2:49 a.m.
Hi,
these patches are a work in progress and apply on top of the two recent patches
from Marcelo.
Jiri Denemark (2):
Fix seclabels parsing
Format seclabels in a compatible way
src/conf/domain_conf.c | 41 +++++++++++++++++++++++++----------------
1 file changed, 25 insertions(+), 16 deletions(-)
--
1.7.12
2:49 a.m.
New subject: [libvirt] [PATCH 1/2] Fix seclabels parsing
---
src/conf/domain_conf.c | 39 ++++++++++++++++++++++++---------------
1 file changed, 24 insertions(+), 15 deletions(-)
diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
index 3819ed9..1394297 100644
--- a/src/conf/domain_conf.c
+++ b/src/conf/domain_conf.c
@@ -3161,27 +3161,36 @@ virSecurityLabelDefsParseXML(virDomainDefPtr def,
* defined in host's capabilities is used as model for the seclabel.
*/
if (def->nseclabels == 1 &&
- def->seclabels[0]->model == NULL &&
- def->seclabels[0]->type != VIR_DOMAIN_SECLABEL_STATIC &&
- def->seclabels[0]->baselabel == NULL &&
- (flags & VIR_DOMAIN_XML_INACTIVE) &&
+ !def->seclabels[0]->model &&
host->nsecModels > 0) {
-
- /* Copy model from host. */
- def->seclabels[0]->model = strdup(host->secModels[0].model);
- if (def->seclabels[0]->model == NULL) {
- virReportOOMError();
+ if (def->seclabels[0]->type == VIR_DOMAIN_SECLABEL_NONE ||
+ (def->seclabels[0]->type == VIR_DOMAIN_SECLABEL_DYNAMIC &&
+ !def->seclabels[0]->baselabel &&
+ (flags & VIR_DOMAIN_XML_INACTIVE))) {
+ /* Copy model from host. */
+ VIR_DEBUG("Found seclabel without a model, using '%s'",
+ host->secModels[0].model);
+ def->seclabels[0]->model = strdup(host->secModels[0].model);
+ if (!def->seclabels[0]->model) {
+ virReportOOMError();
+ goto error;
+ }
+ } else {
+ virReportError(VIR_ERR_XML_ERROR, "%s",
+ _("missing security model in domain seclabel"));
goto error;
}
}
/* Checking missing model information */
- for(; n; n--) {
- if (def->seclabels[n - 1]->model == NULL) {
- virReportError(VIR_ERR_XML_ERROR, "%s",
- _("missing security model "
- "when using multiple labels"));
- goto error;
+ if (def->nseclabels > 1) {
+ for(; n; n--) {
+ if (def->seclabels[n - 1]->model == NULL) {
+ virReportError(VIR_ERR_XML_ERROR, "%s",
+ _("missing security model "
+ "when using multiple labels"));
+ goto error;
+ }
}
}
--
1.7.12
2:49 a.m.
New subject: [libvirt] [PATCH 2/2] Format seclabels in a compatible way
---
src/conf/domain_conf.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
index 1394297..49327df 100644
--- a/src/conf/domain_conf.c
+++ b/src/conf/domain_conf.c
@@ -11253,7 +11253,7 @@ virSecurityLabelDefFormat(virBufferPtr buf, virSecurityLabelDefPtr
def)
virBufferAsprintf(buf, "<seclabel type='%s'",
sectype);
- if (def->model)
+ if (def->model && STRNEQ(def->model, "none"))
virBufferEscapeString(buf, " model='%s'", def->model);
if (def->type == VIR_DOMAIN_SECLABEL_NONE) {
--
1.7.12
6:20 a.m.
On Fri, Aug 31, 2012 at 09:49:40 +0200, Jiri Denemark wrote:
Hi,
these patches are a work in progress and apply on top of the two recent patches
from Marcelo.
Jiri Denemark (2):
Fix seclabels parsing
Format seclabels in a compatible way
src/conf/domain_conf.c | 41 +++++++++++++++++++++++++----------------
1 file changed, 25 insertions(+), 16 deletions(-)
Looks like testing confirms that basic functionality works, libvirtd can be
restarted without losing domains and domain can be migrated to older libvirtd.
There are still some issues with the new security driver, e.g., adding
<seclabel type='none'/> does not really disable selinux labeling if selinux
driver is enabled, but these additional issues can be fixed for the next
release after additional testing. I'll repost the Marcelo's patches with these
additional fixes squashed in.
Jirka
4469
days inactive
4469
days old
3 comments
1 participants
participants (1)
-
Jiri Denemark