Disable sound cards when running sVirt

libvirt-0.6.1-svirt-shared-readonly.patch

@@ -0,0 +1,143 @@
+diff -rup libvirt-0.6.1.orig/src/qemu_driver.c libvirt-0.6.1.new/src/qemu_driver.c
+--- libvirt-0.6.1.orig/src/qemu_driver.c	2009-03-17 11:57:04.000000000 +0000
++++ libvirt-0.6.1.new/src/qemu_driver.c	2009-03-17 11:57:12.000000000 +0000
+@@ -3765,7 +3765,7 @@ static int qemudDomainAttachDevice(virDo
+                 goto cleanup;
+             }
+             if (driver->securityDriver)
+-                driver->securityDriver->domainSetSecurityImageLabel(dom->conn, vm, dev);
++                driver->securityDriver->domainSetSecurityImageLabel(dom->conn, vm, dev->data.disk);
+             break;
+ 
+         default:
+@@ -3901,7 +3901,7 @@ static int qemudDomainDetachDevice(virDo
+          dev->data.disk->bus == VIR_DOMAIN_DISK_BUS_VIRTIO)) {
+         ret = qemudDomainDetachPciDiskDevice(dom->conn, vm, dev);
+         if (driver->securityDriver)
+-            driver->securityDriver->domainRestoreSecurityImageLabel(dom->conn, vm, dev);
++            driver->securityDriver->domainRestoreSecurityImageLabel(dom->conn, dev->data.disk);
+     }
+     else
+         qemudReportError(dom->conn, dom, NULL, VIR_ERR_NO_SUPPORT,
+diff -rup libvirt-0.6.1.orig/src/security.h libvirt-0.6.1.new/src/security.h
+--- libvirt-0.6.1.orig/src/security.h	2009-03-03 16:40:46.000000000 +0000
++++ libvirt-0.6.1.new/src/security.h	2009-03-17 11:57:12.000000000 +0000
+@@ -32,11 +32,10 @@ typedef virSecurityDriverStatus (*virSec
+ typedef int (*virSecurityDriverOpen) (virConnectPtr conn,
+                                       virSecurityDriverPtr drv);
+ typedef int (*virSecurityDomainRestoreImageLabel) (virConnectPtr conn,
+-                                                   virDomainObjPtr vm,
+-                                                   virDomainDeviceDefPtr dev);
++                                                   virDomainDiskDefPtr disk);
+ typedef int (*virSecurityDomainSetImageLabel) (virConnectPtr conn,
+                                                virDomainObjPtr vm,
+-                                               virDomainDeviceDefPtr dev);
++                                               virDomainDiskDefPtr disk);
+ typedef int (*virSecurityDomainGenLabel) (virConnectPtr conn,
+                                           virDomainObjPtr sec);
+ typedef int (*virSecurityDomainGetLabel) (virConnectPtr conn,
+diff -rup libvirt-0.6.1.orig/src/security_selinux.c libvirt-0.6.1.new/src/security_selinux.c
+--- libvirt-0.6.1.orig/src/security_selinux.c	2009-03-03 16:40:46.000000000 +0000
++++ libvirt-0.6.1.new/src/security_selinux.c	2009-03-17 11:57:12.000000000 +0000
+@@ -269,7 +269,7 @@ SELinuxGetSecurityLabel(virConnectPtr co
+ }
+ 
+ static int
+-SELinuxSetFilecon(virConnectPtr conn, char *path, char *tcon)
++SELinuxSetFilecon(virConnectPtr conn, const char *path, char *tcon)
+ {
+     char ebuf[1024];
+ 
+@@ -288,28 +288,51 @@ SELinuxSetFilecon(virConnectPtr conn, ch
+ 
+ static int
+ SELinuxRestoreSecurityImageLabel(virConnectPtr conn,
+-                                 virDomainObjPtr vm,
+-                                 virDomainDeviceDefPtr dev)
++                                 virDomainDiskDefPtr disk)
+ {
+-    const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
++    struct stat buf;
++    security_context_t fcon = NULL;
++    int rc = -1;
++    char *newpath = NULL;
++    const char *path = disk->src;
+ 
+-    if (secdef->imagelabel) {
+-        return SELinuxSetFilecon(conn, dev->data.disk->src, default_image_context);
++    if (disk->readonly || disk->shared)
++        return 0;
++
++    if (lstat(path, &buf) != 0)
++        return -1;
++
++    if (S_ISLNK(buf.st_mode)) {
++        if (VIR_ALLOC_N(newpath, buf.st_size + 1) < 0)
++            return -1;
++
++        if (readlink(path, newpath, buf.st_size) < 0)
++            goto err;
++        path = newpath;
++        if (stat(path, &buf) != 0)
++            goto err;
+     }
+-    return 0;
++
++    if (matchpathcon(path, buf.st_mode, &fcon) == 0)  {
++        rc = SELinuxSetFilecon(conn, path, fcon);
++    }
++err:
++    VIR_FREE(fcon);
++    VIR_FREE(newpath);
++    return rc;
+ }
+ 
+ static int
+ SELinuxSetSecurityImageLabel(virConnectPtr conn,
+                              virDomainObjPtr vm,
+-                             virDomainDeviceDefPtr dev)
++                             virDomainDiskDefPtr disk)
+ 
+ {
+     const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+ 
+-    if (secdef->imagelabel) {
+-        return SELinuxSetFilecon(conn, dev->data.disk->src, secdef->imagelabel);
+-    }
++    if (secdef->imagelabel)
++        return SELinuxSetFilecon(conn, disk->src, secdef->imagelabel);
++
+     return 0;
+ }
+ 
+@@ -322,7 +345,7 @@ SELinuxRestoreSecurityLabel(virConnectPt
+     int rc = 0;
+     if (secdef->imagelabel) {
+         for (i = 0 ; i < vm->def->ndisks ; i++) {
+-            if (SELinuxSetFilecon(conn, vm->def->disks[i]->src, default_image_context) < 0)
++            if (SELinuxRestoreSecurityImageLabel(conn, vm->def->disks[i]) < 0)
+                 rc = -1;
+         }
+         VIR_FREE(secdef->model);
+@@ -368,16 +391,11 @@ SELinuxSetSecurityLabel(virConnectPtr co
+ 
+     if (secdef->imagelabel) {
+         for (i = 0 ; i < vm->def->ndisks ; i++) {
+-            if(setfilecon(vm->def->disks[i]->src, secdef->imagelabel) < 0) {
+-                virSecurityReportError(conn, VIR_ERR_ERROR,
+-                                       _("%s: unable to set security context "
+-                                         "'\%s\' on %s: %s."), __func__,
+-                                       secdef->imagelabel,
+-                                       vm->def->disks[i]->src,
+-                                       virStrerror(errno, ebuf, sizeof ebuf));
+-                if (security_getenforce() == 1)
+-                    return -1;
+-            }
++            if (vm->def->disks[i]->readonly ||
++                vm->def->disks[i]->shared) continue;
++
++            if (SELinuxSetSecurityImageLabel(conn, vm, vm->def->disks[i]) < 0)
++                return -1;
+         }
+     }
+ 

libvirt-0.6.1-svirt-sound.patch

@@ -0,0 +1,35 @@
+diff -rup libvirt-0.6.1.orig/src/qemu_conf.c libvirt-0.6.1.new/src/qemu_conf.c
+--- libvirt-0.6.1.orig/src/qemu_conf.c	2009-03-17 11:57:04.000000000 +0000
++++ libvirt-0.6.1.new/src/qemu_conf.c	2009-03-17 15:50:08.000000000 +0000
+@@ -757,6 +757,20 @@ int qemudBuildCommandLine(virConnectPtr 
+     char uuid[VIR_UUID_STRING_BUFLEN];
+     char domid[50];
+     char *pidfile;
++    int skipSound = 0;
++
++    if (driver->securityDriver &&
++        driver->securityDriver->name &&
++        STREQ(driver->securityDriver->name, "selinux") &&
++        getuid == 0) {
++        static int soundWarned = 0; 
++        skipSound = 1;
++        if (vm->def->nsounds &&
++            !soundWarned) {
++            soundWarned = 1;
++            VIR_WARN0("Sound cards for VMs are disabled while SELinux security model is active");
++        }
++    }
+ 
+     uname_normalize(&ut);
+ 
+@@ -1364,7 +1378,8 @@ int qemudBuildCommandLine(virConnectPtr 
+     }
+ 
+     /* Add sound hardware */
+-    if (vm->def->nsounds) {
++    if (vm->def->nsounds &&
++        !skipSound) {
+         int size = 100;
+         char *modstr;
+         if (VIR_ALLOC_N(modstr, size+1) < 0)
+Only in libvirt-0.6.1.new/src: qemu_conf.c~

libvirt.spec

@@ -47,7 +47,7 @@
 Summary: Library providing a simple API virtualization
 Name: libvirt
 Version: 0.6.1
-Release: 4%{?dist}%{?extra_release}
+Release: 5%{?dist}%{?extra_release}
 License: LGPLv2+
 Group: Development/Libraries
 Source: libvirt-%{version}.tar.gz
@@ -61,10 +61,15 @@ Patch7: libvirt-0.6.1-storage-free.patch
 Patch8: libvirt-0.6.1-vcpu-deadlock.patch
 Patch9: libvirt-0.6.1-xenblock-detach.patch
 Patch10: libvirt-0.6.1-fd-leaks2.patch
+Patch11: libvirt-0.6.1-svirt-shared-readonly.patch
 
 # Not upstream yet - pending QEMU merge
 Patch100: libvirt-0.6.1-vnc-sasl-auth.patch
 
+# Not for upstream. Temporary hack till PulseAudio autostart
+# problems are sorted out when SELinux enforcing
+Patch200: libvirt-0.6.1-svirt-sound.patch
+
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
 URL: http://libvirt.org/
 BuildRequires: python python-devel
@@ -205,8 +210,10 @@ of recent versions of Linux (and other OSes).
 %patch8 -p1
 %patch9 -p1
 %patch10 -p0
+%patch11 -p1
 
 %patch100 -p1
+%patch200 -p1
 
 mv NEWS NEWS.old
 iconv -f ISO-8859-1 -t UTF-8 < NEWS.old > NEWS
@@ -499,6 +506,10 @@ fi
 %endif
 
 %changelog
+* Tue Mar 17 2009 Daniel P. Berrange <berrange@redhat.com> - 0.6.1-5.fc11
+- Don't relabel shared/readonly disks
+- Disable sound cards when running sVirt
+
 * Tue Mar 17 2009 Daniel P. Berrange <berrange@redhat.com> - 0.6.1-4.fc11
 - Fix memory allocation for xend lookup
 - Avoid crash if storage volume deletion fails