Re: [Libguestfs] [PATCH v2 3/5] launch: libvirt: Allow the SELinux label to be set on qcow2 overlay files.

On Thu, 2013-02-28 at 16:02 +0000, Richard W.M. Jones wrote: > From: "Richard W.M. Jones" <rjones(a)redhat.com&gt; > > When a disk is opened readonly, the libvirt attach-method privately > creates a qcow2 overlay on top. > > This commit lets that overlay get an SELinux label, and sets it to the > imagelabel specified by guestfs_internal_set_libvirt_selinux_label. > > The above only applies to the libvirt attach-method. > --- > src/launch-libvirt.c | 28 ++++++++++++++++++++-------- > 1 file changed, 20 insertions(+), 8 deletions(-) > > diff --git a/src/launch-libvirt.c b/src/launch-libvirt.c > index 318847a..b692fd6 100644 > --- a/src/launch-libvirt.c > +++ b/src/launch-libvirt.c > @@ -133,8 +133,8 @@ static int is_custom_qemu (guestfs_h *g); > static int is_blk (const char *path); > static int random_chars (char *ret, size_t len); > static void ignore_errors (void *ignore, virErrorPtr ignore2); > -static char *make_qcow2_overlay (guestfs_h *g, const char *path, const char *format); > -static int make_qcow2_overlay_for_drive (guestfs_h *g, struct drive *drv); > +static char *make_qcow2_overlay (guestfs_h *g, const char *path, const char *format, const char *selinux_imagelabel); > +static int make_qcow2_overlay_for_drive (guestfs_h *g, struct drive *drv, const char *selinux_imagelabel); > static void drive_free_priv (void *); > static void set_socket_create_context (guestfs_h *g); > static void clear_socket_create_context (guestfs_h *g); > @@ -235,13 +235,13 @@ launch_libvirt (guestfs_h *g, const char *libvirt_uri) > * Note that appliance can be NULL if using the old-style appliance. > */ > if (appliance) { > - params.appliance_overlay = make_qcow2_overlay (g, appliance, "raw"); > + params.appliance_overlay = make_qcow2_overlay (g, appliance, "raw", NULL); > if (!params.appliance_overlay) > goto cleanup; > } I remain convinced that this is going to bite us at some point in the future. The fact that it works now is essentially a quirk of the default SELinux policy. I still don't understand at all how the confined guest can access the underlying appliance image, which libvirt presumably doesn't relabel.