Set proper selinux label on image file during qemu domain restore

Also restore the label to its original value after qemu is finished
with the file.

Prior to this patch, qemu domain restore did not function properly if
selinux was set to enforce.

diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
index 6ae4e8c68815038ed6c71a0d0c1976737b166f56..acbec7a52556762a55e05d7806a95deced7259dd 100644 (file)
--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
@@ -6268,7 +6268,6 @@ error:
     return -1;
 }
 
-/* TODO: check seclabel restore */
 static int ATTRIBUTE_NONNULL(6)
 qemudDomainSaveImageStartVM(virConnectPtr conn,
                             struct qemud_driver *driver,
@@ -6380,6 +6379,11 @@ qemudDomainSaveImageStartVM(virConnectPtr conn,
     ret = 0;
 
 out:
+    if (driver->securityDriver &&
+        driver->securityDriver->domainRestoreSavedStateLabel &&
+        driver->securityDriver->domainRestoreSavedStateLabel(vm, path) == -1)
+        VIR_WARN("failed to restore save state label on %s", path);
+
     return ret;
 }
 

diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index d4e2edbe1fa75d17a0a20481c3b1194fed23fe9b..e5eef196d1bc25fc4212a969034a47ef6ac14e9c 100644 (file)
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -972,7 +972,7 @@ SELinuxSetSecurityChardevCallback(virDomainDefPtr def ATTRIBUTE_UNUSED,
 
 
 static int
-SELinuxSetSecurityAllLabel(virDomainObjPtr vm, const char *stdin_path ATTRIBUTE_UNUSED)
+SELinuxSetSecurityAllLabel(virDomainObjPtr vm, const char *stdin_path)
 {
     const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
     int i;
@@ -1009,6 +1009,10 @@ SELinuxSetSecurityAllLabel(virDomainObjPtr vm, const char *stdin_path ATTRIBUTE_
         SELinuxSetFilecon(vm->def->os.initrd, default_content_context) < 0)
         return -1;
 
+    if (stdin_path &&
+        SELinuxSetFilecon(stdin_path, default_content_context) < 0)
+        return -1;
+
     return 0;
 }