[libvirt] Problem with the current svirt patch

The current svirt patch relabels all disks to the image_t:MCS, which is incorrect. Read Only Disks and Sharable Disks should not be labeled.

Also when libvirt is completed running the image it needs to relabel the image back to something sane. Right now it is labeling everything imagelabel:s0, including physical disk partitions. I considered two ways of labeling the "disk" back. We can either grab the label when libvirt starts and change it back to this label whenever an image completes or we can ask the system what the label should be (matchpathcon). I originally coded up the first, but quickly realized if anything went wrong with libvirt labeling like a crash, the labels on disk could be wrong. And libvirt would continuously set them to this wrong label. With matchpathcon, libvirt will at least set them to something sane.

So this patch removes labeling of readonly and shared disks and restores the image's label to the system default when the image completes.

I would really like to get this in ASAP, since currently libvirt is relabeling the cdrom to virt_image_t when it is complete as well as physical disks.
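The crash argument in the post above, worked through as an added example: this is a Python model written for this page, not libvirt code and not part of the original post. `default_context()` stands in for matchpathcon(), and the paths, the file-contexts table and the guest label are constructed sample values.

```python
import re

# Constructed stand-in for the file-contexts table that matchpathcon()
# consults; the patterns and types are sample values, first match wins.
FILE_CONTEXTS = [
    (r"/var/lib/libvirt/images/.*", "system_u:object_r:virt_image_t:s0"),
    (r"/dev/sr[0-9]+", "system_u:object_r:removable_device_t:s0"),
]
GUEST_LABEL = "system_u:object_r:svirt_image_t:s0:c10,c20"  # constructed

def default_context(path):
    """Model of matchpathcon(): the label policy assigns to this path."""
    for pattern, context in FILE_CONTEXTS:
        if re.fullmatch(pattern, path):
            return context
    return "system_u:object_r:default_t:s0"

def private_disks(disks):
    # Read-only and shareable disks are never relabelled.
    return [d for d in disks if not (d["readonly"] or d["shared"])]

def start_guest(labels, disks, saved):
    """Apply the guest label, recording the previous label (approach 1)."""
    for d in private_disks(disks):
        saved[d["path"]] = labels[d["path"]]
        labels[d["path"]] = GUEST_LABEL

def stop_guest(labels, disks, saved=None):
    """Restore from saved labels if given, else from the policy default."""
    for d in private_disks(disks):
        path = d["path"]
        labels[path] = saved[path] if saved is not None else default_context(path)

def crash_then_restore():
    disks = [
        {"path": "/var/lib/libvirt/images/vm1.img", "readonly": False, "shared": False},
        {"path": "/dev/sr0", "readonly": True, "shared": False},
    ]
    labels = {d["path"]: default_context(d["path"]) for d in disks}
    start_guest(labels, disks, saved={})  # run 1: daemon crashes, no restore
    saved = {}
    start_guest(labels, disks, saved)     # run 2: records the stale guest label
    by_saved, by_policy = dict(labels), dict(labels)
    stop_guest(by_saved, disks, saved)
    stop_guest(by_policy, disks)
    return by_saved, by_policy

if __name__ == "__main__":
    for result in crash_then_restore():
        print(result)
```

After the simulated crash, restoring from the saved label leaves the image carrying the previous guest's label, while the policy lookup returns it to the default; the read-only cdrom is untouched in both cases.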

On Fri, Mar 13, 2009 at 11:03:26AM -0400, Daniel J Walsh wrote:
> The current svirt patch relabels all disks to the image_t:MCS, which is incorrect. Read Only Disks and Sharable Disks should not be labeled.
> Also when libvirt is completed running the image it needs to relabel the image back to something sane. Right now it is labeling everything imagelabel:s0, including physical disk partitions. I considered two ways of labeling the "disk" back. We can either grab the label when libvirt starts and change it back to this label whenever an image completes or we can ask the system what the label should be (matchpathcon). I originally coded up the first, but quickly realized if anything went wrong with libvirt labeling like a crash, the labels on disk could be wrong. And libvirt would continuously set them to this wrong label. With matchpathcon, libvirt will at least set them to something sane.
> So this patch removes labeling of readonly and shared disks and restores the image's label to the system default when the image completes.
> I would really like to get this in ASAP, since currently libvirt is relabeling the cdrom to virt_image_t when it is complete as well as physical disks.

ACK this all looks sane to me.

Daniel
--
|: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|

On 03/13/2009 11:45 AM, Daniel P. Berrange wrote:
> On Fri, Mar 13, 2009 at 11:03:26AM -0400, Daniel J Walsh wrote:
> > The current svirt patch relabels all disks to the image_t:MCS, which is incorrect. Read Only Disks and Sharable Disks should not be labeled.
> > Also when libvirt is completed running the image it needs to relabel the image back to something sane. Right now it is labeling everything imagelabel:s0, including physical disk partitions. I considered two ways of labeling the "disk" back. We can either grab the label when libvirt starts and change it back to this label whenever an image completes or we can ask the system what the label should be (matchpathcon). I originally coded up the first, but quickly realized if anything went wrong with libvirt labeling like a crash, the labels on disk could be wrong. And libvirt would continuously set them to this wrong label. With matchpathcon, libvirt will at least set them to something sane.
> > So this patch removes labeling of readonly and shared disks and restores the image's label to the system default when the image completes.
> > I would really like to get this in ASAP, since currently libvirt is relabeling the cdrom to virt_image_t when it is complete as well as physical disks.
> ACK this all looks sane to me.
> Daniel

Is this going to be merged in?

On Mon, Mar 16, 2009 at 02:30:24PM -0400, Daniel J Walsh wrote:
> On 03/13/2009 11:45 AM, Daniel P. Berrange wrote:
> > On Fri, Mar 13, 2009 at 11:03:26AM -0400, Daniel J Walsh wrote:
> > > The current svirt patch relabels all disks to the image_t:MCS, which is incorrect. Read Only Disks and Sharable Disks should not be labeled.
> > > Also when libvirt is completed running the image it needs to relabel the image back to something sane. Right now it is labeling everything imagelabel:s0, including physical disk partitions. I considered two ways of labeling the "disk" back. We can either grab the label when libvirt starts and change it back to this label whenever an image completes or we can ask the system what the label should be (matchpathcon). I originally coded up the first, but quickly realized if anything went wrong with libvirt labeling like a crash, the labels on disk could be wrong. And libvirt would continuously set them to this wrong label. With matchpathcon, libvirt will at least set them to something sane.
> > > So this patch removes labeling of readonly and shared disks and restores the image's label to the system default when the image completes.
> > > I would really like to get this in ASAP, since currently libvirt is relabeling the cdrom to virt_image_t when it is complete as well as physical disks.
> > ACK this all looks sane to me.
> Is this going to be merged in?

Yep, it's on my todo list to test & merge it - should get to it tomorrow

Daniel

On Mon, Mar 16, 2009 at 08:05:26PM +0000, Daniel P. Berrange wrote:
> On Mon, Mar 16, 2009 at 02:30:24PM -0400, Daniel J Walsh wrote:
> > On 03/13/2009 11:45 AM, Daniel P. Berrange wrote:
> > > On Fri, Mar 13, 2009 at 11:03:26AM -0400, Daniel J Walsh wrote:
> > > > The current svirt patch relabels all disks to the image_t:MCS, which is incorrect. Read Only Disks and Sharable Disks should not be labeled.
> > > > Also when libvirt is completed running the image it needs to relabel the image back to something sane. Right now it is labeling everything imagelabel:s0, including physical disk partitions. I considered two ways of labeling the "disk" back. We can either grab the label when libvirt starts and change it back to this label whenever an image completes or we can ask the system what the label should be (matchpathcon). I originally coded up the first, but quickly realized if anything went wrong with libvirt labeling like a crash, the labels on disk could be wrong. And libvirt would continuously set them to this wrong label. With matchpathcon, libvirt will at least set them to something sane.
> > > > So this patch removes labeling of readonly and shared disks and restores the image's label to the system default when the image completes.
> > > > I would really like to get this in ASAP, since currently libvirt is relabeling the cdrom to virt_image_t when it is complete as well as physical disks.
> > > ACK this all looks sane to me.
> > Is this going to be merged in?
> Yep, it's on my todo list to test & merge it - should get to it tomorrow

Ok, I've committed this now with just one small change to use VIR_ALLOC and VIR_FREE, instead of calloc/free.

Regards,
Daniel
participants (2)
- Daniel J Walsh
- Daniel P. Berrange