Nir Soffer has uploaded a new change for review.

Change subject: lvm: Fix wrong selinux label for readonly images
lvm: Fix wrong selinux label for readonly images

Libvirt readonly images are labeled as "virt_content_t", but vdsm-chcon script was checking for "svirt_content_t". This would cause an image using a correct label to use the less secure "svirt_image_t", which allows writing, compared with "virt_content_t", which allows only reading.

This check was meant to keep good selinux labels when running with a fixed udev that does not change selinux labels to the defaults, and a logical volume is manually refreshed (vdsm does not refresh internal volumes).

Since we do not have such udev version, and are unlikely to get one (udev developers refused to fix udev) this error is unlikely but it should be fixed.

The name of the label is documented incorrectly in libvirt qemu driver documentation (http://libvirt.org/drvqemu.html) but checking the file system reveals the correct label.

Change-Id: Id548a12f1c0b98d9f3bfb5255846dac56a443e75
Relates-To: https://bugzilla.redhat.com/1127460
Relates-To: https://bugzilla.redhat.com/1147910
Signed-off-by: Nir Soffer <[email protected]>
---
M configure.ac
1 file changed, 1 insertion(+), 1 deletion(-)

git pull ssh://gerrit.ovirt.org:29418/vdsm refs/changes/73/33873/1

diff --git a/configure.ac b/configure.ac index 238e519..e2b4d42 100644 --- a/configure.ac +++ b/configure.ac @@ -125,7 +125,7 @@ # Selinux image label AC_SUBST([SVIRT_IMAGE_LABEL], ['svirt_image_t']) -AC_SUBST([SVIRT_CONTENT_LABEL], ['svirt_content_t']) +AC_SUBST([SVIRT_CONTENT_LABEL], ['virt_content_t']) # Users and groups

--
To view, visit http://gerrit.ovirt.org/33873

Gerrit-MessageType: newchange
Gerrit-Change-Id: Id548a12f1c0b98d9f3bfb5255846dac56a443e75
Gerrit-PatchSet: 1
Gerrit-Project: vdsm
Gerrit-Branch: master
Gerrit-Owner: Nir Soffer <[email protected]>
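
Review bot: The changed AC_SUBST line for SVIRT_CONTENT_LABEL in configure.ac carries no comment explaining why the value is 'virt_content_t' when the libvirt qemu driver documentation cited in the commit message names 'svirt_content_t', so a later reader checking against that documentation could change it back and reintroduce the fallback to the writable 'svirt_image_t'. Suggest extending the "# Selinux image label" comment above these lines to state that the read-only label is 'virt_content_t' as found on the file system and that the documentation differs. The variable name SVIRT_CONTENT_LABEL also no longer matches the prefix of its value; if it is kept for compatibility with its consumers, which this patch does not show, say so in the same comment.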
