- Don't mount selinux fs in LXC if selinux is disabled

95c6cc34-selinux.patch bnc#814680 OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=265
2013-05-20 20:57:29 +00:00 · 2013-05-20 20:57:29 +00:00 · 4800cebe0e
commit 4800cebe0e
parent 8806eb20b1
4 changed files with 42 additions and 4 deletions
--- a/95c6cc34-selinux.patch
+++ b/95c6cc34-selinux.patch
@ -0,0 +1,29 @@
+commit 95c6cc344bec8405636d2a59fc0c34e0581001ab
+Author: Daniel P. Berrange <berrange@redhat.com>
+Date:   Wed May 15 16:26:59 2013 +0100
+
+    Don't mount selinux fs in LXC if selinux is disabled
+    
+    Before trying to mount the selinux filesystem in a container
+    use is_selinux_enabled() to check if the machine actually
+    has selinux support (eg not booted with selinux=0)
+    
+    Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
+
+Index: libvirt-1.0.5/src/lxc/lxc_container.c
+===================================================================
+--- libvirt-1.0.5.orig/src/lxc/lxc_container.c
+++ libvirt-1.0.5/src/lxc/lxc_container.c
+@@ -701,6 +701,12 @@ static int lxcContainerMountBasicFS(bool
+             (access(srcpath, R_OK) < 0))
+             continue;
+ 
+#if WITH_SELINUX
+        if (STREQ(mnts[i].src, SELINUX_MOUNT) &&
+            !is_selinux_enabled())
+            continue;
+#endif
+
+         if (virFileMakePath(mnts[i].dst) < 0) {
+             virReportSystemError(errno,
+                                  _("Failed to mkdir %s"),
--- a/clone.patch
+++ b/clone.patch
@ -34,7 +34,7 @@ Index: src/lxc/lxc_container.c
     VIR_FREE(stack);
     if (cpid < 0) {
         virReportSystemError(errno, "%s",
-@@ -2116,6 +2124,9 @@ int lxcContainerStart(virDomainDefPtr de
+@@ -2122,6 +2130,9 @@ int lxcContainerStart(virDomainDefPtr de
                               ttyPaths, nttyPaths, handshakefd};
 
     /* allocate a stack for the container */
@ -44,7 +44,7 @@ Index: src/lxc/lxc_container.c
     if (VIR_ALLOC_N(stack, stacksize) < 0) {
         virReportOOMError();
         return -1;
-@@ -2134,7 +2145,11 @@ int lxcContainerStart(virDomainDefPtr de
+@@ -2140,7 +2151,11 @@ int lxcContainerStart(virDomainDefPtr de
         cflags |= CLONE_NEWNET;
     }
 
@ -56,7 +56,7 @@ Index: src/lxc/lxc_container.c
     VIR_FREE(stack);
     VIR_DEBUG("clone() completed, new container PID is %d", pid);
 
-@@ -2160,6 +2175,7 @@ int lxcContainerAvailable(int features)
+@@ -2166,6 +2181,7 @@ int lxcContainerAvailable(int features)
     int cpid;
     char *childStack;
     char *stack;
@ -64,7 +64,7 @@ Index: src/lxc/lxc_container.c
 
     if (features & LXC_CONTAINER_FEATURE_USER)
         flags |= CLONE_NEWUSER;
-@@ -2167,14 +2183,21 @@ int lxcContainerAvailable(int features)
+@@ -2173,14 +2189,21 @@ int lxcContainerAvailable(int features)
     if (features & LXC_CONTAINER_FEATURE_NET)
         flags |= CLONE_NEWNET;
 
--- a/libvirt.changes
+++ b/libvirt.changes
@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Mon May 20 14:41:16 MDT 2013 - jfehlig@suse.com
+
+- Don't mount selinux fs in LXC if selinux is disabled
+  95c6cc34-selinux.patch
+  bnc#814680
+
 -------------------------------------------------------------------
 Sat May 18 09:15:00 MDT 2013 - jfehlig@suse.com

--- a/libvirt.spec
+++ b/libvirt.spec
@ -431,6 +431,7 @@ Patch4:         0471637d-cgroups-vcpu-bw.patch
 Patch5:         c2cf5f1c-no-cgroups-fix.patch
 Patch6:         a2214c52-iohelper.patch
 Patch7:         ca697e90-CVE-2013-1962.patch
+Patch8:         95c6cc34-selinux.patch
 # Need to go upstream
 Patch100:       xen-name-for-devid.patch
 Patch101:       clone.patch
@ -579,6 +580,7 @@ Authors:
 %patch5 -p1
 %patch6 -p1
 %patch7 -p1
+%patch8 -p1
 %patch100 -p1
 %patch101
 %patch102 -p1