Fix readonly/shared disk image labelling (rhbz #493692)

Daniel

libvirt-0.6.3-shared-readonly-label.patch

@@ -0,0 +1,76 @@
+diff -rup libvirt-0.6.2/src/security_selinux.c libvirt-0.6.2.new/src/security_selinux.c
+--- libvirt-0.6.2/src/security_selinux.c	2009-04-03 15:36:56.000000000 +0100
++++ libvirt-0.6.2.new/src/security_selinux.c	2009-05-05 13:39:42.000000000 +0100
+@@ -24,11 +24,12 @@
+ #include "virterror_internal.h"
+ #include "util.h"
+ #include "memory.h"
+-
++#include "logging.h"
+ 
+ #define VIR_FROM_THIS VIR_FROM_SECURITY
+ 
+ static char default_domain_context[1024];
++static char default_content_context[1024];
+ static char default_image_context[1024];
+ #define SECURITY_SELINUX_VOID_DOI       "0"
+ #define SECURITY_SELINUX_NAME "selinux"
+@@ -148,8 +149,13 @@ SELinuxInitialize(virConnectPtr conn)
+     close(fd);
+ 
+     ptr = strchrnul(default_image_context, '\n');
+-    *ptr = '\0';
+-
++    if (*ptr == '\n') {
++        *ptr = '\0';
++        strcpy(default_content_context, ptr+1);
++        ptr = strchrnul(default_content_context, '\n');
++        if (*ptr == '\n')
++            *ptr = '\0';
++    }
+     return 0;
+ }
+ 
+@@ -275,6 +281,8 @@ SELinuxSetFilecon(virConnectPtr conn, co
+ {
+     char ebuf[1024];
+ 
++    VIR_INFO("Setting SELinux context on '%s' to '%s'", path, tcon);
++
+     if(setfilecon(path, tcon) < 0) {
+         virSecurityReportError(conn, VIR_ERR_ERROR,
+                                _("%s: unable to set security context "
+@@ -299,6 +307,8 @@ SELinuxRestoreSecurityImageLabel(virConn
+     char *newpath = NULL;
+     const char *path = disk->src;
+ 
++    /* Don't restore labels on readoly/shared disks, because
++     * other VMs may still be accessing these */
+     if (disk->readonly || disk->shared)
+         return 0;
+ 
+@@ -328,8 +338,13 @@ SELinuxSetSecurityImageLabel(virConnectP
+ {
+     const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+ 
+-    if (secdef->imagelabel)
++    if (disk->shared) {
++        return SELinuxSetFilecon(conn, disk->src, default_image_context);
++    } else if (disk->readonly) {
++        return SELinuxSetFilecon(conn, disk->src, default_content_context);
++    } else if (secdef->imagelabel) {
+         return SELinuxSetFilecon(conn, disk->src, secdef->imagelabel);
++    }
+ 
+     return 0;
+ }
+@@ -403,9 +418,6 @@ SELinuxSetSecurityLabel(virConnectPtr co
+ 
+     if (secdef->imagelabel) {
+         for (i = 0 ; i < vm->def->ndisks ; i++) {
+-            if (vm->def->disks[i]->readonly ||
+-                vm->def->disks[i]->shared) continue;
+-
+             if (SELinuxSetSecurityImageLabel(conn, vm, vm->def->disks[i]) < 0)
+                 return -1;
+         }

libvirt.spec

@@ -55,13 +55,14 @@
 Summary: Library providing a simple API virtualization
 Name: libvirt
 Version: 0.6.3
-Release: 1%{?dist}%{?extra_release}
+Release: 4%{?dist}%{?extra_release}
 License: LGPLv2+
 Group: Development/Libraries
 Source: libvirt-%{version}.tar.gz
 
 # Patches cherry-picked from upstream
 # N/A
+Patch1: libvirt-0.6.3-shared-readonly-label.patch
 
 # Not for upstream. Temporary hack till PulseAudio autostart
 # problems are sorted out when SELinux enforcing
@@ -215,6 +216,7 @@ of recent versions of Linux (and other OSes).
 
 %prep
 %setup -q
+%patch1 -p1
 
 %patch200 -p0
 
@@ -335,6 +337,8 @@ install -d -m 0755 $RPM_BUILD_ROOT%{_localstatedir}/run/libvirt/
 install -d -m 0755 $RPM_BUILD_ROOT%{_localstatedir}/lib/libvirt/images/
 # Default dir for kernel+initrd images defined in SELinux policy
 install -d -m 0755 $RPM_BUILD_ROOT%{_localstatedir}/lib/libvirt/boot/
+# used for virDomainMemoryPeek
+install -d -m 0700 $RPM_BUILD_ROOT%{_localstatedir}/cache/libvirt/
 
 %if %{with_qemu}
 # We don't want to install /etc/libvirt/qemu/networks in the main %files list
@@ -455,6 +459,7 @@ fi
 %dir %{_localstatedir}/lib/libvirt/
 %dir %attr(0700, root, root) %{_localstatedir}/lib/libvirt/images/
 %dir %attr(0700, root, root) %{_localstatedir}/lib/libvirt/boot/
+%dir %attr(0700, root, root) %{_localstatedir}/cache/libvirt/
 
 %if %{with_qemu}
 %dir %{_localstatedir}/run/libvirt/qemu/
@@ -517,6 +522,7 @@ fi
 %dir %{_includedir}/libvirt
 %{_includedir}/libvirt/*.h
 %{_libdir}/pkgconfig/libvirt.pc
+%dir %{_datadir}/gtk-doc/html/libvirt
 %doc %{_datadir}/gtk-doc/html/libvirt/*.devhelp
 %doc %{_datadir}/gtk-doc/html/libvirt/*.html
 %doc %{_datadir}/gtk-doc/html/libvirt/*.png
@@ -541,6 +547,15 @@ fi
 %endif
 
 %changelog
+* Tue May  5 2009 Daniel Berrange <berrange@redhat.com> - 0.6.3-4.fc12
+- Fix readonly/shared disk image labelling (rhbz #493692)
+
+* Tue Apr 28 2009 Daniel Veillard <veillard@redhat.com> - 0.6.3-3.fc12
+- was also missing /usr/share/gtk-doc/html/libvirt in -devel
+
+* Tue Apr 28 2009 Daniel Veillard <veillard@redhat.com> - 0.6.3-2.fc12
+- fix packaging bug #496945 libvirt should own /var/cache/libvirt
+
 * Fri Apr 24 2009 Daniel Veillard <veillard@redhat.com> - 0.6.3-1.fc12
 - release of 0.6.3
 - VirtualBox driver