On 09/18/2018 12:25 AM, John Ferlan wrote:
>
>
> On 09/10/2018 05:36 AM, Michal Privoznik wrote:
>> So far the whole transaction handling is done in
>> virSecuritySELinuxSetFileconHelper(). This needs to change for
>> the sake of security label remembering and locking. Otherwise we
>> would be locking a path when only appending it to the transaction
>> list and not when actually relabelling it.
>>
>> Signed-off-by: Michal Privoznik <mprivozn@xxxxxxxxxx>
>> ---
>>  src/security/security_selinux.c | 35 ++++++++++++++++++++++++++---------
>>  1 file changed, 26 insertions(+), 9 deletions(-)
>>
>
> I shall note only that you didn't follow what you did for DAC with
> regard to copying around the comment:
>
>     /* Be aware that this function might run in a separate process.
>      * Therefore, any driver state changes would be thrown away. */

That is because in the selinux driver only virSecuritySELinuxSetFileconImpl()
is called from the transactionCommit callback. Once I implement label
remembering, the SELinux driver will become more complicated too. Don't
worry ;-)

IOW, DAC differentiates set/restore, SELinux doesn't (in transaction
code).

Michal

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
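The point the commit message makes above, lock a path when it is actually relabelled rather than when it is merely queued, is shown below as an added illustration. This is not libvirt's code and not part of the thread: the filesystem, the labels and the per-path locks are simulated in memory (`file_get`, `path_lock`, `relabel` and the `fake_file` table are all assumed stand-ins; in libvirt the real operations are lock files and setfilecon()). Because the commit callback may run in a separate process, `tx_append` records nothing but the request, and `tx_commit` is the only place that takes and releases the lock.

```c
/* Added example, not libvirt code: a relabel transaction that queues paths
 * without touching them and locks each path only around its relabel at
 * commit time. Everything below the includes is simulated in memory. */
#include <stdio.h>
#include <string.h>

#define MAX_FILES   16
#define MAX_ENTRIES 16
#define MAX_PATH    128
#define MAX_LABEL   64

/* Simulated file (hypothetical stand-in for the real filesystem): its label,
 * whether its lock is held, and how often it has been locked so far. */
struct fake_file {
    char path[MAX_PATH];
    char label[MAX_LABEL];
    int locked;
    int lock_count;
};

static struct fake_file files[MAX_FILES];
static int nfiles;

/* Find a path in the simulated filesystem, creating it "unlabeled" if new. */
static struct fake_file *file_get(const char *path)
{
    for (int i = 0; i < nfiles; i++)
        if (strcmp(files[i].path, path) == 0)
            return &files[i];
    if (nfiles == MAX_FILES)
        return NULL;
    struct fake_file *f = &files[nfiles++];
    snprintf(f->path, sizeof(f->path), "%s", path);
    snprintf(f->label, sizeof(f->label), "%s", "unlabeled");
    return f;
}

/* Stand-in for taking a path's lock file; fails if another holder has it. */
int path_lock(const char *path)
{
    struct fake_file *f = file_get(path);
    if (!f || f->locked)
        return -1;
    f->locked = 1;
    f->lock_count++;
    return 0;
}

void path_unlock(const char *path)
{
    struct fake_file *f = file_get(path);
    if (f)
        f->locked = 0;
}

/* Stand-in for setfilecon(): refuses to relabel a path whose lock is not held,
 * which is exactly the bug the thread wants to avoid. */
static int relabel(const char *path, const char *label)
{
    struct fake_file *f = file_get(path);
    if (!f || !f->locked)
        return -1;
    snprintf(f->label, sizeof(f->label), "%s", label);
    return 0;
}

/* One queued relabel; a transaction is just a list of these. */
struct tx_entry { char path[MAX_PATH]; char label[MAX_LABEL]; };
struct transaction { struct tx_entry entries[MAX_ENTRIES]; int count; };

/* Append only records the request: no lock is taken, no label changes. */
int tx_append(struct transaction *tx, const char *path, const char *label)
{
    if (tx->count == MAX_ENTRIES)
        return -1;
    struct tx_entry *e = &tx->entries[tx->count++];
    snprintf(e->path, sizeof(e->path), "%s", path);
    snprintf(e->label, sizeof(e->label), "%s", label);
    return 0;
}

/* Commit: for each entry, lock, relabel, unlock. Returns the number of entries
 * relabelled, or -1 on the first lock or relabel failure, leaving the
 * remaining entries untouched so the caller can report or retry. */
int tx_commit(struct transaction *tx)
{
    int done = 0;
    for (int i = 0; i < tx->count; i++) {
        struct tx_entry *e = &tx->entries[i];
        if (path_lock(e->path) < 0)
            return -1;
        int rc = relabel(e->path, e->label);
        path_unlock(e->path);
        if (rc < 0)
            return -1;
        done++;
    }
    return done;
}

/* Inspection helpers for the simulated state. */
const char *file_label(const char *path) { struct fake_file *f = file_get(path); return f ? f->label : NULL; }
int file_lock_count(const char *path)    { struct fake_file *f = file_get(path); return f ? f->lock_count : -1; }
int file_is_locked(const char *path)     { struct fake_file *f = file_get(path); return f ? f->locked : -1; }

int main(void)
{
    /* Constructed sample: two guest resources queued, then committed. */
    struct transaction tx = {0};
    tx_append(&tx, "/var/lib/libvirt/images/guest.qcow2", "system_u:object_r:svirt_image_t:s0:c12,c34");
    tx_append(&tx, "/dev/vhost-net", "system_u:object_r:svirt_image_t:s0:c12,c34");
    printf("after append: locks taken=%d, label=%s\n",
           file_lock_count("/dev/vhost-net"), file_label("/dev/vhost-net"));
    int n = tx_commit(&tx);
    printf("commit relabelled %d entries; locks taken=%d, label=%s\n",
           n, file_lock_count("/dev/vhost-net"), file_label("/dev/vhost-net"));
    return n == 2 ? 0 : 1;
}
```

The contention case is the one worth keeping in mind: if another holder already has a path's lock when commit runs, `tx_commit` stops before relabelling it, which is the behaviour you get only because the lock is tied to the relabel and not to the append.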