xenbits.xensource.com Git - libvirt.git/commit

author	Eric Blake <eblake@redhat.com>
	Fri, 23 Dec 2011 15:31:51 +0000 (08:31 -0700)
committer	Daniel Veillard <veillard@redhat.com>
	Fri, 30 Dec 2011 02:57:59 +0000 (10:57 +0800)
commit	904e05a292b90de5f6b7ea74199fbea1205cd5bb
tree	4532477e4c723209fb8732130ed4f3b6159f2035	tree
parent	b43432931aef92325920953ff92beabfbe5224c8	commit \| diff

seclabel: honor device override in selinux

This wires up the XML changes in the previous patch to let SELinux
labeling honor user overrides, as well as affecting the live XML
configuration in one case where the user didn't specify anything
in the offline XML.

I noticed that the logs contained messages like this:

2011-12-05 23:32:40.382+0000: 26569: warning : SELinuxRestoreSecurityFileLabel:533 : cannot lookup default selinux label for /nfs/libvirt/images/dom.img

for all my domain images living on NFS. But if we would just remember
that on domain creation that we were unable to set a SELinux label (due to
NFSv3 lacking labels, or NFSv4 not being configured to expose attributes),
then we could avoid wasting the time trying to clear the label on
domain shutdown. This in turn is one less point of NFS failure,
especially since there have been documented cases of virDomainDestroy
hanging during an attempted operation on a failed NFS connection.

* src/security/security_selinux.c (SELinuxSetFilecon): Move guts...
(SELinuxSetFileconHelper): ...to new function.
(SELinuxSetFileconOptional): New function.
(SELinuxSetSecurityFileLabel): Honor override label, and remember
if labeling failed.
(SELinuxRestoreSecurityImageLabelInt): Skip relabeling based on
override.