xenbits.xensource.com Git - libvirt.git/commit
Ensure sanlock socket is labelled with the VM process label
author Daniel P. Berrange <berrange@redhat.com>
Fri, 24 Jun 2011 14:14:41 +0000 (15:14 +0100)
committer Daniel P. Berrange <berrange@redhat.com>
Tue, 28 Jun 2011 15:41:46 +0000 (16:41 +0100)
commit 5247b0695a1914e16d1b6333aff6038c0bd578dc
tree 28d0783556a2a624bd7ffc30fc0179e538733ee2
parent 8e3c6fbbe610ddc6401734cc3230b48785f25df0
Ensure sanlock socket is labelled with the VM process label

The libvirt sanlock plugin is intentionally leaking a file
descriptor to QEMU. To enable QEMU to use this FD under
SELinux, it must be labelled correctly. We don't want to use
the svirt_image_t for this, since QEMU must not be allowed
to actually use the FD. So instead we label it with svirt_t
using virSecurityManagerSetProcessFDLabel

* src/locking/domain_lock.c, src/locking/domain_lock.h,
  src/locking/lock_driver.h, src/locking/lock_driver_nop.c,
  src/locking/lock_driver_sanlock.c, src/locking/lock_manager.c,
  src/locking/lock_manager.h: Optionally pass an FD back to
  the hypervisor for security driver labelling
* src/qemu/qemu_process.c: label the lock manager plugin
  FD with the process label
src/locking/domain_lock.c
src/locking/domain_lock.h
src/locking/lock_driver.h
src/locking/lock_driver_nop.c
src/locking/lock_driver_sanlock.c
src/locking/lock_manager.c
src/locking/lock_manager.h
src/qemu/qemu_process.c