Re: [PATCH] security_selinux: Don't relabel /dev/net/tun

On 10/08/2014 07:23 AM, Michal Privoznik wrote:

>>> +    if (!STRPREFIX(fd_path, "/dev/tap")) {
>>
>> Should this be "/dev/tap.", since...
>>
>>> +        VIR_DEBUG("fd=%d points to %s not setting SELinux label",
>>> +                  fd, fd_path);
>>> +        rc = 0;
>>> +        goto cleanup;
>>> +    }
>>> +
>>>       if (getContext(mgr, "/dev/tap.*", buf.st_mode, &fcon) < 0) {
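Review bot: the prefix guard and the context lookup disagree on which names they cover: `STRPREFIX(fd_path, "/dev/tap")` admits any path beginning with /dev/tap, while `getContext(mgr, "/dev/tap.*", ...)` looks up a pattern that requires a literal '.' after "tap". Use one pattern, in the form the device nodes are actually named, for both the early-return check and the lookup so the skip path and the labelling path cover the same set of names. Note also that the skip path sets `rc = 0`, so a descriptor pointing anywhere else returns success with no label applied; that is presumably intended, and the VIR_DEBUG line documents it, but it is worth stating in the commit message.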
>>
>> ...you require a '.' in the context lookup?  Without the '.' in the
>> filter, you would let the (unlikely) name '/dev/tapX' get through.
>>
>> ACK with that tweaked.
>>
>>
> 
> In fact, /dev/tapX is what is created. getContext should be using it too
> as it accepts shell expendable names, not regular expressions. I'm
> adjusting getContext's argument too.

I assume "shell expendable" meant "glob" :)

Oh wow - so you're saying the only reason this even worked is that
getContext was getting lucky and realizing that any file that matches
the stricter glob '/dev/tap.*' also matches the looser glob '/dev/tap*',
and that we were lucky the context rule we were trying to look up was
not written against a tighter glob such as '/dev/tap[0-9]*'.

Yes, you've convinced me that the name really is /dev/tapX and that
removing the spurious '.' in the call to getContext is correct.

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
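The mismatch discussed above, as an added example that is not libvirt code: a small check that tells you whether a prefix guard and a lookup pattern agree on a set of device names. It assumes, as the thread does, that the lookup takes a shell-style glob, which is modelled here with fnmatch(3); the names are constructed.

```c
/* Added example, not libvirt's getContext(): compare a STRPREFIX guard with a
 * glob pattern over a set of device names and count the names the guard lets
 * through that the pattern would then fail to match. */
#include <fnmatch.h>
#include <stdio.h>
#include <string.h>

#define STRPREFIX(a, b) (strncmp((a), (b), strlen(b)) == 0)

/* 1: passes the guard and matches the pattern (would be labelled)
 * 0: rejected by the guard (the patch's rc = 0 early return)
 * -1: passes the guard but does not match the pattern (inconsistent) */
int tap_label_decision(const char *fd_path, const char *prefix,
                       const char *pattern)
{
    if (!STRPREFIX(fd_path, prefix))
        return 0;
    if (fnmatch(pattern, fd_path, 0) == 0)
        return 1;
    return -1;
}

/* Number of names that pass the "/dev/tap" guard but miss `pattern`,
 * evaluated over a constructed sample of device paths. */
int sample_inconsistent(const char *pattern)
{
    static const char *const names[] = {   /* constructed sample */
        "/dev/tap0", "/dev/tap12", "/dev/tap.0", "/dev/tapfoo",
        "/dev/net/tun"
    };
    int bad = 0;
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        if (tap_label_decision(names[i], "/dev/tap", pattern) < 0)
            bad++;
    return bad;
}

int main(void)
{
    const char *patterns[] = { "/dev/tap.*", "/dev/tap*", "/dev/tap[0-9]*" };
    for (size_t i = 0; i < 3; i++)
        printf("%-16s leaves %d guarded names unmatched\n",
               patterns[i], sample_inconsistent(patterns[i]));
    return 0;
}
```

Only '/dev/tap*' agrees with the "/dev/tap" guard on every sample name; the dotted pattern misses the real /dev/tapX names and the digit-anchored one misses anything that is not numbered.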

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
