Re: [PATCH 4/7] security: Label parent directories of character devices

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Fri, Aug 14, 2015 at 11:58:54AM +0200, Martin Kletzander wrote:
> On Thu, Aug 13, 2015 at 04:59:47PM +0100, Daniel P. Berrange wrote:
> >On Thu, Aug 13, 2015 at 05:47:42PM +0200, Martin Kletzander wrote:
> >>We are currently unable to label parent directories for some paths.
> >>However, we will need to have per-domain directories that we would like
> >>to have labelled, but we can't label all of them.  So let's add a
> >>boolean variable that will determine whether parent directory for such
> >>chardev should be labelled as well as that character device itself.
> >>
> >>Signed-off-by: Martin Kletzander <mkletzan@xxxxxxxxxx>
> >>---
> >> src/conf/domain_conf.h          |  1 +
> >> src/security/security_dac.c     | 13 ++++++++++++-
> >> src/security/security_selinux.c | 13 ++++++++++++-
> >> 3 files changed, 25 insertions(+), 2 deletions(-)
> >>
> >>diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h
> >>index e1872bca002c..9d549a395e29 100644
> >>--- a/src/conf/domain_conf.h
> >>+++ b/src/conf/domain_conf.h
> >>@@ -1191,6 +1191,7 @@ struct _virDomainChrSourceDef {
> >>         } udp;
> >>         struct {
> >>             char *path;
> >>+            bool autopath;
> >>             bool listen;
> >>         } nix;
> >>         int spicevmc;
> >
> >I don't think we need this - it seems we can just pass a 'bool labelParent'
> >parameter into  virSecurityManagerSetChardevLabel() when calling it for
> >the monitor socket.
> >
> 
> It's not used only for the monitor socket, but mainly for virtio
> channel's target's unix socket as well and maybe more in the future.
> But I agree it could be named 'labelParent' as well.  Should I resend
> it with that changed?

In the non-monitor cases how will we decide whether it is appropriate
to set labelParent or not ? Those paths are broadly user specified,
so we can't assume the parent is per-VM

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]