
On 07/30/2015 06:00 PM, Daniel P. Berrange wrote:
On Thu, Jul 23, 2015 at 06:13:47PM +0800, Luyao Huang wrote:
A new API to help set/restore the shmem device dac/selinux label.
Signed-off-by: Luyao Huang <lhuang@redhat.com> --- src/libvirt_private.syms | 2 ++ src/security/security_dac.c | 67 +++++++++++++++++++++++++++++++++++++++ src/security/security_driver.h | 11 +++++++ src/security/security_manager.c | 38 ++++++++++++++++++++++ src/security/security_manager.h | 8 +++++ src/security/security_selinux.c | 70 +++++++++++++++++++++++++++++++++++++++++ src/security/security_stack.c | 41 ++++++++++++++++++++++++ 7 files changed, 237 insertions(+)
diff --git a/src/security/security_dac.c b/src/security/security_dac.c index deb6980..f954aa5 100644 --- a/src/security/security_dac.c +++ b/src/security/security_dac.c @@ -1433,4 +1497,7 @@ virSecurityDriver virSecurityDriverDAC = { .domainGetSecurityMountOptions = virSecurityDACGetMountOptions,
.getBaseLabel = virSecurityDACGetBaseLabel, + + .domainSetSecurityShmemLabel = virSecurityDACSetShmemLabel, + .domainRestoreSecurityShmemLabel = virSecurityDACRestoreShmemLabel, NB, you should also be modifying the virSecurityDACRestoreSecurityAllLabel and virSecurityDACSetSecurityAllLabel methods to call this code during
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c index 6e67a86..cbf89ee 100644 --- a/src/security/security_selinux.c +++ b/src/security/security_selinux.c @@ -2549,4 +2616,7 @@ virSecurityDriver virSecurityDriverSELinux = {
.domainGetSecurityMountOptions = virSecuritySELinuxGetSecurityMountOptions, .getBaseLabel = virSecuritySELinuxGetBaseLabel, + + .domainSetSecurityShmemLabel = virSecuritySELinuxSetShmemLabel, + .domainRestoreSecurityShmemLabel = virSecuritySELinuxRestoreShmemLabel, }; Likewise virSecuritySELinuxRestoreSecurityAllLabel and virSecuritySELinuxSetSecurityAllLabel
Doing this avoids the need to manually call these shmem specific security methods during general guest startup/shutdown. They only need to be called manually during hotplug/unplug.
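Review bot: the two new members, .domainSetSecurityShmemLabel and .domainRestoreSecurityShmemLabel, are filled in only in virSecurityDriverDAC and virSecurityDriverSELinux, and the diffstat touches no other driver file, so they stay NULL in every other security driver table. The wrappers added in security_manager.c and security_stack.c are not visible in the quoted hunks; they should check the callback for NULL before calling it, so that a host running a different driver gets a clean no-op or an "unsupported" error on the hotplug/unplug path instead of a NULL dereference. A short comment in security_driver.h stating when each callback is expected to run (automatically from the Set/RestoreSecurityAllLabel paths, manually only on hotplug/unplug) would also record the contract described in this review.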
Okay, I see, I move these functions into virSecuritySELinuxRestoreSecurityAllLabel and virSecuritySELinuxSetSecurityAllLabel. Thanks a lot for your review and advice.
Regards, Daniel
Luyao