Re: [libvirt] [PATCH 4/7] security: Label parent directories of character devices
On Thu, Aug 13, 2015 at 05:47:42PM +0200, Martin Kletzander wrote:
We are currently unable to label parent directories for some paths.
However, we will need to have per-domain directories that we would like
to have labelled, but we can't label all of them. So let's add a
boolean variable that will determine whether parent directory for such
chardev should be labelled as well as that character device itself.
Signed-off-by: Martin Kletzander <mkletzan(a)redhat.com>
---
src/conf/domain_conf.h | 1 +
src/security/security_dac.c | 13 ++++++++++++-
src/security/security_selinux.c | 13 ++++++++++++-
3 files changed, 25 insertions(+), 2 deletions(-)
diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h
index e1872bca002c..9d549a395e29 100644
--- a/src/conf/domain_conf.h
+++ b/src/conf/domain_conf.h
@@ -1191,6 +1191,7 @@ struct _virDomainChrSourceDef {
} udp;
struct {
char *path;
+ bool autopath;
bool listen;
} nix;
int spicevmc;
I don't think we need this - it seems we can just pass a 'bool labelParent'
parameter into virSecurityManagerSetChardevLabel() when calling it for
the monitor socket.
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|