4:57 a.m.
From: "Richard W.M. Jones" <rjones(a)redhat.com>
If set, this causes <seclabel model=selinux relabel=no> to be added to
the disk element in the libvirt XML.
It has no effect *except* on the libvirt attach method when SELinux
and sVirt is being used.
---
generator/actions.ml | 8 +++++++-
src/guestfs-internal.h | 1 +
src/launch-libvirt.c | 20 ++++++++++++++++++++
src/launch.c | 21 ++++++++++++++-------
4 files changed, 42 insertions(+), 8 deletions(-)
diff --git a/generator/actions.ml b/generator/actions.ml
index 59e667d..ececa7b 100644
--- a/generator/actions.ml
+++ b/generator/actions.ml
@@ -1247,7 +1247,7 @@ not all belong to a single logical operating system
{ defaults with
name = "add_drive";
- style = RErr, [String "filename"], [OBool "readonly"; OString
"format"; OString "iface"; OString "name"; OString
"label"];
+ style = RErr, [String "filename"], [OBool "readonly"; OString
"format"; OString "iface"; OString "name"; OString
"label"; OBool "selinuxnorelabel"];
once_had_no_optargs = true;
blocking = false;
fish_alias = ["add"];
@@ -1319,6 +1319,12 @@ the drive will also be named
C</dev/disk/guestfs/I<label>>.
See L<guestfs(3)/DISK LABELS>.
+=item C<selinuxnorelabel>
+
+If set, this option (only applicable when using the libvirt
+attach-method with SELinux and sVirt) causes libvirt to I<not>
+relabel the disk.
+
=back" };
{ defaults with
diff --git a/src/guestfs-internal.h b/src/guestfs-internal.h
index 78e2bf5..9a468dc 100644
--- a/src/guestfs-internal.h
+++ b/src/guestfs-internal.h
@@ -119,6 +119,7 @@ struct drive {
char *name;
char *disk_label;
bool use_cache_none;
+ int selinuxnorelabel;
void *priv; /* Data used by attach method. */
void (*free_priv) (void *);
diff --git a/src/launch-libvirt.c b/src/launch-libvirt.c
index 0a59cb6..45950e2 100644
--- a/src/launch-libvirt.c
+++ b/src/launch-libvirt.c
@@ -1035,6 +1035,16 @@ construct_libvirt_xml_disk (guestfs_h *g,
XMLERROR (-1,
xmlTextWriterWriteAttribute (xo, BAD_CAST "file",
BAD_CAST drv_priv->path));
+ if (drv->selinuxnorelabel) {
+ XMLERROR (-1, xmlTextWriterStartElement (xo, BAD_CAST "seclabel"));
+ XMLERROR (-1,
+ xmlTextWriterWriteAttribute (xo, BAD_CAST "model",
+ BAD_CAST "selinux"));
+ XMLERROR (-1,
+ xmlTextWriterWriteAttribute (xo, BAD_CAST "relabel",
+ BAD_CAST "no"));
+ XMLERROR (-1, xmlTextWriterEndElement (xo));
+ }
XMLERROR (-1, xmlTextWriterEndElement (xo));
}
else {
@@ -1046,6 +1056,16 @@ construct_libvirt_xml_disk (guestfs_h *g,
XMLERROR (-1,
xmlTextWriterWriteAttribute (xo, BAD_CAST "dev",
BAD_CAST drv_priv->path));
+ if (drv->selinuxnorelabel) {
+ XMLERROR (-1, xmlTextWriterStartElement (xo, BAD_CAST "seclabel"));
+ XMLERROR (-1,
+ xmlTextWriterWriteAttribute (xo, BAD_CAST "model",
+ BAD_CAST "selinux"));
+ XMLERROR (-1,
+ xmlTextWriterWriteAttribute (xo, BAD_CAST "relabel",
+ BAD_CAST "no"));
+ XMLERROR (-1, xmlTextWriterEndElement (xo));
+ }
XMLERROR (-1, xmlTextWriterEndElement (xo));
}
diff --git a/src/launch.c b/src/launch.c
index 7c37667..518ecd7 100644
--- a/src/launch.c
+++ b/src/launch.c
@@ -88,7 +88,7 @@ static struct drive *
create_drive_struct (guestfs_h *g, const char *path,
int readonly, const char *format,
const char *iface, const char *name,
- const char *disk_label,
+ const char *disk_label, int selinuxnorelabel,
int use_cache_none)
{
struct drive *drv = safe_malloc (g, sizeof (struct drive));
@@ -100,6 +100,7 @@ create_drive_struct (guestfs_h *g, const char *path,
drv->name = name ? safe_strdup (g, name) : NULL;
drv->disk_label = disk_label ? safe_strdup (g, disk_label) : NULL;
drv->use_cache_none = use_cache_none;
+ drv->selinuxnorelabel = selinuxnorelabel;
drv->priv = drv->free_priv = NULL;
return drv;
@@ -111,7 +112,7 @@ guestfs___add_dummy_appliance_drive (guestfs_h *g)
{
struct drive *drv;
- drv = create_drive_struct (g, "", 0, NULL, NULL, NULL, NULL, 0);
+ drv = create_drive_struct (g, "", 0, NULL, NULL, NULL, NULL, 0, 0);
add_drive_to_handle (g, drv);
}
@@ -276,7 +277,8 @@ add_drive (guestfs_h *g, struct drive *drv)
*/
static int
add_null_drive (guestfs_h *g, int readonly, const char *format,
- const char *iface, const char *name, const char *disk_label)
+ const char *iface, const char *name, const char *disk_label,
+ int selinuxnorelabel)
{
char *tmpfile = NULL;
int fd = -1, r;
@@ -310,7 +312,8 @@ add_null_drive (guestfs_h *g, int readonly, const char *format,
goto err;
}
- drv = create_drive_struct (g, tmpfile, readonly, format, iface, name, disk_label, 0);
+ drv = create_drive_struct (g, tmpfile, readonly, format, iface, name,
+ disk_label, selinuxnorelabel, 0);
r = add_drive (g, drv);
free (tmpfile);
if (r == -1) {
@@ -337,6 +340,7 @@ guestfs__add_drive_opts (guestfs_h *g, const char *filename,
const char *name;
const char *disk_label;
int use_cache_none;
+ int selinuxnorelabel;
struct drive *drv;
if (strchr (filename, ':') != NULL) {
@@ -355,6 +359,8 @@ guestfs__add_drive_opts (guestfs_h *g, const char *filename,
? optargs->name : NULL;
disk_label = optargs->bitmask & GUESTFS_ADD_DRIVE_OPTS_LABEL_BITMASK
? optargs->label : NULL;
+ selinuxnorelabel = optargs->bitmask &
GUESTFS_ADD_DRIVE_OPTS_SELINUXNORELABEL_BITMASK
+ ? optargs->selinuxnorelabel : 0;
if (format && !valid_format_iface (format)) {
error (g, _("%s parameter is empty or contains disallowed characters"),
@@ -372,7 +378,8 @@ guestfs__add_drive_opts (guestfs_h *g, const char *filename,
}
if (STREQ (filename, "/dev/null"))
- return add_null_drive (g, readonly, format, iface, name, disk_label);
+ return add_null_drive (g, readonly, format, iface, name, disk_label,
+ selinuxnorelabel);
/* For writable files, see if we can use cache=none. This also
* checks for the existence of the file. For readonly we have
@@ -389,8 +396,8 @@ guestfs__add_drive_opts (guestfs_h *g, const char *filename,
}
}
- drv = create_drive_struct (g, filename, readonly, format, iface, name, disk_label,
- use_cache_none);
+ drv = create_drive_struct (g, filename, readonly, format, iface, name,
+ disk_label, selinuxnorelabel, use_cache_none);
if (add_drive (g, drv) == -1) {
free_drive_struct (drv);
return -1;
--
1.8.1.2