[libvirt] Fix labelling host devices (bz #1145968)

Cole Robinson crobinso at fedoraproject.org
Wed Sep 24 16:15:48 UTC 2014


commit 5b1a906acef3b992e4c1de104f78c7d946165f4d
Author: Cole Robinson <crobinso at redhat.com>
Date:   Wed Sep 24 12:15:49 2014 -0400

    Fix labelling host devices (bz #1145968)

 ...ity-Fix-labelling-host-devices-bz-1145968.patch |   78 ++++++++++++++++++++
 libvirt.spec                                       |    9 ++-
 2 files changed, 86 insertions(+), 1 deletions(-)
---
diff --git a/0103-security-Fix-labelling-host-devices-bz-1145968.patch b/0103-security-Fix-labelling-host-devices-bz-1145968.patch
new file mode 100644
index 0000000..b23d1b8
--- /dev/null
+++ b/0103-security-Fix-labelling-host-devices-bz-1145968.patch
@@ -0,0 +1,78 @@
+From 3a8e136e6b46174f347e088ade020c168fffafad Mon Sep 17 00:00:00 2001
+From: Cole Robinson <crobinso at redhat.com>
+Date: Wed, 24 Sep 2014 11:47:46 -0400
+Subject: [PATCH] security: Fix labelling host devices (bz 1145968)
+
+The check for ISCSI devices was missing a check of subsys type, which
+meant we could skip labelling of other host devices as well. This fixes
+USB hotplug on F21
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1145968
+---
+ src/security/security_apparmor.c | 3 ++-
+ src/security/security_dac.c      | 6 ++++--
+ src/security/security_selinux.c  | 6 ++++--
+ 3 files changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/src/security/security_apparmor.c b/src/security/security_apparmor.c
+index 041ce65..3025284 100644
+--- a/src/security/security_apparmor.c
++++ b/src/security/security_apparmor.c
+@@ -828,7 +828,8 @@ AppArmorSetSecurityHostdevLabel(virSecurityManagerPtr mgr,
+     /* Like AppArmorRestoreSecurityImageLabel() for a networked disk,
+      * do nothing for an iSCSI hostdev
+      */
+-    if (scsisrc->protocol == VIR_DOMAIN_HOSTDEV_SCSI_PROTOCOL_TYPE_ISCSI)
++    if (dev->source.subsys.type == VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_SCSI &&
++        scsisrc->protocol == VIR_DOMAIN_HOSTDEV_SCSI_PROTOCOL_TYPE_ISCSI)
+         return 0;
+ 
+     if (profile_loaded(secdef->imagelabel) < 0)
+diff --git a/src/security/security_dac.c b/src/security/security_dac.c
+index e398d2c..85253af 100644
+--- a/src/security/security_dac.c
++++ b/src/security/security_dac.c
+@@ -523,7 +523,8 @@ virSecurityDACSetSecurityHostdevLabel(virSecurityManagerPtr mgr,
+     /* Like virSecurityDACSetSecurityImageLabel() for a networked disk,
+      * do nothing for an iSCSI hostdev
+      */
+-    if (scsisrc->protocol == VIR_DOMAIN_HOSTDEV_SCSI_PROTOCOL_TYPE_ISCSI)
++    if (dev->source.subsys.type == VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_SCSI &&
++        scsisrc->protocol == VIR_DOMAIN_HOSTDEV_SCSI_PROTOCOL_TYPE_ISCSI)
+         return 0;
+ 
+     cbdata.manager = mgr;
+@@ -657,7 +658,8 @@ virSecurityDACRestoreSecurityHostdevLabel(virSecurityManagerPtr mgr,
+     /* Like virSecurityDACRestoreSecurityImageLabelInt() for a networked disk,
+      * do nothing for an iSCSI hostdev
+      */
+-    if (scsisrc->protocol == VIR_DOMAIN_HOSTDEV_SCSI_PROTOCOL_TYPE_ISCSI)
++    if (dev->source.subsys.type == VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_SCSI &&
++        scsisrc->protocol == VIR_DOMAIN_HOSTDEV_SCSI_PROTOCOL_TYPE_ISCSI)
+         return 0;
+ 
+     switch ((virDomainHostdevSubsysType) dev->source.subsys.type) {
+diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
+index b9efbc5..ea1efc9 100644
+--- a/src/security/security_selinux.c
++++ b/src/security/security_selinux.c
+@@ -1327,7 +1327,8 @@ virSecuritySELinuxSetSecurityHostdevSubsysLabel(virDomainDefPtr def,
+     /* Like virSecuritySELinuxSetSecurityImageLabelInternal() for a networked
+      * disk, do nothing for an iSCSI hostdev
+      */
+-    if (scsisrc->protocol == VIR_DOMAIN_HOSTDEV_SCSI_PROTOCOL_TYPE_ISCSI)
++    if (dev->source.subsys.type == VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_SCSI &&
++        scsisrc->protocol == VIR_DOMAIN_HOSTDEV_SCSI_PROTOCOL_TYPE_ISCSI)
+         return 0;
+ 
+     switch (dev->source.subsys.type) {
+@@ -1520,7 +1521,8 @@ virSecuritySELinuxRestoreSecurityHostdevSubsysLabel(virSecurityManagerPtr mgr,
+     /* Like virSecuritySELinuxRestoreSecurityImageLabelInt() for a networked
+      * disk, do nothing for an iSCSI hostdev
+      */
+-    if (scsisrc->protocol == VIR_DOMAIN_HOSTDEV_SCSI_PROTOCOL_TYPE_ISCSI)
++    if (dev->source.subsys.type == VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_SCSI &&
++        scsisrc->protocol == VIR_DOMAIN_HOSTDEV_SCSI_PROTOCOL_TYPE_ISCSI)
+         return 0;
+ 
+     switch (dev->source.subsys.type) {
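Review bot: The early `return 0` in all five hostdev label functions (AppArmor set, DAC set/restore, SELinux set/restore) still sits under a comment that only says "do nothing for an iSCSI hostdev", so nothing on the new side records why the `dev->source.subsys.type == VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_SCSI` test must come first. I would extend each comment with something like `/* scsisrc->protocol is only valid for SCSI hostdevs; check subsys.type first or other device types are skipped unlabelled */`; the first clause is inferred from the commit message, because the declaration of `scsisrc` is outside the hunks. The same two-line condition is now copied verbatim into three drivers, which is how the unguarded form reached all of them, so a single shared predicate taking `dev` would keep them in step. Because a wrong match here silently skips setting or restoring a device's security label, a regression test that pushes a USB or PCI hostdev through each driver's set and restore path would be worth adding. The enclosing functions begin and end outside these hunks, so any earlier mode or type checks cannot be confirmed from this page.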
diff --git a/libvirt.spec b/libvirt.spec
index 57d20f2..6ae550e 100644
--- a/libvirt.spec
+++ b/libvirt.spec
@@ -363,7 +363,7 @@
 Summary: Library providing a simple virtualization API
 Name: libvirt
 Version: 1.2.8
-Release: 5%{?dist}%{?extra_release}
+Release: 6%{?dist}%{?extra_release}
 License: LGPLv2+
 Group: Development/Libraries
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
@@ -404,6 +404,8 @@ Patch0020: 0020-spec-Re-run-autotools-for-ovmf-patches.patch
 # Fix specifying CPU for qemu aarch64
 Patch0101: 0101-qemu_command-Split-qemuBuildCpuArgStr.patch
 Patch0102: 0102-qemu-Don-t-compare-CPU-against-host-for-TCG.patch
+# Fix labelling host devices (bz #1145968)
+Patch0103: 0103-security-Fix-labelling-host-devices-bz-1145968.patch
 
 %if %{with_libvirtd}
 Requires: libvirt-daemon = %{version}-%{release}
@@ -1259,6 +1261,8 @@ driver
 # Fix specifying CPU for qemu aarch64
 %patch0101 -p1
 %patch0102 -p1
+# Fix labelling host devices (bz #1145968)
+%patch0103 -p1
 
 %build
 %if ! %{with_xen}
@@ -2336,6 +2340,9 @@ exit 0
 %doc examples/systemtap
 
 %changelog
+* Wed Sep 24 2014 Cole Robinson <crobinso at redhat.com> - 1.2.8-6
+- Fix labelling host devices (bz #1145968)
+
 * Tue Sep 23 2014 Cole Robinson <crobinso at redhat.com> - 1.2.8-5
 - Fix specifying CPU for qemu aarch64
 

