From 52ee0500d374893a9b26bcc56b16990b5e411102 Mon Sep 17 00:00:00 2001
From: "Richard W.M. Jones"
Date: Tue, 23 Nov 2021 14:37:47 +0000
Subject: [PATCH] lib/qemuNBD.ml: Use new qemu-nbd --selinux-label option
When we are using SELinux and the qemu-nbd --selinux-label option (added in qemu 6.2) is available, use it to properly label the socket.
This copies what we do for nbdkit.
---
 lib/qemuNBD.ml | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/lib/qemuNBD.ml b/lib/qemuNBD.ml
index 177a010e6..013ca3cd9 100644
--- a/lib/qemuNBD.ml
+++ b/lib/qemuNBD.ml
@@ -32,6 +32,10 @@ let is_installed =
 let test = lazy (Sys.command "qemu-nbd --version >/dev/null 2>&1" = 0) in
 fun () -> Lazy.force test
+let qemu_nbd_has_selinux_label_option =
+ let test = lazy (Sys.command "qemu-nbd --help |& grep -sq selinux" = 0) in
+ fun () -> Lazy.force test
+
 type version = int * int * int
 let version =
@@ -94,6 +98,11 @@ let run_unix ?socket { disk; snapshot; format } =
 (* -s adds a protective overlay. *)
 if snapshot then List.push_back args "-s";
+ if have_selinux && qemu_nbd_has_selinux_label_option () then (
+ List.push_back args "--selinux-label";
+ List.push_back args "system_u:object_r:svirt_socket_t:s0"
+ );
+
 Option.may (
 fun format ->
 List.push_back args "--format";
@@ -126,8 +135,12 @@ let run_unix ?socket { disk; snapshot; format } =
 If the messages above are not sufficient to diagnose the problem then add the ‘virt-v2v -v -x’ options and examine the debugging output carefully.")
 );
- (* We must label the socket so qemu can open it. *)
 if have_selinux then (
+ (* Note that Unix domain sockets have both a file label and
+ * a socket/process label. Using --selinux-label above
+ * only set the socket label, but we must also set the file
+ * label.
+ *)
 ignore (run_command ["chcon"; "system_u:object_r:svirt_image_t:s0"; socket]);
 );
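Review bot: The feature probe `qemu-nbd --help |& grep -sq selinux` in the new `qemu_nbd_has_selinux_label_option` relies on `|&`, a bash extension; `Sys.command` hands the string to `/bin/sh`, so on systems where that is dash or another POSIX shell the pipeline is a syntax error, the command exits non-zero, and the option is silently treated as absent even on a qemu that supports it. The probe also matches the bare word `selinux` anywhere in the help text rather than the option itself. Writing it as `Sys.command "qemu-nbd --help 2>&1 | grep -sq -- --selinux-label"` is portable and tests the exact flag. A one-line comment above the binding noting that the option first appeared in qemu 6.2, as the commit message says, would help the next reader understand why the probe exists.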
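Review bot: When `have_selinux` is true but the probe reports the option missing, the new `if have_selinux && qemu_nbd_has_selinux_label_option ()` block falls through silently and qemu-nbd runs without `--selinux-label`, so the only symptom is a later AVC denial when qemu tries to connect to the socket. Because the probe can fail for reasons other than an old qemu (for example a shell that does not accept the probe command), it would be worth recording the decision on the verbose path, e.g. `if have_selinux && not (qemu_nbd_has_selinux_label_option ()) then debug "qemu-nbd lacks --selinux-label, socket label will not be set"`, assuming a verbose-logging helper such as `debug` is in scope in this module. The literal `system_u:object_r:svirt_socket_t:s0` also sits unexplained next to the `svirt_image_t` literal used later for the file label; a short comment saying this is the label qemu's process context may connect to would document the pairing. `run_unix` starts and ends outside this hunk.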
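Review bot: The new comment states that `--selinux-label above only set the socket label`, but that option is passed only when `qemu_nbd_has_selinux_label_option ()` succeeds, so on an older qemu or a failed probe no socket label is set at all and this `chcon` is the only labelling that happens; the comment should say so, e.g. `When available, --selinux-label above sets the socket's own label; the socket inode's file label must still be set here with chcon.` Separately, the `chcon` result is still discarded by `ignore`, so a failed relabel surfaces later only as an opaque permission error from qemu; if `run_command` reports the exit status, checking it and emitting a warning would make that diagnosable. `run_unix` begins before this hunk.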