
On 03/12/2013 03:06 PM, Eric Blake wrote:
On 03/12/2013 11:28 AM, Daniel P. Berrange wrote:
From: "Daniel P. Berrange" <berrange@redhat.com>
Add a new virDomainLxcEnterSecurityLabel() function as a counterpart to virDomainLxcEnterNamespaces(), which can change the current calling process to have a new security context. This call runs client side, not in libvirtd so we can't use the security driver infrastructure.
When entering a namespace, the process spawned from virsh will default to running with the security label of virsh. The actual desired behaviour is to run with the security label of the container most of the time. So this changes virsh lxc-enter-namespace command to invoke the virDomainLxcEnterSecurityLabel method.
 include/libvirt/libvirt-lxc.h |  4 ++
 python/generator.py           |  1 +
 src/libvirt-lxc.c             | 96 +++++++++++++++++++++++++++++++++++++++++++
 tools/virsh-domain.c          | 32 +++++++++++++++
 4 files changed, 133 insertions(+)
Missing an entry in src/libvirt_lxc.syms to actually expose the new function in the .so.
+++ b/src/libvirt-lxc.c @@ -29,6 +29,9 @@ #include "virlog.h" #include "virprocess.h" #include "datatypes.h" +#ifdef WITH_SELINUX +#include <selinux/selinux.h> +#endif
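Review bot: the `#include <selinux/selinux.h>` added inside `#ifdef WITH_SELINUX` is written flush left, which is the directive style the cppi check in 'make syntax-check' rejects. Nest it as `# include <selinux/selinux.h>` so the indentation reflects the conditional depth.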
Will fail 'make syntax-check' if cppi is installed.
@@ -8029,12 +8036,35 @@ cmdLxcEnterNamespace(vshControl *ctl, const vshCmd *cmd) if ((nfdlist = virDomainLxcOpenNamespace(dom, &fdlist, 0)) < 0) goto cleanup;
+ if (setlabel) { + fprintf(stderr, "Getr sec\n");
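Review bot: the first statement in the new `if (setlabel)` block, `fprintf(stderr, "Getr sec\n");`, is leftover debugging output (with a typo) that would be written to stderr whenever the label is being set; drop it. Failures inside this block should leave through `goto cleanup`, as the virDomainLxcOpenNamespace call just above does, so that a failed label switch does not fall through to running the command with the label of virsh.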
Spurious debug message?
ACK with those things addressed.
Here is my current patch for this, with a fix for the syms file.