Re: [PATCH v3 06/14] security: Add DAC and SELinux security for tpm-emulator

On 05/08/2018 04:01 PM, John Ferlan wrote:

On 05/04/2018 04:21 PM, Stefan Berger wrote:
Extend the DAC and SELinux modules with support for the
tpm-emulator.

Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxxxxxxxxxx>
---
  src/security/security_dac.c     | 4 ++++
  src/security/security_selinux.c | 5 +++++
  2 files changed, 9 insertions(+)

diff --git a/src/security/security_dac.c b/src/security/security_dac.c
index 5efbc27..351f6f4 100644
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -1373,6 +1373,10 @@ virSecurityDACSetTPMFileLabel(virSecurityManagerPtr mgr,
                                              false);
          break;
      case VIR_DOMAIN_TPM_TYPE_EMULATOR:
+        ret = virSecurityDACSetChardevLabel(mgr, def,
+                                            &tpm->data.emulator.source,
+                                            false);
+        break;
      case VIR_DOMAIN_TPM_TYPE_LAST:
          break;
      }
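Review bot: the new VIR_DOMAIN_TPM_TYPE_EMULATOR case sets the chardev label on &tpm->data.emulator.source but this diff adds no matching case in the restore path (virSecurityDACRestoreTPMFileLabel), so the set/restore pair is asymmetric. If the socket is expected to be gone by restore time because the emulator unlinks it on exit, say so in a comment at this case or in the commit message; otherwise add the symmetric virSecurityDACRestoreChardevLabel(mgr, def, &tpm->data.emulator.source, false) call.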
virSecurityDACRestoreTPMFileLabel doesn't need to be changed? e.g.:

Hm, this is setting the DAC label for the Unix socket so that QEMU can connect to it. swtpm creates it but then also removes it upon termination. So basically restoring the security label is not needed. Maybe I should add a comment in the code why it's not there. The same is true for the SELinux label below.



     ret = virSecurityDACRestoreChardevLabel(mgr, def,
                                             &tpm->data.emulator.source,
                                             false);


diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index f5ba877..17bc07a 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -1473,6 +1473,11 @@ virSecuritySELinuxSetTPMFileLabel(virSecurityManagerPtr mgr,
          }
          break;
      case VIR_DOMAIN_TPM_TYPE_EMULATOR:
+        tpmdev = tpm->data.emulator.source.data.nix.path;
+        rc = virSecuritySELinuxSetFilecon(mgr, tpmdev, seclabel->imagelabel);
+        if (rc < 0)
+            return -1;
+        break;
      case VIR_DOMAIN_TPM_TYPE_LAST:
          break;
      }
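Review bot: `tpmdev = tpm->data.emulator.source.data.nix.path;` reads the nix member of the chardev source without checking that the source is actually a UNIX socket; if the domain parser already guarantees that for the emulator backend, a one-line comment here would make it clear, otherwise guard on the source type before dereferencing the path. As with the DAC hunk, there is no counterpart in virSecuritySELinuxRestoreTPMFileLabelInt; if the omission is intentional because the emulator removes the socket on termination, document that next to this case so the asymmetry does not look like an oversight.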

Similarly for virSecuritySELinuxRestoreTPMFileLabelInt:

         tpmdev = tpm->data.emulator.source.data.nix.path;
         rc = virSecuritySELinuxRestoreFileLabel(mgr, tpmdev);

?

With the adjustments or at least an explanation in the commit message
why they cannot be Restored,

Reviewed-by: John Ferlan <jferlan@xxxxxxxxxx>

John


--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list


