- Don't mount selinux fs in LXC if selinux is disabled

95c6cc34-selinux.patch bnc#814680 OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=265
2013-05-20 20:57:29 +00:00
parent 8806eb20b1
commit 4800cebe0e
4 changed files with 42 additions and 4 deletions
--- a/95c6cc34-selinux.patch
+++ b/95c6cc34-selinux.patch
@@ -0,0 +1,29 @@
 commit 95c6cc344bec8405636d2a59fc0c34e0581001ab
 Author: Daniel P. Berrange <berrange@redhat.com>
 Date:   Wed May 15 16:26:59 2013 +0100
    Don't mount selinux fs in LXC if selinux is disabled
    Before trying to mount the selinux filesystem in a container
    use is_selinux_enabled() to check if the machine actually
    has selinux support (eg not booted with selinux=0)
    Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
 Index: libvirt-1.0.5/src/lxc/lxc_container.c
 ===================================================================
 --- libvirt-1.0.5.orig/src/lxc/lxc_container.c
 +++ libvirt-1.0.5/src/lxc/lxc_container.c
@@ -701,6 +701,12 @@ static int lxcContainerMountBasicFS(bool
             (access(srcpath, R_OK) < 0))
             continue;
 +#if WITH_SELINUX
 +        if (STREQ(mnts[i].src, SELINUX_MOUNT) &&
 +            !is_selinux_enabled())
 +            continue;
 +#endif
 +
         if (virFileMakePath(mnts[i].dst) < 0) {
             virReportSystemError(errno,
                                  _("Failed to mkdir %s"),
--- a/clone.patch
+++ b/clone.patch
@@ -34,7 +34,7 @@ Index: src/lxc/lxc_container.c
     VIR_FREE(stack);
     if (cpid < 0) {
         virReportSystemError(errno, "%s",
-@@ -2116,6 +2124,9 @@ int lxcContainerStart(virDomainDefPtr de
+@@ -2122,6 +2130,9 @@ int lxcContainerStart(virDomainDefPtr de
                               ttyPaths, nttyPaths, handshakefd};
     /* allocate a stack for the container */
@@ -44,7 +44,7 @@ Index: src/lxc/lxc_container.c
     if (VIR_ALLOC_N(stack, stacksize) < 0) {
         virReportOOMError();
         return -1;
-@@ -2134,7 +2145,11 @@ int lxcContainerStart(virDomainDefPtr de
+@@ -2140,7 +2151,11 @@ int lxcContainerStart(virDomainDefPtr de
         cflags |= CLONE_NEWNET;
     }
@@ -56,7 +56,7 @@ Index: src/lxc/lxc_container.c
     VIR_FREE(stack);
     VIR_DEBUG("clone() completed, new container PID is %d", pid);
-@@ -2160,6 +2175,7 @@ int lxcContainerAvailable(int features)
+@@ -2166,6 +2181,7 @@ int lxcContainerAvailable(int features)
     int cpid;
     char *childStack;
     char *stack;
@@ -64,7 +64,7 @@ Index: src/lxc/lxc_container.c
     if (features & LXC_CONTAINER_FEATURE_USER)
         flags |= CLONE_NEWUSER;
-@@ -2167,14 +2183,21 @@ int lxcContainerAvailable(int features)
+@@ -2173,14 +2189,21 @@ int lxcContainerAvailable(int features)
     if (features & LXC_CONTAINER_FEATURE_NET)
         flags |= CLONE_NEWNET;
--- a/libvirt.changes
+++ b/libvirt.changes
@@ -1,3 +1,10 @@
 -------------------------------------------------------------------
 Mon May 20 14:41:16 MDT 2013 - jfehlig@suse.com
 - Don't mount selinux fs in LXC if selinux is disabled
  95c6cc34-selinux.patch
  bnc#814680
 -------------------------------------------------------------------
 Sat May 18 09:15:00 MDT 2013 - jfehlig@suse.com
--- a/libvirt.spec
+++ b/libvirt.spec
@@ -431,6 +431,7 @@ Patch4:         0471637d-cgroups-vcpu-bw.patch
 Patch5:         c2cf5f1c-no-cgroups-fix.patch
 Patch6:         a2214c52-iohelper.patch
 Patch7:         ca697e90-CVE-2013-1962.patch
 Patch8:         95c6cc34-selinux.patch
 # Need to go upstream
 Patch100:       xen-name-for-devid.patch
 Patch101:       clone.patch
@@ -579,6 +580,7 @@ Authors:
 %patch5 -p1
 %patch6 -p1
 %patch7 -p1
 %patch8 -p1
 %patch100 -p1
 %patch101
 %patch102 -p1