On 10/08/2014 07:23 AM, Michal Privoznik wrote: >>> + if (!STRPREFIX(fd_path, "/dev/tap")) { >> >> Should this be "/dev/tap.", since... >> >>> + VIR_DEBUG("fd=%d points to %s not setting SELinux label", >>> + fd, fd_path); >>> + rc = 0; >>> + goto cleanup; >>> + } >>> + >>> if (getContext(mgr, "/dev/tap.*", buf.st_mode, &fcon) < 0) { >> >> ...you require a '.' in the context lookup? Without the '.' in the >> filter, you would let the (unlikely) name '/dev/tapX' get through. >> >> ACK with that tweaked. >> >> > > In fact, /dev/tapX is what is created. getContext should be using it too > as it accepts shell expendable names, not regular expressions. I'm > adjusting getContext's argument too. I assume "shell expendable" meant "glob" :) Oh wow - so you're saying the only reason this even worked is that getContext was getting lucky and realizing that any file that matches the stricter glob '/dev/tap.*' also matches the looser glob '/dev/tap*', and that we were lucky the context rule we were trying to look up was not written against a tighter glob such as '/dev/tap[0-9]*'. Yes, you've convinced me that the name really is /dev/tapX and that removing the spurious '.' in the call to getContext is correct. -- Eric Blake eblake redhat com +1-919-301-3266 Libvirt virtualization library http://libvirt.org
Attachment:
signature.asc
Description: OpenPGP digital signature
-- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list