From: "Richard W.M. Jones" <rjones(a)redhat.com>
If set, this causes <seclabel model=selinux relabel=no> to be added to
the disk element in the libvirt XML.
It has no effect *except* on the libvirt attach method when SELinux
and sVirt are being used.
---
generator/actions.ml | 11 +++++++++++
src/guestfs-internal.h | 1 +
src/launch-libvirt.c | 30 ++++++++++++++++++++++++++++++
3 files changed, 42 insertions(+)
diff --git a/generator/actions.ml b/generator/actions.ml
index 59e667d..f685e92 100644
--- a/generator/actions.ml
+++ b/generator/actions.ml
@@ -2706,6 +2706,17 @@ reality, two labels: the process label and the image label)
used by the appliance when the libvirt attach method is selected
(it is ignored by other attach methods)." };
+ { defaults with
+ name = "internal_set_libvirt_selinux_norelabel_disks";
+ style = RErr, [Bool "norelabeldisks"], [];
+ blocking = false;
+ visibility = VInternal;
+ shortdesc = "tell libvirt attach method not to relabel disks";
+ longdesc = "\
+This internal function adds E<lt>seclabel model=selinux relabel=noE<gt>
+to all application disks. It is only used by the libvirt attach method
+and is ignored by other attach methods." };
+
]
(* daemon_functions are any functions which cause some action
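Review bot: The longdesc says the seclabel is added "to all application disks", but judging by the launch-libvirt.c hunks in this patch the element is only written from construct_libvirt_xml_disk, i.e. for each user-added drive (`struct drive`), while construct_libvirt_xml_appliance is not touched, so "application disks" reads as either a typo for "appliance disks" or an overstatement. I would reword it to `This internal function adds E<lt>seclabel model=selinux relabel=noE<gt>` / `to the E<lt>sourceE<gt> element of every user-added disk (not the appliance disk). It is only used by the libvirt attach method` so callers know the appliance image keeps libvirt's default relabeling. The closing `]` of the action list is the last changed line, so the surrounding list starts outside the hunk.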
diff --git a/src/guestfs-internal.h b/src/guestfs-internal.h
index 78e2bf5..c25b893 100644
--- a/src/guestfs-internal.h
+++ b/src/guestfs-internal.h
@@ -324,6 +324,7 @@ struct guestfs_h
#endif
char *virt_selinux_label;
char *virt_selinux_imagelabel;
+ bool virt_selinux_norelabel_disks;
};
/* Per-filesystem data stored for inspect_os. */
diff --git a/src/launch-libvirt.c b/src/launch-libvirt.c
index 68d875e..318847a 100644
--- a/src/launch-libvirt.c
+++ b/src/launch-libvirt.c
@@ -651,6 +651,7 @@ static int construct_libvirt_xml_lifecycle (guestfs_h *g, const struct
libvirt_x
static int construct_libvirt_xml_devices (guestfs_h *g, const struct libvirt_xml_params
*params, xmlTextWriterPtr xo);
static int construct_libvirt_xml_qemu_cmdline (guestfs_h *g, const struct
libvirt_xml_params *params, xmlTextWriterPtr xo);
static int construct_libvirt_xml_disk (guestfs_h *g, xmlTextWriterPtr xo, struct drive
*drv, size_t drv_index);
+static int construct_libvirt_xml_disk_source_seclabel (guestfs_h *g, xmlTextWriterPtr
xo);
static int construct_libvirt_xml_appliance (guestfs_h *g, const struct libvirt_xml_params
*params, xmlTextWriterPtr xo);
/* Note this macro is rather specialized: It assumes that any local
@@ -1035,6 +1036,8 @@ construct_libvirt_xml_disk (guestfs_h *g,
XMLERROR (-1,
xmlTextWriterWriteAttribute (xo, BAD_CAST "file",
BAD_CAST drv_priv->path));
+ if (construct_libvirt_xml_disk_source_seclabel (g, xo) == -1)
+ return -1;
XMLERROR (-1, xmlTextWriterEndElement (xo));
}
else {
@@ -1046,6 +1049,8 @@ construct_libvirt_xml_disk (guestfs_h *g,
XMLERROR (-1,
xmlTextWriterWriteAttribute (xo, BAD_CAST "dev",
BAD_CAST drv_priv->path));
+ if (construct_libvirt_xml_disk_source_seclabel (g, xo) == -1)
+ return -1;
XMLERROR (-1, xmlTextWriterEndElement (xo));
}
@@ -1131,6 +1136,24 @@ construct_libvirt_xml_disk (guestfs_h *g,
}
static int
+construct_libvirt_xml_disk_source_seclabel (guestfs_h *g,
+ xmlTextWriterPtr xo)
+{
+ if (g->virt_selinux_norelabel_disks) {
+ XMLERROR (-1, xmlTextWriterStartElement (xo, BAD_CAST "seclabel"));
+ XMLERROR (-1,
+ xmlTextWriterWriteAttribute (xo, BAD_CAST "model",
+ BAD_CAST "selinux"));
+ XMLERROR (-1,
+ xmlTextWriterWriteAttribute (xo, BAD_CAST "relabel",
+ BAD_CAST "no"));
+ XMLERROR (-1, xmlTextWriterEndElement (xo));
+ }
+
+ return 0;
+}
+
+static int
construct_libvirt_xml_appliance (guestfs_h *g,
const struct libvirt_xml_params *params,
xmlTextWriterPtr xo)
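Review bot: construct_libvirt_xml_disk_source_seclabel has no comment explaining what the emitted element does to the sandbox, which matters because `relabel=no` turns off sVirt's per-disk relabeling and therefore makes disk access depend on whatever SELinux label the image already carries; I would put `/* Emit <seclabel model=selinux relabel=no/> inside the disk's <source> so sVirt leaves the image's existing SELinux label untouched; the image must then already be accessible under the appliance's process label. */` above the definition. The element is written whenever g->virt_selinux_norelabel_disks is set, with no check that a SELinux label was configured (g->virt_selinux_label, visible in the header hunk) or that the host runs SELinux, so the commit message's "no effect except when SELinux is in use" presumably relies on libvirt tolerating the element on non-SELinux hosts rather than on anything this code checks — worth confirming against the libvirt versions supported. The helper returns only 0 or -1 via XMLERROR, so the `== -1` checks at both call sites are consistent with it; construct_libvirt_xml_appliance's body continues outside the hunk.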
@@ -1639,3 +1662,10 @@ guestfs__internal_set_libvirt_selinux_label (guestfs_h *g, const
char *label,
g->virt_selinux_imagelabel = safe_strdup (g, imagelabel);
return 0;
}
+
+int
+guestfs__internal_set_libvirt_selinux_norelabel_disks (guestfs_h *g, int flag)
+{
+ g->virt_selinux_norelabel_disks = flag;
+ return 0;
+}
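Review bot: The new setter has no comment connecting the flag to its single consumer, and it stores the generator's `int flag` (from the `Bool` parameter) into a `bool` field, which is fine but worth stating; I would add `/* Set from the internal API; only consulted by construct_libvirt_xml_disk_source_seclabel when the libvirt attach method builds the domain XML. */` above the function. The function mirrors guestfs__internal_set_libvirt_selinux_label in always returning 0, so callers cannot distinguish success from a no-op on other attach methods, which is presumably intended for an internal setter.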
--
1.8.1.2