Really fix restore file labelling this time

- Avoid compressing small log files (#531030)

.cvsignore

@@ -1,19 +1,14 @@
-libvirt-0.0.3.tar.gz
-libvirt-0.0.4.tar.gz
-libvirt-0.0.5.tar.gz
-libvirt-0.0.6.tar.gz
-libvirt-0.1.0.tar.gz
-libvirt-0.1.2.tar.gz
-libvirt-0.1.1.tar.gz
-libvirt-0.1.3.tar.gz
-libvirt-0.1.4.tar.gz
-libvirt-0.1.5.tar.gz
-libvirt-0.1.6.tar.gz
-libvirt-0.1.7.tar.gz
-libvirt-0.1.8.tar.gz
-libvirt-0.1.9.tar.gz
-libvirt-0.1.10.tar.gz
-libvirt-0.1.11.tar.gz
-libvirt-0.2.0.tar.gz
-libvirt-0.2.1.tar.gz
-libvirt-0.2.2.tar.gz
+.build*.log
+*.rpm
+i686
+x86_64
+libvirt-*.tar.gz
+libvirt-0.6.0.tar.gz
+libvirt-0.6.1.tar.gz
+libvirt-0.6.2.tar.gz
+libvirt-0.6.3.tar.gz
+libvirt-0.6.4.tar.gz
+libvirt-0.6.5.tar.gz
+libvirt-0.7.0.tar.gz
+libvirt-0.7.1.tar.gz
+libvirt-0.7.2.tar.gz

Makefile

@@ -3,4 +3,19 @@
 NAME := libvirt
 SPECFILE = $(firstword $(wildcard *.spec))
 
-include ../common/Makefile.common
+define find-makefile-common
+for d in common ../common ../../common ; do if [ -f $$d/Makefile.common ] ; then if [ -f $$d/CVS/Root -a -w $$/Makefile.common ] ; then cd $$d ; cvs -Q update ; fi ; echo "$$d/Makefile.common" ; break ; fi ; done
+endef
+
+MAKEFILE_COMMON := $(shell $(find-makefile-common))
+
+ifeq ($(MAKEFILE_COMMON),)
+# attempt a checkout
+define checkout-makefile-common
+test -f CVS/Root && { cvs -Q -d $$(cat CVS/Root) checkout common && echo "common/Makefile.common" ; } || { echo "ERROR: I can't figure out how to checkout the 'common' module." ; exit -1 ; } >&2
+endef
+
+MAKEFILE_COMMON := $(shell $(checkout-makefile-common))
+endif
+
+include $(MAKEFILE_COMMON)

libvirt-0.2.2-disable-xm.patch

@@ -1,15 +0,0 @@
-diff -rup libvirt-0.2.2/src/xen_unified.c libvirt-0.2.2.new/src/xen_unified.c
---- libvirt-0.2.2/src/xen_unified.c	2007-04-17 04:38:52.000000000 -0400
-+++ libvirt-0.2.2.new/src/xen_unified.c	2007-05-01 16:49:54.000000000 -0400
-@@ -112,6 +112,11 @@ xenUnifiedOpen (virConnectPtr conn, cons
-     for (i = 0; i < nb_drivers; ++i) {
-         int failed_to_open = 1;
- 
-+        /* Only use XM driver for Xen <= 3.0.3 (ie xendConfigVersion <= 2) */
-+        if (drivers[i] == &xenXMDriver &&
-+            priv->xendConfigVersion > 2)
-+            continue;
-+
-         /* Ignore proxy for root */
-         if (i == proxy_offset && getuid() == 0)
-             continue;

libvirt-0.2.2-dnsmasq-order.patch

@@ -1,23 +0,0 @@
-diff -rup libvirt-0.2.2/qemud/qemud.c libvirt-0.2.2.new/qemud/qemud.c
---- libvirt-0.2.2/qemud/qemud.c	2007-04-11 10:13:36.000000000 -0400
-+++ libvirt-0.2.2.new/qemud/qemud.c	2007-05-01 16:51:15.000000000 -0400
-@@ -1110,6 +1110,7 @@ qemudBuildDnsmasqArgv(struct qemud_serve
-     len =
-         1 + /* dnsmasq */
-         1 + /* --keep-in-foreground */
-+        1 + /* --strict-order */
-         1 + /* --bind-interfaces */
-         2 + /* --pid-file "" */
-         2 + /* --conf-file "" */
-@@ -1133,6 +1134,11 @@ qemudBuildDnsmasqArgv(struct qemud_serve
-     APPEND_ARG(*argv, i++, "dnsmasq");
- 
-     APPEND_ARG(*argv, i++, "--keep-in-foreground");
-+    /*
-+     * Needed to ensure dnsmasq uses same algorithm for processing
-+     * multiple nameserver entries in /etc/resolv.conf as GLibC.
-+     */
-+    APPEND_ARG(*argv, i++, "--strict-order");
-     APPEND_ARG(*argv, i++, "--bind-interfaces");
- 
-     APPEND_ARG(*argv, i++, "--pid-file");

libvirt-0.2.2-graphics-hvm.patch

@@ -1,70 +0,0 @@
-diff -rup libvirt-0.2.2.new/src/xend_internal.c libvirt-0.2.2/src/xend_internal.c
---- libvirt-0.2.2.new/src/xend_internal.c	2007-04-15 16:09:10.000000000 -0400
-+++ libvirt-0.2.2/src/xend_internal.c	2007-05-03 14:52:42.000000000 -0400
-@@ -1676,35 +1676,38 @@ xend_parse_sexp_desc(virConnectPtr conn,
-         }
-     }
- 
--    /* Graphics device (HVM <= 3.0.4, or PV <= 3.0.4) vnc config */
--    tmp = sexpr_fmt_node(root, "domain/image/%s/vnc", hvm ? "hvm" : "linux");
--    if (tmp != NULL) {
--        if (tmp[0] == '1') {
--            int port = xenStoreDomainGetVNCPort(conn, domid);
--            const char *listenAddr = sexpr_fmt_node(root, "domain/image/%s/vnclisten", hvm ? "hvm" : "linux");
--            const char *keymap = sexpr_fmt_node(root, "domain/image/%s/keymap", hvm ? "hvm" : "linux");
--            /* For Xen >= 3.0.3, don't generate a fixed port mapping
--             * because it will almost certainly be wrong ! Just leave
--             * it as -1 which lets caller see that the VNC server isn't
--             * present yet. Subsquent dumps of the XML will eventually
--             * find the port in XenStore once VNC server has started
--             */
--            if (port == -1 && xendConfigVersion < 2)
--                port = 5900 + domid;
--            virBufferVSprintf(&buf, "    <graphics type='vnc' port='%d'", port);
--            if (listenAddr)
--                virBufferVSprintf(&buf, " listen='%s'", listenAddr);
--            if (keymap)
--                virBufferVSprintf(&buf, " keymap='%s'", keymap);
--            virBufferAdd(&buf, "/>\n", 3);
-+    /* Graphics device (HVM <= 3.0.4, or PV <= 3.0.3) vnc config */
-+    if ((hvm && xendConfigVersion < 4) ||
-+        (!hvm && xendConfigVersion < 3)) {
-+        tmp = sexpr_fmt_node(root, "domain/image/%s/vnc", hvm ? "hvm" : "linux");
-+        if (tmp != NULL) {
-+            if (tmp[0] == '1') {
-+                int port = xenStoreDomainGetVNCPort(conn, domid);
-+                const char *listenAddr = sexpr_fmt_node(root, "domain/image/%s/vnclisten", hvm ? "hvm" : "linux");
-+                const char *keymap = sexpr_fmt_node(root, "domain/image/%s/keymap", hvm ? "hvm" : "linux");
-+                /* For Xen >= 3.0.3, don't generate a fixed port mapping
-+                 * because it will almost certainly be wrong ! Just leave
-+                 * it as -1 which lets caller see that the VNC server isn't
-+                 * present yet. Subsquent dumps of the XML will eventually
-+                 * find the port in XenStore once VNC server has started
-+                 */
-+                if (port == -1 && xendConfigVersion < 2)
-+                    port = 5900 + domid;
-+                virBufferVSprintf(&buf, "    <graphics type='vnc' port='%d'", port);
-+                if (listenAddr)
-+                    virBufferVSprintf(&buf, " listen='%s'", listenAddr);
-+                if (keymap)
-+                    virBufferVSprintf(&buf, " keymap='%s'", keymap);
-+                virBufferAdd(&buf, "/>\n", 3);
-+            }
-         }
--    }
- 
--    /* Graphics device (HVM, or old (pre-3.0.4) style PV sdl config) */
--    tmp = sexpr_fmt_node(root, "domain/image/%s/sdl", hvm ? "hvm" : "linux");
--    if (tmp != NULL) {
--        if (tmp[0] == '1')
--            virBufferAdd(&buf, "    <graphics type='sdl'/>\n", 27 );
-+        /* Graphics device (HVM, or old (pre-3.0.4) style PV sdl config) */
-+        tmp = sexpr_fmt_node(root, "domain/image/%s/sdl", hvm ? "hvm" : "linux");
-+        if (tmp != NULL) {
-+            if (tmp[0] == '1')
-+                virBufferAdd(&buf, "    <graphics type='sdl'/>\n", 27 );
-+        }
-     }
- 
-     tty = xenStoreDomainGetConsolePath(conn, domid);
-Only in libvirt-0.2.2/src: xend_internal.c.orig

libvirt-0.2.2-qemu-noreboot.patch

@@ -1,128 +0,0 @@
-diff -rup libvirt-0.2.2/qemud/conf.c libvirt-0.2.2.new/qemud/conf.c
---- libvirt-0.2.2/qemud/conf.c	2007-04-17 04:34:42.000000000 -0400
-+++ libvirt-0.2.2.new/qemud/conf.c	2007-05-01 18:16:46.000000000 -0400
-@@ -245,21 +245,25 @@ static int qemudExtractVersionInfo(const
-     cleanup1:
-         _exit(-1); /* Just in case */
-     } else { /* Parent */
--        char help[4096]; /* Ought to be enough to hold QEMU help screen */
-+        char help[8192]; /* Ought to be enough to hold QEMU help screen */
-         int got, ret = -1;
-         int major, minor, micro;
- 
-         if (close(newstdout[1]) < 0)
-             goto cleanup2;
- 
--    reread:
--        if ((got = read(newstdout[0], help, sizeof(help)-1)) < 0) {
--            if (errno == EINTR)
--                goto reread;
--            goto cleanup2;
-+        while (got < (sizeof(help)-1)) {
-+            int len;
-+            if ((len = read(newstdout[0], help+got, sizeof(help)-got-1)) <= 0) {
-+                if (!len)
-+                    break;
-+                if (errno == EINTR)
-+                    continue;
-+                goto cleanup2;
-+            }
-+            got += len;
-         }
-         help[got] = '\0';
--
-         if (sscanf(help, "QEMU PC emulator version %d.%d.%d", &major,&minor, &micro) != 3) {
-             goto cleanup2;
-         }
-@@ -267,6 +271,8 @@ static int qemudExtractVersionInfo(const
-         *version = (major * 1000 * 1000) + (minor * 1000) + micro;
-         if (strstr(help, "-no-kqemu"))
-             *flags |= QEMUD_CMD_FLAG_KQEMU;
-+        if (strstr(help, "-no-reboot"))
-+            *flags |= QEMUD_CMD_FLAG_NO_REBOOT;
-         if (*version >= 9000)
-             *flags |= QEMUD_CMD_FLAG_VNC_COLON;
-         ret = 0;
-@@ -858,6 +864,22 @@ static struct qemud_vm_def *qemudParseXM
-     }
-     xmlXPathFreeObject(obj);
- 
-+
-+    /* See if we disable reboots */
-+    obj = xmlXPathEval(BAD_CAST "string(/domain/on_reboot)", ctxt);
-+    if ((obj == NULL) || (obj->type != XPATH_STRING) ||
-+        (obj->stringval == NULL) || (obj->stringval[0] == 0)) {
-+        def->noReboot = 0;
-+    } else {
-+        if (!strcmp((char*)obj->stringval, "destroy"))
-+            def->noReboot = 1;
-+        else
-+            def->noReboot = 0;
-+    }
-+    if (obj)
-+        xmlXPathFreeObject(obj);
-+
-+
-     /* Extract OS type info */
-     obj = xmlXPathEval(BAD_CAST "string(/domain/os/type[1])", ctxt);
-     if ((obj == NULL) || (obj->type != XPATH_STRING) ||
-@@ -1220,6 +1242,8 @@ int qemudBuildCommandLine(struct qemud_s
-         2 + /* cpus */
-         2 + /* boot device */
-         2 + /* monitor */
-+        (server->qemuCmdFlags & QEMUD_CMD_FLAG_NO_REBOOT &&
-+         vm->def->noReboot ? 1 : 0) + /* no-reboot */
-         (vm->def->features & QEMUD_FEATURE_ACPI ? 0 : 1) + /* acpi */
-         (vm->def->os.kernel[0] ? 2 : 0) + /* kernel */
-         (vm->def->os.initrd[0] ? 2 : 0) + /* initrd */
-@@ -1255,6 +1279,11 @@ int qemudBuildCommandLine(struct qemud_s
-         goto no_memory;
-     if (!((*argv)[++n] = strdup("pty")))
-         goto no_memory;
-+    if (server->qemuCmdFlags & QEMUD_CMD_FLAG_NO_REBOOT &&
-+        vm->def->noReboot) {
-+        if (!((*argv)[++n] = strdup("-no-reboot")))
-+            goto no_memory;
-+    }
- 
-     if (!(vm->def->features & QEMUD_FEATURE_ACPI)) {
-         if (!((*argv)[++n] = strdup("-no-acpi")))
-@@ -2517,6 +2546,17 @@ char *qemudGenerateXML(struct qemud_serv
-             goto no_memory;
-     }
- 
-+    if (bufferAdd(buf, "  <on_poweroff>destroy</on_poweroff>\n", -1) < 0)
-+        goto no_memory;
-+    if (def->noReboot) {
-+        if (bufferAdd(buf, "  <on_reboot>destroy</on_reboot>\n", -1) < 0)
-+            goto no_memory;
-+    } else {
-+        if (bufferAdd(buf, "  <on_reboot>restart</on_reboot>\n", -1) < 0)
-+            goto no_memory;
-+    }
-+    if (bufferAdd(buf, "  <on_crash>destroy</on_crash>\n", -1) < 0)
-+        goto no_memory;
- 
-     if (bufferAdd(buf, "  <devices>\n", -1) < 0)
-         goto no_memory;
-diff -rup libvirt-0.2.2/qemud/internal.h libvirt-0.2.2.new/qemud/internal.h
---- libvirt-0.2.2/qemud/internal.h	2007-04-11 10:13:36.000000000 -0400
-+++ libvirt-0.2.2.new/qemud/internal.h	2007-05-01 17:53:42.000000000 -0400
-@@ -161,6 +161,7 @@ enum qemud_vm_grapics_type {
- enum qemud_cmd_flags {
-     QEMUD_CMD_FLAG_KQEMU = 1,
-     QEMUD_CMD_FLAG_VNC_COLON = 2,
-+    QEMUD_CMD_FLAG_NO_REBOOT = 4,
- };
- 
- 
-@@ -191,6 +192,8 @@ struct qemud_vm_def {
-     int maxmem;
-     int vcpus;
- 
-+    int noReboot;
-+
-     struct qemud_vm_os_def os;
- 
-     int features;
-Only in libvirt-0.2.2.new/qemud: libvirt-0.2.2-qemu-noreboot.patch

libvirt-0.2.2-sync-daemon-restart.patch

@@ -1,19 +0,0 @@
---- libvirt-0.2.2/ChangeLog.sync-restart	2007-05-02 13:07:21.719425000 -0400
-+++ libvirt-0.2.2/ChangeLog	2007-05-02 13:08:23.204879000 -0400
-@@ -0,0 +1,5 @@
-+Wed May  2 17:55:12 IST 2007 Mark McLoughlin <markmc@redhat.com>
-+
-+	* qemud/libvirtd.in: synchronously restart the daemon in
-+	order to avoid https://bugzilla.redhat.com/238492
-+	
---- libvirt-0.2.2/qemud/libvirtd.in.sync-restart	2007-02-23 07:50:58.000000000 -0500
-+++ libvirt-0.2.2/qemud/libvirtd.in	2007-05-02 13:08:23.209868000 -0400
-@@ -34,7 +34,7 @@
- stop() {
-     echo -n $"Stopping $SERVICE daemon: "
- 
--    killproc $PROCESS -TERM
-+    killproc $PROCESS
-     RETVAL=$?
-     echo
-     if [ $RETVAL -eq 0 ]; then

libvirt-logrotate-avoid-compressing-small-logs.patch

@@ -0,0 +1,31 @@
+From d7cca87f6c5ad2316934af8ecb95829b95b662c6 Mon Sep 17 00:00:00 2001
+From: Dan Kenigsberg <danken@redhat.com>
+Date: Wed, 21 Oct 2009 13:56:04 +0200
+Subject: [PATCH] Do not log rotate very small logs
+
+Without this, after few weeks without use, each defined domain grows a
+tail of empty gzipped logs, instead of keeping just the last log of
+interest.
+
+* daemon/libvirtd.logrotate.in: only rotate when the log is over 100 KBytes
+
+(cherry picked from commit b03fe2d0aefb57a096a102bf23375f0a167ca189)
+
+Fedora-patch: libvirt-logrotate-avoid-compressing-small-logs.patch
+---
+ daemon/libvirtd.logrotate.in |    1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+diff --git a/daemon/libvirtd.logrotate.in b/daemon/libvirtd.logrotate.in
+index 093651c..0c51fd3 100644
+--- a/daemon/libvirtd.logrotate.in
++++ b/daemon/libvirtd.logrotate.in
+@@ -5,4 +5,5 @@
+         compress
+         delaycompress
+         copytruncate
++        minsize 100k
+ }
+-- 
+1.6.5.2
+

libvirt-qemu-machine-type-fixes2.patch

@@ -0,0 +1,42 @@
+From b7b6a28eb9eae641762de9408a90971d849ce92e Mon Sep 17 00:00:00 2001
+From: Mark McLoughlin <markmc@redhat.com>
+Date: Thu, 15 Oct 2009 12:09:17 +0100
+Subject: [PATCH] Don't copy old machines from a domain which has none
+
+If the the qemu and kvm binaries are the same, we don't include machine
+types in the kvm domain info.
+
+However, the code which refreshes the machine types info from the
+previous capabilities structure first looks at the kvm domain's info,
+finds it matches and then copies the empty machine types list over
+for the top-level qemu domain.
+
+That doesn't make sense, we shouldn't copy an empty machin types list.
+
+* src/qemu/qemu_conf.c: qemudGetOldMachinesFromInfo(): don't copy an
+  empty machine types list.
+
+(cherry picked from commit 2210f8a3a8e2774ca4fb8b42e21899e5b85ca913)
+
+Fedora-patch: libvirt-qemu-machine-type-fixes2.patch
+---
+ src/qemu/qemu_conf.c |    3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
+
+diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c
+index ac63570..b881f1e 100644
+--- a/src/qemu/qemu_conf.c
++++ b/src/qemu/qemu_conf.c
+@@ -505,6 +505,9 @@ qemudGetOldMachinesFromInfo(virCapsGuestDomainInfoPtr info,
+     virCapsGuestMachinePtr *list;
+     int i;
+ 
++    if (!info->nmachines)
++        return 0;
++
+     if (!info->emulator || !STREQ(emulator, info->emulator))
+         return 0;
+ 
+-- 
+1.6.5.2
+

libvirt-qemu-save-restore-2.patch

@@ -0,0 +1,118 @@
+From 096fc1216eb2654bbff376dcc5bb8177d6498f82 Mon Sep 17 00:00:00 2001
+From: Daniel P. Berrange <berrange@redhat.com>
+Date: Thu, 19 Nov 2009 12:16:30 +0000
+Subject: [PATCH] Fix labelling on QEMU restore images
+
+Even though QEMU does not directly open the saved image when
+restoring, it must be correctly labelled to allow QEMU to
+read from it because labelling is passed around with open
+file descriptors.
+
+The labelling should not allow writing to the saved image
+again, only reading.
+
+* src/qemu/qemu_driver.c: Label the save image when restoring
+* src/security/security_driver.h: Add a virSecurityDomainSetSavedStateLabelRO
+  method for labelling a saved image for restore
+* src/security/security_selinux.c: Implement labelling of RO
+  save images for restore
+
+Fedora-patch: libvirt-qemu-save-restore-2.patch
+---
+ src/qemu/qemu_driver.c          |   11 ++++++++++-
+ src/security/security_driver.h  |    5 +++++
+ src/security/security_selinux.c |   11 +++++++++++
+ 3 files changed, 26 insertions(+), 1 deletions(-)
+
+diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
+index 171ac8f..e6abb05 100644
+--- a/src/qemu/qemu_driver.c
++++ b/src/qemu/qemu_driver.c
+@@ -3266,7 +3266,7 @@ static int qemudDomainSave(virDomainPtr dom,
+ 
+     if (driver->securityDriver &&
+         driver->securityDriver->domainRestoreSavedStateLabel &&
+-        driver->securityDriver->domainRestoreSavedStateLabel(dom->conn, path) == -1)
++        driver->securityDriver->domainRestoreSavedStateLabel(dom->conn, vm, path) == -1)
+         goto cleanup;
+ 
+     ret = 0;
+@@ -3813,6 +3813,11 @@ static int qemudDomainRestore(virConnectPtr conn,
+     }
+     def = NULL;
+ 
++    if (driver->securityDriver &&
++        driver->securityDriver->domainSetSavedStateLabelRO &&
++        driver->securityDriver->domainSetSavedStateLabelRO(conn, vm, path) == -1)
++        goto cleanup;
++
+     if (header.version == 2) {
+         const char *intermediate_argv[3] = { NULL, "-dc", NULL };
+         const char *prog = qemudSaveCompressionTypeToString(header.compressed);
+@@ -3847,6 +3852,10 @@ static int qemudDomainRestore(virConnectPtr conn,
+         close(intermediatefd);
+     close(fd);
+     fd = -1;
++    if (driver->securityDriver &&
++        driver->securityDriver->domainRestoreSavedStateLabel &&
++        driver->securityDriver->domainRestoreSavedStateLabel(conn, vm, path) == -1)
++        VIR_WARN("Unable to restore labelling on %s", path);
+     if (ret < 0) {
+         if (!vm->persistent) {
+             virDomainRemoveInactive(&driver->domains,
+diff --git a/src/security/security_driver.h b/src/security/security_driver.h
+index 5514962..5144976 100644
+--- a/src/security/security_driver.h
++++ b/src/security/security_driver.h
+@@ -45,7 +45,11 @@ typedef int (*virSecurityDomainSetHostdevLabel) (virConnectPtr conn,
+ typedef int (*virSecurityDomainSetSavedStateLabel) (virConnectPtr conn,
+                                                     virDomainObjPtr vm,
+                                                     const char *savefile);
++typedef int (*virSecurityDomainSetSavedStateLabelRO) (virConnectPtr conn,
++                                                      virDomainObjPtr vm,
++                                                      const char *savefile);
+ typedef int (*virSecurityDomainRestoreSavedStateLabel) (virConnectPtr conn,
++                                                        virDomainObjPtr vm,
+                                                         const char *savefile);
+ typedef int (*virSecurityDomainGenLabel) (virConnectPtr conn,
+                                           virDomainObjPtr sec);
+@@ -77,6 +81,7 @@ struct _virSecurityDriver {
+     virSecurityDomainRestoreHostdevLabel domainRestoreSecurityHostdevLabel;
+     virSecurityDomainSetHostdevLabel domainSetSecurityHostdevLabel;
+     virSecurityDomainSetSavedStateLabel domainSetSavedStateLabel;
++    virSecurityDomainSetSavedStateLabelRO domainSetSavedStateLabelRO;
+     virSecurityDomainRestoreSavedStateLabel domainRestoreSavedStateLabel;
+ 
+     /*
+diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
+index 4f2d1d3..0c130e5 100644
+--- a/src/security/security_selinux.c
++++ b/src/security/security_selinux.c
+@@ -639,7 +639,17 @@ SELinuxSetSavedStateLabel(virConnectPtr conn,
+ 
+ 
+ static int
++SELinuxSetSavedStateLabelRO(virConnectPtr conn,
++                            virDomainObjPtr vm ATTRIBUTE_UNUSED,
++                            const char *savefile)
++{
++    return SELinuxSetFilecon(conn, savefile, default_content_context);
++}
++
++
++static int
+ SELinuxRestoreSavedStateLabel(virConnectPtr conn,
++                              virDomainObjPtr vm ATTRIBUTE_UNUSED,
+                               const char *savefile)
+ {
+     return SELinuxRestoreSecurityFileLabel(conn, savefile);
+@@ -716,5 +726,6 @@ virSecurityDriver virSELinuxSecurityDriver = {
+     .domainSetSecurityHostdevLabel = SELinuxSetSecurityHostdevLabel,
+     .domainRestoreSecurityHostdevLabel = SELinuxRestoreSecurityHostdevLabel,
+     .domainSetSavedStateLabel = SELinuxSetSavedStateLabel,
++    .domainSetSavedStateLabelRO = SELinuxSetSavedStateLabelRO,
+     .domainRestoreSavedStateLabel = SELinuxRestoreSavedStateLabel,
+ };
+-- 
+1.6.5.2
+

libvirt-qemu-save-restore.patch

@@ -0,0 +1,168 @@
+From 1151cdcad3f4b68478b076832843338256b94644 Mon Sep 17 00:00:00 2001
+From: Daniel P. Berrange <berrange@redhat.com>
+Date: Wed, 11 Nov 2009 12:07:00 +0000
+Subject: [PATCH] Fix save and restore with non-privileged guests and SELinux
+
+When running qemu:///system instance, libvirtd runs as root,
+but QEMU may optionally be configured to run non-root. When
+then saving a guest to a state file, the file is initially
+created as root, and thus QEMU cannot write to it. It is also
+missing labelling required to allow access via SELinux.
+
+* src/qemu/qemu_driver.c: Set ownership on save image before
+  running migrate command in virDomainSave impl. Call out to
+  security driver to set save image labelling
+* src/security/security_driver.h: Add driver APIs for setting
+  and restoring saved state file labelling
+* src/security/security_selinux.c: Implement saved state file
+  labelling for SELinux
+
+(cherry picked from commit bc0010b3d149df00406b82c37eb59874d8525af4)
+
+Fedora-patch: libvirt-qemu-save-restore.patch
+---
+ src/qemu/qemu_driver.c          |   35 ++++++++++++++++++++++++++++++++---
+ src/security/security_driver.h  |    7 +++++++
+ src/security/security_selinux.c |   23 +++++++++++++++++++++++
+ 3 files changed, 62 insertions(+), 3 deletions(-)
+
+diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
+index c544c4b..171ac8f 100644
+--- a/src/qemu/qemu_driver.c
++++ b/src/qemu/qemu_driver.c
+@@ -3146,6 +3146,7 @@ static int qemudDomainSave(virDomainPtr dom,
+     char *xml = NULL;
+     struct qemud_save_header header;
+     int ret = -1;
++    int rc;
+     virDomainEventPtr event = NULL;
+ 
+     memset(&header, 0, sizeof(header));
+@@ -3226,9 +3227,22 @@ static int qemudDomainSave(virDomainPtr dom,
+     }
+     fd = -1;
+ 
++    if (driver->privileged &&
++        chown(path, driver->user, driver->group) < 0) {
++        virReportSystemError(NULL, errno,
++                             _("unable to set ownership of '%s' to user %d:%d"),
++                             path, driver->user, driver->group);
++        goto cleanup;
++    }
++
++    if (driver->securityDriver &&
++        driver->securityDriver->domainSetSavedStateLabel &&
++        driver->securityDriver->domainSetSavedStateLabel(dom->conn, vm, path) == -1)
++        goto cleanup;
++
+     if (header.compressed == QEMUD_SAVE_FORMAT_RAW) {
+         const char *args[] = { "cat", NULL };
+-        ret = qemuMonitorMigrateToCommand(vm, 0, args, path);
++        rc = qemuMonitorMigrateToCommand(vm, 0, args, path);
+     } else {
+         const char *prog = qemudSaveCompressionTypeToString(header.compressed);
+         const char *args[] = {
+@@ -3236,12 +3250,27 @@ static int qemudDomainSave(virDomainPtr dom,
+             "-c",
+             NULL
+         };
+-        ret = qemuMonitorMigrateToCommand(vm, 0, args, path);
++        rc = qemuMonitorMigrateToCommand(vm, 0, args, path);
+     }
+ 
+-    if (ret < 0)
++    if (rc < 0)
+         goto cleanup;
+ 
++    if (driver->privileged &&
++        chown(path, 0, 0) < 0) {
++        virReportSystemError(NULL, errno,
++                             _("unable to set ownership of '%s' to user %d:%d"),
++                             path, 0, 0);
++        goto cleanup;
++    }
++
++    if (driver->securityDriver &&
++        driver->securityDriver->domainRestoreSavedStateLabel &&
++        driver->securityDriver->domainRestoreSavedStateLabel(dom->conn, path) == -1)
++        goto cleanup;
++
++    ret = 0;
++
+     /* Shut it down */
+     qemudShutdownVMDaemon(dom->conn, driver, vm);
+     event = virDomainEventNewFromObj(vm,
+diff --git a/src/security/security_driver.h b/src/security/security_driver.h
+index fde2978..5514962 100644
+--- a/src/security/security_driver.h
++++ b/src/security/security_driver.h
+@@ -42,6 +42,11 @@ typedef int (*virSecurityDomainRestoreHostdevLabel) (virConnectPtr conn,
+ typedef int (*virSecurityDomainSetHostdevLabel) (virConnectPtr conn,
+                                                  virDomainObjPtr vm,
+                                                  virDomainHostdevDefPtr dev);
++typedef int (*virSecurityDomainSetSavedStateLabel) (virConnectPtr conn,
++                                                    virDomainObjPtr vm,
++                                                    const char *savefile);
++typedef int (*virSecurityDomainRestoreSavedStateLabel) (virConnectPtr conn,
++                                                        const char *savefile);
+ typedef int (*virSecurityDomainGenLabel) (virConnectPtr conn,
+                                           virDomainObjPtr sec);
+ typedef int (*virSecurityDomainReserveLabel) (virConnectPtr conn,
+@@ -71,6 +76,8 @@ struct _virSecurityDriver {
+     virSecurityDomainRestoreLabel domainRestoreSecurityLabel;
+     virSecurityDomainRestoreHostdevLabel domainRestoreSecurityHostdevLabel;
+     virSecurityDomainSetHostdevLabel domainSetSecurityHostdevLabel;
++    virSecurityDomainSetSavedStateLabel domainSetSavedStateLabel;
++    virSecurityDomainRestoreSavedStateLabel domainRestoreSavedStateLabel;
+ 
+     /*
+      * This is internally managed driver state and should only be accessed
+diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
+index 7e0f71a..4f2d1d3 100644
+--- a/src/security/security_selinux.c
++++ b/src/security/security_selinux.c
+@@ -525,6 +525,7 @@ done:
+     return ret;
+ }
+ 
++
+ static int
+ SELinuxRestoreSecurityPCILabel(virConnectPtr conn,
+                                pciDevice *dev ATTRIBUTE_UNUSED,
+@@ -625,6 +626,26 @@ SELinuxRestoreSecurityLabel(virConnectPtr conn,
+     return rc;
+ }
+ 
++
++static int
++SELinuxSetSavedStateLabel(virConnectPtr conn,
++                          virDomainObjPtr vm,
++                          const char *savefile)
++{
++    const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
++
++    return SELinuxSetFilecon(conn, savefile, secdef->imagelabel);
++}
++
++
++static int
++SELinuxRestoreSavedStateLabel(virConnectPtr conn,
++                              const char *savefile)
++{
++    return SELinuxRestoreSecurityFileLabel(conn, savefile);
++}
++
++
+ static int
+ SELinuxSecurityVerify(virConnectPtr conn, virDomainDefPtr def)
+ {
+@@ -694,4 +715,6 @@ virSecurityDriver virSELinuxSecurityDriver = {
+     .domainSetSecurityLabel     = SELinuxSetSecurityLabel,
+     .domainSetSecurityHostdevLabel = SELinuxSetSecurityHostdevLabel,
+     .domainRestoreSecurityHostdevLabel = SELinuxRestoreSecurityHostdevLabel,
++    .domainSetSavedStateLabel = SELinuxSetSavedStateLabel,
++    .domainRestoreSavedStateLabel = SELinuxRestoreSavedStateLabel,
+ };
+-- 
+1.6.5.2
+

sources

@@ -1 +1 @@
-5abe4b1fd6b57948ce259036afdc9194  libvirt-0.2.2.tar.gz
+133aead8c46c0601b6b37e024c6aa86a  libvirt-0.7.2.tar.gz