Hello community,

here is the log from the commit of package virt-sandbox for openSUSE:Factory 
checked in at 2014-06-06 14:36:26
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/virt-sandbox (Old)
 and      /work/SRC/openSUSE:Factory/.virt-sandbox.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "virt-sandbox"

Changes:
--------
--- /work/SRC/openSUSE:Factory/virt-sandbox/virt-sandbox.changes        
2014-05-13 20:48:57.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.virt-sandbox.new/virt-sandbox.changes   
2014-06-06 14:36:36.000000000 +0200
@@ -1,0 +2,6 @@
+Wed Jun  4 10:12:56 UTC 2014 - [email protected]
+
+- selinux-only-if-supported.patch: only set the selinux security
+  label if selinux is supported by the host. bnc#878048
+
+-------------------------------------------------------------------

New:
----
  selinux-only-if-supported.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ virt-sandbox.spec ++++++
--- /var/tmp/diff_new_pack.tAZdZA/_old  2014-06-06 14:36:38.000000000 +0200
+++ /var/tmp/diff_new_pack.tAZdZA/_new  2014-06-06 14:36:38.000000000 +0200
@@ -30,6 +30,7 @@
 
 # Pending upstream
 Patch0:         lib-prefix-fix.patch
+Patch1:         selinux-only-if-supported.patch
 
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildRequires:  glib2-devel >= 2.32.0
@@ -38,7 +39,7 @@
 BuildRequires:  intltool
 BuildRequires:  libselinux-devel
 BuildRequires:  libtool
-BuildRequires:  libvirt-glib-devel >= 0.1.7
+BuildRequires:  libvirt-glib-devel >= 0.1.8
 BuildRequires:  perl
 Requires:       rpm-python
 # For virsh lxc-enter-namespace command
@@ -84,6 +85,7 @@
 %prep
 %setup -q -n libvirt-sandbox-%{version}
 %patch0 -p1
+%patch1 -p1
 
 %build
 

++++++ selinux-only-if-supported.patch ++++++
>From 42315dfc7322e2af63e0a2b7417b8672cc48840a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=A9dric=20Bosdonnat?= <[email protected]>
Date: Wed, 4 Jun 2014 09:38:59 +0200
Subject: [PATCH] Only set SELinux seclabel if supported by the host.

This code depends on new API in libvirt-gconfig to extract the
secmodels handled by the host.
---
 libvirt-sandbox/libvirt-sandbox-builder.c | 68 ++++++++++++++++++++-----------
 1 file changed, 45 insertions(+), 23 deletions(-)

diff --git a/libvirt-sandbox/libvirt-sandbox-builder.c 
b/libvirt-sandbox/libvirt-sandbox-builder.c
index 48b3acc..547b1c7 100644
--- a/libvirt-sandbox/libvirt-sandbox-builder.c
+++ b/libvirt-sandbox/libvirt-sandbox-builder.c
@@ -323,38 +323,60 @@ static gboolean 
gvir_sandbox_builder_construct_devices(GVirSandboxBuilder *build
 }
 
 
-static gboolean gvir_sandbox_builder_construct_security(GVirSandboxBuilder 
*builder G_GNUC_UNUSED,
+static gboolean gvir_sandbox_builder_construct_security(GVirSandboxBuilder 
*builder,
                                                         GVirSandboxConfig 
*config G_GNUC_UNUSED,
                                                         const gchar *statedir 
G_GNUC_UNUSED,
                                                         GVirConfigDomain 
*domain,
-                                                        GError **error 
G_GNUC_UNUSED)
+                                                        GError **error)
 {
     GVirConfigDomainSeclabel *sec = gvir_config_domain_seclabel_new();
     const char *label = gvir_sandbox_config_get_security_label(config);
+    GVirConnection *connection = gvir_sandbox_builder_get_connection(builder);
+    GVirConfigCapabilities *configCapabilities;
+    GVirConfigCapabilitiesHost *hostCapabilities;
+    GList *secmodels, *iter;
+    gboolean supportsSelinux = FALSE;
+
+    /* What security models are available on the host? */
+    if (!(configCapabilities = gvir_connection_get_capabilities(connection, 
error))) {
+        g_object_unref(sec);
+        return FALSE;
+    }
+
+    hostCapabilities = gvir_config_capabilities_get_host(configCapabilities);
 
-    gvir_config_domain_seclabel_set_model(sec, "selinux");
-    if (gvir_sandbox_config_get_security_dynamic(config)) {
-        gvir_config_domain_seclabel_set_type(sec,
-                                             
GVIR_CONFIG_DOMAIN_SECLABEL_DYNAMIC);
-        if (label)
-            gvir_config_domain_seclabel_set_baselabel(sec, label);
-        else if (gvir_config_domain_get_virt_type(domain) ==
-                 GVIR_CONFIG_DOMAIN_VIRT_LXC)
-            gvir_config_domain_seclabel_set_baselabel(sec, 
"system_u:system_r:svirt_lxc_net_t:s0");
-        else if (gvir_config_domain_get_virt_type(domain) ==
-                 GVIR_CONFIG_DOMAIN_VIRT_QEMU)
-            gvir_config_domain_seclabel_set_baselabel(sec, 
"system_u:system_r:svirt_tcg_t:s0");
-        else if (gvir_config_domain_get_virt_type(domain) ==
-                 GVIR_CONFIG_DOMAIN_VIRT_KVM)
-            gvir_config_domain_seclabel_set_baselabel(sec, 
"system_u:system_r:svirt_t:s0");
-    } else {
-        gvir_config_domain_seclabel_set_type(sec,
-                                             
GVIR_CONFIG_DOMAIN_SECLABEL_STATIC);
-        if (label)
-            gvir_config_domain_seclabel_set_label(sec, label);
+    secmodels = gvir_config_capabilities_host_get_secmodels(hostCapabilities);
+    for (iter = secmodels; iter != NULL; iter = iter->next) {
+        supportsSelinux = 
g_str_equal(gvir_config_capabilities_secmodel_get_model(
+                GVIR_CONFIG_CAPABILITIES_SECMODEL(iter->data)), "selinux");
+        g_object_unref(iter->data);
     }
 
-    gvir_config_domain_set_seclabel(domain, sec);
+    if (supportsSelinux) {
+        gvir_config_domain_seclabel_set_model(sec, "selinux");
+        if (gvir_sandbox_config_get_security_dynamic(config)) {
+            gvir_config_domain_seclabel_set_type(sec,
+                                                 
GVIR_CONFIG_DOMAIN_SECLABEL_DYNAMIC);
+            if (label)
+                gvir_config_domain_seclabel_set_baselabel(sec, label);
+            else if (gvir_config_domain_get_virt_type(domain) ==
+                     GVIR_CONFIG_DOMAIN_VIRT_LXC)
+                gvir_config_domain_seclabel_set_baselabel(sec, 
"system_u:system_r:svirt_lxc_net_t:s0");
+            else if (gvir_config_domain_get_virt_type(domain) ==
+                     GVIR_CONFIG_DOMAIN_VIRT_QEMU)
+                gvir_config_domain_seclabel_set_baselabel(sec, 
"system_u:system_r:svirt_tcg_t:s0");
+            else if (gvir_config_domain_get_virt_type(domain) ==
+                     GVIR_CONFIG_DOMAIN_VIRT_KVM)
+                gvir_config_domain_seclabel_set_baselabel(sec, 
"system_u:system_r:svirt_t:s0");
+        } else {
+            gvir_config_domain_seclabel_set_type(sec,
+                                                 
GVIR_CONFIG_DOMAIN_SECLABEL_STATIC);
+            if (label)
+                gvir_config_domain_seclabel_set_label(sec, label);
+        }
+
+        gvir_config_domain_set_seclabel(domain, sec);
+    }
     g_object_unref(sec);
 
     return TRUE;
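Review bot: The loop over `secmodels` assigns `supportsSelinux` on every iteration, so only the last model in the list decides the result; on a host that reports `selinux` followed by another model (libvirt commonly also lists `dac`), the flag ends FALSE and the domain is defined with no seclabel at all, silently dropping sVirt confinement. The flag should be latched rather than overwritten, without breaking out early, because each element still has to be unreffed. In the visible lines the list itself, `hostCapabilities` and `configCapabilities` are never released, which looks like a leak on every call if these getters return owned references, as the per-element unref suggests. A caller-supplied `label` is also discarded without any message when SELinux is absent; a debug or warning log there would make the fail-open path visible. The function's closing brace lies outside the hunk.

```c
    /* … unchanged: capabilities lookup and error return … */
    secmodels = gvir_config_capabilities_host_get_secmodels(hostCapabilities);
    for (iter = secmodels; iter != NULL; iter = iter->next) {
        /* Latch the flag: a later non-SELinux model must not clear it. */
        if (g_str_equal(gvir_config_capabilities_secmodel_get_model(
                GVIR_CONFIG_CAPABILITIES_SECMODEL(iter->data)), "selinux"))
            supportsSelinux = TRUE;
        g_object_unref(iter->data);
    }
    g_list_free(secmodels);
    g_object_unref(hostCapabilities);
    g_object_unref(configCapabilities);
    /* … unchanged: seclabel construction under if (supportsSelinux) … */
```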
-- 
1.8.4.5
