On Thu, Nov 18, 2010 at 03:37:07PM +0000, Daniel P. Berrange wrote:
On Thu, Nov 18, 2010 at 04:26:55PM +0100, Daniel Veillard wrote:
The code in SELinuxRestoreSecurityChardevLabel() was trying to use SELinuxSetFilecon directly for devices or file types while it should really use SELinuxRestoreSecurityFileLabel encapsulating routine, which avoid various problems like resolving symlinks, making sure he file exists and work around NFS problems
Daniel
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c index 936a1a6..996177a 100644 --- a/src/security/security_selinux.c +++ b/src/security/security_selinux.c @@ -694,9 +694,10 @@ SELinuxRestoreSecurityChardevLabel(virDomainObjPtr vm, switch (dev->type) { case VIR_DOMAIN_CHR_TYPE_DEV: case VIR_DOMAIN_CHR_TYPE_FILE: - ret = SELinuxSetFilecon(dev->data.file.path, secdef->imagelabel); + if (SELinuxRestoreSecurityFileLabel(dev->data.file.path) < 0) + goto done; + ret = 0; break; - case VIR_DOMAIN_CHR_TYPE_PIPE: if ((virAsprintf(&out, "%s.out", dev->data.file.path) < 0) || (virAsprintf(&in, "%s.in", dev->data.file.path) < 0)) {
ACK
okay, thanks, pushed ! Daniel -- Daniel Veillard | libxml Gnome XML XSLT toolkit http://xmlsoft.org/ daniel@veillard.com | Rpmfind RPM search engine http://rpmfind.net/ http://veillard.com/ | virtualization library http://libvirt.org/