diff --git a/95c6cc34-selinux.patch b/95c6cc34-selinux.patch
new file mode 100644
index 0000000..52ca769
--- /dev/null
+++ b/95c6cc34-selinux.patch
@@ -0,0 +1,29 @@
+commit 95c6cc344bec8405636d2a59fc0c34e0581001ab
+Author: Daniel P. Berrange
+Date: Wed May 15 16:26:59 2013 +0100
+
+ Don't mount selinux fs in LXC if selinux is disabled
+
+ Before trying to mount the selinux filesystem in a container
+ use is_selinux_enabled() to check if the machine actually
+ has selinux support (eg not booted with selinux=0)
+
+ Signed-off-by: Daniel P. Berrange
+
+Index: libvirt-1.0.5/src/lxc/lxc_container.c
+===================================================================
+--- libvirt-1.0.5.orig/src/lxc/lxc_container.c
++++ libvirt-1.0.5/src/lxc/lxc_container.c
+@@ -701,6 +701,12 @@ static int lxcContainerMountBasicFS(bool
+ (access(srcpath, R_OK) < 0))
+ continue;
+
++#if WITH_SELINUX
++ if (STREQ(mnts[i].src, SELINUX_MOUNT) &&
++ !is_selinux_enabled())
++ continue;
++#endif
++
+ if (virFileMakePath(mnts[i].dst) < 0) {
+ virReportSystemError(errno,
+ _("Failed to mkdir %s"),
diff --git a/clone.patch b/clone.patch
index 81c862c..b78b059 100644
--- a/clone.patch
+++ b/clone.patch
@@ -34,7 +34,7 @@ Index: src/lxc/lxc_container.c
 VIR_FREE(stack);
 if (cpid < 0) {
 virReportSystemError(errno, "%s",
-@@ -2116,6 +2124,9 @@ int lxcContainerStart(virDomainDefPtr de
+@@ -2122,6 +2130,9 @@ int lxcContainerStart(virDomainDefPtr de
 ttyPaths, nttyPaths, handshakefd};
 /* allocate a stack for the container */
@@ -44,7 +44,7 @@ Index: src/lxc/lxc_container.c
 if (VIR_ALLOC_N(stack, stacksize) < 0) {
 virReportOOMError();
 return -1;
-@@ -2134,7 +2145,11 @@ int lxcContainerStart(virDomainDefPtr de
+@@ -2140,7 +2151,11 @@ int lxcContainerStart(virDomainDefPtr de
 cflags |= CLONE_NEWNET;
 }
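Review bot: The added guard `!is_selinux_enabled()` treats every non-zero return as "enabled", yet several libselinux releases document a -1 error return for this call, so a failed probe would still attempt the selinuxfs mount and fail container start — the very situation this patch sets out to avoid. Testing for success explicitly, `if (STREQ(mnts[i].src, SELINUX_MOUNT) && is_selinux_enabled() != 1)`, skips the mount on both "disabled" and "could not determine". The guard also presumes `SELINUX_MOUNT` and the `<selinux/selinux.h>` declarations are already in scope under `WITH_SELINUX` in lxc_container.c, which this hunk does not show; presumably the existing `mnts` table entry for selinuxfs already relies on them. lxcContainerMountBasicFS begins and ends outside the hunk.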
@@ -56,7 +56,7 @@ Index: src/lxc/lxc_container.c
 VIR_FREE(stack);
 VIR_DEBUG("clone() completed, new container PID is %d", pid);
-@@ -2160,6 +2175,7 @@ int lxcContainerAvailable(int features)
+@@ -2166,6 +2181,7 @@ int lxcContainerAvailable(int features)
 int cpid;
 char *childStack;
 char *stack;
@@ -64,7 +64,7 @@ Index: src/lxc/lxc_container.c
 if (features & LXC_CONTAINER_FEATURE_USER)
 flags |= CLONE_NEWUSER;
-@@ -2167,14 +2183,21 @@ int lxcContainerAvailable(int features)
+@@ -2173,14 +2189,21 @@ int lxcContainerAvailable(int features)
 if (features & LXC_CONTAINER_FEATURE_NET)
 flags |= CLONE_NEWNET;
diff --git a/libvirt.changes b/libvirt.changes
index cc8c1b3..330c58d 100644
--- a/libvirt.changes
+++ b/libvirt.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Mon May 20 14:41:16 MDT 2013 - jfehlig@suse.com
+
+- Don't mount selinux fs in LXC if selinux is disabled
+ 95c6cc34-selinux.patch
+ bnc#814680
+
 -------------------------------------------------------------------
 Sat May 18 09:15:00 MDT 2013 - jfehlig@suse.com
diff --git a/libvirt.spec b/libvirt.spec
index 0c0353c..a48baf0 100644
--- a/libvirt.spec
+++ b/libvirt.spec
@@ -431,6 +431,7 @@ Patch4: 0471637d-cgroups-vcpu-bw.patch
 Patch5: c2cf5f1c-no-cgroups-fix.patch
 Patch6: a2214c52-iohelper.patch
 Patch7: ca697e90-CVE-2013-1962.patch
+Patch8: 95c6cc34-selinux.patch
 # Need to go upstream
 Patch100: xen-name-for-devid.patch
 Patch101: clone.patch
@@ -579,6 +580,7 @@ Authors:
 %patch5 -p1
 %patch6 -p1
 %patch7 -p1
+%patch8 -p1
 %patch100 -p1
 %patch101
 %patch102 -p1