From: Daniel P. Berrange <berrange@redhat.com>
Date: Tue, 12 Mar 2013 17:34:37 +0000 (+0000)
Subject: Fix query of LXC security label
X-Git-Tag: v1.0.4-rc1~114
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a08810195cad633da35d0eb653b2e24cbfe75758;p=thirdparty%2Flibvirt.git

Fix query of LXC security label

The virDomainGetSecurityLabel method is currently (mistakenly)
showing the label of the libvirt_lxc process:

...snip...
Security model: selinux
Security DOI:   0
Security label: system_u:system_r:virtd_t:s0-s0:c0.c1023 (permissive)

when it should be showing the init process label

...snip...
Security model: selinux
Security DOI:   0
Security label: system_u:system_r:svirt_t:s0:c724,c995 (permissive)
---

diff --git a/src/lxc/lxc_driver.c b/src/lxc/lxc_driver.c
index 5d0613a5f3..8603078d1e 100644
--- a/src/lxc/lxc_driver.c
+++ b/src/lxc/lxc_driver.c
@@ -1162,8 +1162,16 @@ static int lxcDomainGetSecurityLabel(virDomainPtr dom, virSecurityLabelPtr secla
      *   LXC monitor hasn't seen SIGHUP/ERR on poll().
      */
     if (virDomainObjIsActive(vm)) {
+        virLXCDomainObjPrivatePtr priv = vm->privateData;
+
+        if (!priv->initpid) {
+            virReportError(VIR_ERR_OPERATION_INVALID, "%s",
+                           _("Init pid is not yet available"));
+            goto cleanup;
+        }
+
         if (virSecurityManagerGetProcessLabel(driver->securityManager,
-                                              vm->def, vm->pid, seclabel) < 0) {
+                                              vm->def, priv->initpid, seclabel) < 0) {
             virReportError(VIR_ERR_INTERNAL_ERROR,
                            "%s", _("Failed to get security label"));
             goto cleanup;