
On 03/12/2013 11:28 AM, Daniel P. Berrange wrote:
From: "Daniel P. Berrange" <berrange@redhat.com>
Add a new virDomainLxcEnterSecurityLabel() function as a counterpart to virDomainLxcEnterNamespaces(), which can change the current calling process to have a new security context. This call runs client side, not in libvirtd, so we can't use the security driver infrastructure.
When entering a namespace, the process spawned from virsh will default to running with the security label of virsh. The actual desired behaviour is to run with the security label of the container most of the time. So this changes virsh lxc-enter-namespace command to invoke the virDomainLxcEnterSecurityLabel method.
 include/libvirt/libvirt-lxc.h |  4 ++
 python/generator.py           |  1 +
 src/libvirt-lxc.c             | 96 +++++++++++++++++++++++++++++++++++++++++++
 tools/virsh-domain.c          | 32 +++++++++++++++
 4 files changed, 133 insertions(+)
Missing an entry in src/libvirt_lxc.syms to actually expose the new function in the .so.
+++ b/src/libvirt-lxc.c @@ -29,6 +29,9 @@ #include "virlog.h" #include "virprocess.h" #include "datatypes.h" +#ifdef WITH_SELINUX +#include <selinux/selinux.h> +#endif
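Review bot: the `#include <selinux/selinux.h>` nested inside `#ifdef WITH_SELINUX` in this hunk is written flush-left; with cppi wired into the syntax-check, nested preprocessor directives must be indented one space after the `#` (`# include <selinux/selinux.h>`), otherwise `make syntax-check` fails on this file.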
Will fail 'make syntax-check' if cppi is installed.
@@ -8029,12 +8036,35 @@ cmdLxcEnterNamespace(vshControl *ctl, const vshCmd *cmd) if ((nfdlist = virDomainLxcOpenNamespace(dom, &fdlist, 0)) < 0) goto cleanup;
+ if (setlabel) { + fprintf(stderr, "Getr sec\n");
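Review bot: the `fprintf(stderr, "Getr sec\n")` added inside `if (setlabel)` in cmdLxcEnterNamespace looks like leftover debugging: it writes a misspelled, unlocalized message straight to stderr on every lxc-enter-namespace invocation that sets a label, bypassing virsh's own error and debug reporting. Drop the line before this goes in.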
Spurious debug message?

ACK with those things addressed.

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org