[libvirt] [PATCH] Qemu fails to restore when guest has selinux static context

The file handle passed from libvirt to qemu is not set to the context of the guest. So, set the selinux context of fd before passing it to qemu Signed-off-by: Shivaprasad G Bhat<sbhat@linux.vnet.ibm.com> --- src/qemu/qemu_driver.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c index 4bb4819..8cf3666 100644 --- a/src/qemu/qemu_driver.c +++ b/src/qemu/qemu_driver.c @@ -5522,6 +5522,9 @@ qemuDomainRestoreFlags(virConnectPtr conn, goto cleanup; def = NULL; + if (virSecurityManagerSetImageFDLabel(driver->securityManager, vm->def, fd) < 0) + goto cleanup; + if (qemuDomainObjBeginJob(driver, vm, QEMU_JOB_MODIFY) < 0) goto cleanup;
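Review bot: The new virSecurityManagerSetImageFDLabel() call, placed between `def = NULL;` and qemuDomainObjBeginJob(), relabels fd unconditionally and only in qemuDomainRestoreFlags(), so any other code path that hands a restore fd to QEMU stays unlabelled and the fix would have to be repeated per caller. Consider applying the label at the common point where the fd is passed to QEMU, and state in the commit message which kind of fd (regular file or pipe) and which label configuration reproduces the failure. Nothing in the visible lines undoes the label if the following qemuDomainObjBeginJob() fails and jumps to cleanup; confirm the cleanup path covers that case or note why leaving the guest's context on the fd is acceptable.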

On Tue, Apr 08, 2014 at 09:11:33AM -0400, Shivaprasad G Bhat wrote:
The file handle passed from libvirt to qemu is not set to the context of the guest. So, set the selinux context of fd before passing it to qemu
Signed-off-by: Shivaprasad G Bhat<sbhat@linux.vnet.ibm.com> --- src/qemu/qemu_driver.c | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c index 4bb4819..8cf3666 100644 --- a/src/qemu/qemu_driver.c +++ b/src/qemu/qemu_driver.c @@ -5522,6 +5522,9 @@ qemuDomainRestoreFlags(virConnectPtr conn, goto cleanup; def = NULL;
+ if (virSecurityManagerSetImageFDLabel(driver->securityManager, vm->def, fd) < 0) + goto cleanup; + if (qemuDomainObjBeginJob(driver, vm, QEMU_JOB_MODIFY) < 0) goto cleanup;
What is the particular problem you are trying to fix, how do you reproduce the issue?

Have a look at 'git log --format=oneline', for example, to see how to format commit message subject. In most cases we tend to describe the change being done, not a problem that exists (and shouldn't after the commit is applied). I'd suggest using "qemu: Properly label FDs when restoring domain with static label" for example.

You are duplicating the code we have in place already, just the condition is wrong probably (see qemuProcessStart(), virSecurityManagerSetImageFDLabel() is called when there is stdin_fd (the same fd you have in qemuDomainRestore{,Flags}) and it's a pipe (that's probably the root cause)).

Fixing it there will make it work in qemuDomainRestore() as well as qemuDomainRestoreFlags() and any other function we will call qemuProcessStart() in.

Martin

Thanks Martin. I'll send out the v2 addressing your comments.

Thanks and Regards,
Shiva

On Thu, Apr 17, 2014 at 7:50 PM, Martin Kletzander <mkletzan@redhat.com> wrote:
On Tue, Apr 08, 2014 at 09:11:33AM -0400, Shivaprasad G Bhat wrote:
The file handle passed from libvirt to qemu is not set to the context of the guest. So, set the selinux context of fd before passing it to qemu
Signed-off-by: Shivaprasad G Bhat<sbhat@linux.vnet.ibm.com> --- src/qemu/qemu_driver.c | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c index 4bb4819..8cf3666 100644 --- a/src/qemu/qemu_driver.c +++ b/src/qemu/qemu_driver.c @@ -5522,6 +5522,9 @@ qemuDomainRestoreFlags(virConnectPtr conn, goto cleanup; def = NULL;
+ if (virSecurityManagerSetImageFDLabel(driver->securityManager, vm->def, fd) < 0) + goto cleanup; + if (qemuDomainObjBeginJob(driver, vm, QEMU_JOB_MODIFY) < 0) goto cleanup;
What is the particular problem you are trying to fix, how do you reproduce the issue?
Have a look at 'git log --format=oneline', for example, to see how to format commit message subject. In most cases we tend to describe the change being done, not a problem that exists (and shouldn't after the commit is applied). I'd suggest using "qemu: Properly label FDs when restoring domain with static label" for example.
You are duplicating the code we have in place already, just the condition is wrong probably (see qemuProcessStart(), virSecurityManagerSetImageFDLabel() is called when there is stdin_fd (the same fd you have in qemuDomainRestore{,Flags}) and it's a pipe (that's probably the root cause)).
Fixing it there will make it work in qemuDomainRestore() as well as qemuDomainRestoreFlags() and any other function we will call qemuProcessStart() in.
Martin
participants (3)
- Martin Kletzander
- Shivaprasad bhat
- Shivaprasad G Bhat