), 0 deletions(-)
>
Ok, I see what you mean here. ACK to the original patch
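
The check the commit message describes (label the migration source fd only when it is a fifo), sketched as an added example; this is not code from the patch or from libvirt. The names label_migration_fd, fd_label_fn, record_label and deny_label are hypothetical, the callback stands in for virSecurityManagerSetFDLabel(), and the context string is a constructed placeholder.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical hook standing in for the labelling step. On an SELinux
 * host it could wrap libselinux's fsetfilecon(fd, context) (assumption). */
typedef int (*fd_label_fn)(int fd, const char *context);

/* Returns 1 if fd is a fifo and was labelled, 0 if fd is not a fifo and
 * was left untouched, -1 if fstat() or the labelling call failed. */
int label_migration_fd(int fd, const char *context, fd_label_fn set_label)
{
    struct stat sb;

    if (fstat(fd, &sb) < 0)
        return -1;              /* invalid fd: fail instead of guessing */
    if (!S_ISFIFO(sb.st_mode))
        return 0;               /* regular file, device, ...: no relabel */
    if (set_label(fd, context) < 0)
        return -1;              /* e.g. policy does not allow it yet */
    return 1;
}

/* Constructed stand-ins so the example runs without SELinux. */
static int recorded_fd = -1;
int record_label(int fd, const char *context)
{
    (void)context;
    recorded_fd = fd;           /* remember which fd was labelled */
    return 0;
}
int deny_label(int fd, const char *context)
{
    (void)fd; (void)context;
    errno = EACCES;             /* models a policy denial */
    return -1;
}

int main(void)
{
    const char *ctx = "system_u:object_r:example_t:s0"; /* constructed */
    int p[2], nfd = open("/dev/null", O_RDONLY);

    if (pipe(p) < 0 || nfd < 0)
        return 1;
    printf("pipe:      %d\n", label_migration_fd(p[0], ctx, record_label));
    printf("/dev/null: %d\n", label_migration_fd(nfd, ctx, record_label));
    printf("denied:    %d\n", label_migration_fd(p[0], ctx, deny_label));
    return 0;
}
```

The denied case corresponds to the situation the commit message mentions, where the labelling call is made but the installed policy does not yet permit setting the context of a fifo.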