Red Hat Bugzilla – Attachment 661371 Details for
Bug 853393
libvirt doesn't label console, serial sockets
[patch]
0001-launch-libvirt-Label-sockets-with-guestfs_socket_t-R.patch
0001-launch-libvirt-Label-sockets-with-guestfs_socket_t-R.patch (text/plain), 3.82 KB, created by
Richard W.M. Jones
on 2012-12-11 11:04:47 UTC
Description:
0001-launch-libvirt-Label-sockets-with-guestfs_socket_t-R.patch
Creator:
Richard W.M. Jones
Created:
2012-12-11 11:04:47 UTC
Size:
3.82 KB
>From 58a940a38b42d495dfeabab05a5e6f1ddcd3305d Mon Sep 17 00:00:00 2001
>From: "Richard W.M. Jones" <rjones@redhat.com>
>Date: Tue, 11 Dec 2012 10:40:42 +0000
>Subject: [PATCH] launch: libvirt: Label sockets with guestfs_socket_t
> (RHBZ#853393).
>
>---
> src/launch-libvirt.c | 79 ++++++++++++++++++++++++++++++++++++++++++++++++++++
> 1 file changed, 79 insertions(+)
>
>diff --git a/src/launch-libvirt.c b/src/launch-libvirt.c
>index c8838b6..baa42de 100644
>--- a/src/launch-libvirt.c
>+++ b/src/launch-libvirt.c
>@@ -45,6 +45,11 @@
> #include <libxml/xmlsave.h>
> #endif
>
>+#if HAVE_LIBSELINUX
>+#include <selinux/selinux.h>
>+#include <selinux/context.h>
>+#endif
>+
> #include "glthread/lock.h"
>
> #include "guestfs.h"
>@@ -130,6 +135,8 @@ static void ignore_errors (void *ignore, virErrorPtr ignore2);
> static char *make_qcow2_overlay (guestfs_h *g, const char *path, const char *format);
> static int make_qcow2_overlay_for_drive (guestfs_h *g, struct drive *drv);
> static void drive_free_priv (void *);
>+static void set_socket_create_context (guestfs_h *g);
>+static void clear_socket_create_context (guestfs_h *g);
>
> static int
> launch_libvirt (guestfs_h *g, const char *libvirt_uri)
>@@ -234,6 +241,8 @@ launch_libvirt (guestfs_h *g, const char *libvirt_uri)
> "%s/guestfsd.sock", g->tmpdir);
> unlink (params.guestfsd_sock);
>
>+ set_socket_create_context (g);
>+
> g->sock = socket (AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC, 0);
> if (g->sock == -1) {
> perrorf (g, "socket");
>@@ -282,6 +291,8 @@ launch_libvirt (guestfs_h *g, const char *libvirt_uri)
> goto cleanup;
> }
>
>+ clear_socket_create_context (g);
>+
> /* libvirt, if running as root, will run the qemu process as
> * qemu.qemu, which means it won't be able to access the socket.
> * There are roughly three things that get in the way:
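Review bot: The `clear_socket_create_context (g);` call added in the hunk at -282,6 +291,8 (and again at the `cleanup:` label in the hunk at -440,6 +451,8) resets the thread's socket-creation context to the default with `setsockcreatecon (NULL)` rather than restoring the value that was in effect before launch. An application that had set its own sockcreate context on this thread before calling into the library would lose it, and the `cleanup:` call presumably also runs for failures that occur before `set_socket_create_context` was ever reached. Consider saving the previous value with `getsockcreatecon (&prev)` when setting and restoring it with `setsockcreatecon (prev); freecon (prev);`, or at minimum document the side effect with a comment such as `/* NB: this resets any sockcreate context the caller had set on this thread. */`. The body of launch_libvirt extends beyond both hunks, so any `return` between the set and clear calls that does not go through `cleanup:` should be checked, since it would leave `guestfs_socket_t` applied to every socket the thread creates afterwards.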
>@@ -440,6 +451,8 @@ launch_libvirt (guestfs_h *g, const char *libvirt_uri)
> return 0;
>
> cleanup:
>+ clear_socket_create_context (g);
>+
> if (console >= 0)
> close (console);
> if (g->fd[0] >= 0) {
>@@ -480,6 +493,72 @@ is_custom_qemu (guestfs_h *g)
> return g->qemu && STRNEQ (g->qemu, QEMU);
> }
>
>+#if HAVE_LIBSELINUX
>+
>+/* Set SELinux socket create context. For details see:
>+ * https://bugzilla.redhat.com/show_bug.cgi?id=853393#c14
>+ *
>+ * Note that setsockcreatecon sets the per-thread socket creation
>+ * context (/proc/self/task/<tid>/attr/sockcreate) so this is
>+ * thread-safe.
>+ */
>+static void
>+set_socket_create_context (guestfs_h *g)
>+{
>+ security_context_t scon; /* this is actually a 'char *' */
>+ context_t con;
>+
>+ if (getcon (&scon) == -1) {
>+ debug (g, "%s: getcon failed: %m", __func__);
>+ return;
>+ }
>+
>+ con = context_new (scon);
>+ if (!con) {
>+ debug (g, "%s: context_new failed: %m", __func__);
>+ goto out1;
>+ }
>+
>+ if (context_type_set (con, "guestfs_socket_t") == -1) {
>+ debug (g, "%s: context_type_set failed: %m", __func__);
>+ goto out2;
>+ }
>+
>+ if (setsockcreatecon (context_str (con)) == -1) {
>+ debug (g, "%s: setsockcreatecon (%s) failed: %m",
>+ __func__, context_str (con));
>+ goto out2;
>+ }
>+
>+ out2:
>+ context_free (con);
>+ out1:
>+ freecon (scon);
>+}
>+
>+static void
>+clear_socket_create_context (guestfs_h *g)
>+{
>+ if (setsockcreatecon (NULL) == -1)
>+ debug (g, "%s: setsockcreatecon (NULL) failed: %m", __func__);
>+}
>+
>+#else /* !HAVE_LIBSELINUX */
>+
>+static void
>+set_socket_create_context (guestfs_h *g)
>+{
>+ /* nothing */
>+}
>+
>+static void
>+clear_socket_create_context (guestfs_h *g)
>+{
>+ /* nothing */
>+}
>+
>+#endif /* !HAVE_LIBSELINUX */
>+
> static int construct_libvirt_xml_name (guestfs_h *g, const struct libvirt_xml_params *params, xmlTextWriterPtr xo);
> static int construct_libvirt_xml_cpu (guestfs_h *g, const struct libvirt_xml_params *params, xmlTextWriterPtr xo);
> static int construct_libvirt_xml_boot (guestfs_h *g, const struct libvirt_xml_params *params, xmlTextWriterPtr xo);
>--
>1.8.0.1
>
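Review bot: In `set_socket_create_context`, the result of `context_str (con)` is passed straight to `setsockcreatecon` without a NULL check. `context_str` returns NULL on failure and `setsockcreatecon (NULL)` means "reset to default", so that failure would succeed silently and the sockets would be created without the `guestfs_socket_t` label. Fetch the string once and check it, e.g. `const char *str = context_str (con);` followed by `if (!str) { debug (g, "%s: context_str failed: %m", __func__); goto out2; }`, then call `setsockcreatecon (str)`. Because the function returns void and reports only through `debug`, a labelling failure on an enforcing host will presumably surface later as qemu being unable to use the socket; a comment stating that this is deliberately best-effort, and possibly an `is_selinux_enabled ()` guard to separate the expected non-SELinux case from a real failure, would help whoever has to diagnose it. The final `goto out2;` directly above the `out2:` label is redundant.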
Attachments on
bug 853393
:
617530
| 661371