* src/security_selinux.c: matchpath() may well return NULL for many directories, to try and fallback to using parent directory label in that scenario.
---
 src/security_selinux.c | 29 ++++++++++++++++++++++++++++-
 1 files changed, 28 insertions(+), 1 deletions(-)

diff --git a/src/security_selinux.c b/src/security_selinux.c
index bc295b1..0072360 100644
--- a/src/security_selinux.c
+++ b/src/security_selinux.c
@@ -366,8 +366,35 @@ SELinuxRestoreSecurityFileLabel(virConnectPtr conn,
     if (stat(newpath, &buf) != 0)
         goto err;
 
-    if (matchpathcon(newpath, buf.st_mode, &fcon) == 0) {
+    /* We try real hard to reset the context
+     *
+     * - Prefer an explicit context from policy for the file
+     * - Otherwise copy from parent directory.
+     *
+     * NB this is not just for disk images - PCI/USB device/sysfs
+     * files here too
+     */
+    if (matchpathcon(newpath, buf.st_mode, &fcon) == 0) {
         rc = SELinuxSetFilecon(conn, newpath, fcon);
+    } else {
+        char *dir = strdup(newpath);
+        char *sep;
+        if (!dir) {
+            virReportOOMError(conn);
+            goto err;
+        }
+        VIR_WARN("Cannot find default context for %s, copying from parent", newpath);
+        sep = strrchr(dir, '/');
+        if (sep) {
+            *sep = '\0';
+            if (getfilecon(dir, &fcon) >= 0)
+                rc = SELinuxSetFilecon(conn, newpath, fcon);
+            else
+                VIR_ERROR("Unable to get security context for directory %s", dir);
+        } else {
+            VIR_ERROR("File %s did not contain a directory separator", newpath);
+        }
+        VIR_FREE(dir);
     }
 err:
     VIR_FREE(fcon);
-- 
1.6.2.5
-- 
Libvir-list mailing list
Libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
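Review bot: The parent-directory fallback breaks for a path directly under the root: for `newpath` such as `/foo`, `strrchr(dir, '/')` returns `dir` itself, `*sep = '\0'` turns `dir` into the empty string, and `getfilecon("")` fails, so the file is left with whatever label the guest run gave it and only a VIR_ERROR is logged; the truncation should keep the root directory, e.g. `if (sep == dir) { dir[1] = '\0'; } else { *sep = '\0'; }`. On both VIR_ERROR branches nothing is reported through the conn error machinery and `rc` is left at its initial value (set outside this hunk), so it is worth confirming that the caller sees a failure rather than a silent no-op, since a disk image or device node that keeps its per-VM label after the domain stops is exactly what this restore path exists to prevent. The `VIR_FREE(fcon)` at `err:` also relies on `fcon` having been initialised to NULL before the hunk, because `matchpathcon()` does not assign `fcon` on failure; that initialisation is not visible here, so please verify it. Since the new comment notes that sysfs and device nodes reach this code too, a one-line comment that the copied parent label is a best-effort heuristic and not policy-derived (e.g. `/* parent label is a heuristic: matchpathcon() had no rule for this path */`) would help the next reader. SELinuxRestoreSecurityFileLabel starts before and ends after this hunk.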