[PATCH for v5.3.0 09/17] security_selinux: Allow caller to suppress owner remembering

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Just like previous commit allowed to enable or disable owner
remembering for each individual path, do the same for SELinux
driver. This is going to be needed in the next commit.

Signed-off-by: Michal Privoznik <mprivozn@xxxxxxxxxx>
---
 src/security/security_selinux.c | 163 ++++++++++++++++++--------------
 1 file changed, 94 insertions(+), 69 deletions(-)

diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index 3cb7e1b3bc..e696311b09 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -82,6 +82,7 @@ struct _virSecuritySELinuxContextItem {
     char *path;
     char *tcon;
     bool optional;
+    bool remember; /* Whether owner remembering should be done for @path/@src */
     bool restore; /* Whether current operation is set or restore */
 };
 
@@ -122,6 +123,7 @@ virSecuritySELinuxContextListAppend(virSecuritySELinuxContextListPtr list,
                                     const char *path,
                                     const char *tcon,
                                     bool optional,
+                                    bool remember,
                                     bool restore)
 {
     int ret = -1;
@@ -134,6 +136,7 @@ virSecuritySELinuxContextListAppend(virSecuritySELinuxContextListPtr list,
         goto cleanup;
 
     item->optional = optional;
+    item->remember = remember;
     item->restore = restore;
 
     if (VIR_APPEND_ELEMENT(list->items, list->nItems, item) < 0)
@@ -168,9 +171,12 @@ virSecuritySELinuxContextListFree(void *opaque)
  * @path: Path to chown
  * @tcon: target context
  * @optional: true if setting @tcon is optional
+ * @remember: if the original owner should be recorded/recalled
  * @restore: if current operation is set or restore
  *
  * Appends an entry onto transaction list.
+ * The @remember should be true if caller wishes to record/recall
+ * the original owner of @path/@src.
  * The @restore should be true if the operation is restoring
  * seclabel and false otherwise.
  *
@@ -182,6 +188,7 @@ static int
 virSecuritySELinuxTransactionAppend(const char *path,
                                     const char *tcon,
                                     bool optional,
+                                    bool remember,
                                     bool restore)
 {
     virSecuritySELinuxContextListPtr list;
@@ -190,7 +197,8 @@ virSecuritySELinuxTransactionAppend(const char *path,
     if (!list)
         return 0;
 
-    if (virSecuritySELinuxContextListAppend(list, path, tcon, optional, restore) < 0)
+    if (virSecuritySELinuxContextListAppend(list, path, tcon,
+                                            optional, remember, restore) < 0)
         return -1;
 
     return 1;
@@ -276,17 +284,18 @@ virSecuritySELinuxTransactionRun(pid_t pid ATTRIBUTE_UNUSED,
     rv = 0;
     for (i = 0; i < list->nItems; i++) {
         virSecuritySELinuxContextItemPtr item = list->items[i];
+        const bool remember = item->remember && list->lock;
 
         if (!item->restore) {
             rv = virSecuritySELinuxSetFileconHelper(list->manager,
                                                     item->path,
                                                     item->tcon,
                                                     item->optional,
-                                                    list->lock);
+                                                    remember);
         } else {
             rv = virSecuritySELinuxRestoreFileLabel(list->manager,
                                                     item->path,
-                                                    list->lock);
+                                                    remember);
         }
 
         if (rv < 0)
@@ -295,11 +304,12 @@ virSecuritySELinuxTransactionRun(pid_t pid ATTRIBUTE_UNUSED,
 
     for (; rv < 0 && i > 0; i--) {
         virSecuritySELinuxContextItemPtr item = list->items[i - 1];
+        const bool remember = item->remember && list->lock;
 
         if (!item->restore) {
             virSecuritySELinuxRestoreFileLabel(list->manager,
                                                item->path,
-                                               list->lock);
+                                               remember);
         } else {
             VIR_WARN("Ignoring failed restore attempt on %s", item->path);
         }
@@ -1326,7 +1336,8 @@ virSecuritySELinuxSetFileconHelper(virSecurityManagerPtr mgr,
     int rc;
     int ret = -1;
 
-    if ((rc = virSecuritySELinuxTransactionAppend(path, tcon, optional, false)) < 0)
+    if ((rc = virSecuritySELinuxTransactionAppend(path, tcon,
+                                                  optional, remember, false)) < 0)
         return -1;
     else if (rc > 0)
         return 0;
@@ -1389,16 +1400,20 @@ virSecuritySELinuxSetFileconHelper(virSecurityManagerPtr mgr,
 
 static int
 virSecuritySELinuxSetFileconOptional(virSecurityManagerPtr mgr,
-                                     const char *path, const char *tcon)
+                                     const char *path,
+                                     const char *tcon,
+                                     bool remember)
 {
-    return virSecuritySELinuxSetFileconHelper(mgr, path, tcon, true, false);
+    return virSecuritySELinuxSetFileconHelper(mgr, path, tcon, true, remember);
 }
 
 static int
 virSecuritySELinuxSetFilecon(virSecurityManagerPtr mgr,
-                             const char *path, const char *tcon)
+                             const char *path,
+                             const char *tcon,
+                             bool remember)
 {
-    return virSecuritySELinuxSetFileconHelper(mgr, path, tcon, false, false);
+    return virSecuritySELinuxSetFileconHelper(mgr, path, tcon, false, remember);
 }
 
 static int
@@ -1484,7 +1499,8 @@ virSecuritySELinuxRestoreFileLabel(virSecurityManagerPtr mgr,
         goto cleanup;
     }
 
-    if ((rc = virSecuritySELinuxTransactionAppend(path, NULL, false, true)) < 0) {
+    if ((rc = virSecuritySELinuxTransactionAppend(path, NULL,
+                                                  false, recall, true)) < 0) {
         goto cleanup;
     } else if (rc > 0) {
         ret = 0;
@@ -1545,7 +1561,7 @@ virSecuritySELinuxSetInputLabel(virSecurityManagerPtr mgr,
     switch ((virDomainInputType)input->type) {
     case VIR_DOMAIN_INPUT_TYPE_PASSTHROUGH:
         if (virSecuritySELinuxSetFilecon(mgr, input->source.evdev,
-                                         seclabel->imagelabel) < 0)
+                                         seclabel->imagelabel, true) < 0)
             return -1;
         break;
 
@@ -1574,7 +1590,7 @@ virSecuritySELinuxRestoreInputLabel(virSecurityManagerPtr mgr,
 
     switch ((virDomainInputType)input->type) {
     case VIR_DOMAIN_INPUT_TYPE_PASSTHROUGH:
-        rc = virSecuritySELinuxRestoreFileLabel(mgr, input->source.evdev, false);
+        rc = virSecuritySELinuxRestoreFileLabel(mgr, input->source.evdev, true);
         break;
 
     case VIR_DOMAIN_INPUT_TYPE_MOUSE:
@@ -1602,7 +1618,7 @@ virSecuritySELinuxSetMemoryLabel(virSecurityManagerPtr mgr,
             return 0;
 
         if (virSecuritySELinuxSetFilecon(mgr, mem->nvdimmPath,
-                                         seclabel->imagelabel) < 0)
+                                         seclabel->imagelabel, true) < 0)
             return -1;
         break;
 
@@ -1630,7 +1646,7 @@ virSecuritySELinuxRestoreMemoryLabel(virSecurityManagerPtr mgr,
         if (!seclabel || !seclabel->relabel)
             return 0;
 
-        ret = virSecuritySELinuxRestoreFileLabel(mgr, mem->nvdimmPath, false);
+        ret = virSecuritySELinuxRestoreFileLabel(mgr, mem->nvdimmPath, true);
         break;
 
     case VIR_DOMAIN_MEMORY_MODEL_DIMM:
@@ -1661,14 +1677,14 @@ virSecuritySELinuxSetTPMFileLabel(virSecurityManagerPtr mgr,
     switch (tpm->type) {
     case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH:
         tpmdev = tpm->data.passthrough.source.data.file.path;
-        rc = virSecuritySELinuxSetFilecon(mgr, tpmdev, seclabel->imagelabel);
+        rc = virSecuritySELinuxSetFilecon(mgr, tpmdev, seclabel->imagelabel, true);
         if (rc < 0)
             return -1;
 
         if ((cancel_path = virTPMCreateCancelPath(tpmdev)) != NULL) {
             rc = virSecuritySELinuxSetFilecon(mgr,
                                               cancel_path,
-                                              seclabel->imagelabel);
+                                              seclabel->imagelabel, true);
             VIR_FREE(cancel_path);
             if (rc < 0) {
                 virSecuritySELinuxRestoreTPMFileLabelInt(mgr, def, tpm);
@@ -1680,7 +1696,7 @@ virSecuritySELinuxSetTPMFileLabel(virSecurityManagerPtr mgr,
         break;
     case VIR_DOMAIN_TPM_TYPE_EMULATOR:
         tpmdev = tpm->data.emulator.source.data.nix.path;
-        rc = virSecuritySELinuxSetFilecon(mgr, tpmdev, seclabel->imagelabel);
+        rc = virSecuritySELinuxSetFilecon(mgr, tpmdev, seclabel->imagelabel, true);
         if (rc < 0)
             return -1;
         break;
@@ -1709,10 +1725,10 @@ virSecuritySELinuxRestoreTPMFileLabelInt(virSecurityManagerPtr mgr,
     switch (tpm->type) {
     case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH:
         tpmdev = tpm->data.passthrough.source.data.file.path;
-        rc = virSecuritySELinuxRestoreFileLabel(mgr, tpmdev, false);
+        rc = virSecuritySELinuxRestoreFileLabel(mgr, tpmdev, true);
 
         if ((cancel_path = virTPMCreateCancelPath(tpmdev)) != NULL) {
-            if (virSecuritySELinuxRestoreFileLabel(mgr, cancel_path, false) < 0)
+            if (virSecuritySELinuxRestoreFileLabel(mgr, cancel_path, true) < 0)
                 rc = -1;
             VIR_FREE(cancel_path);
         }
@@ -1779,7 +1795,7 @@ virSecuritySELinuxRestoreImageLabelInt(virSecurityManagerPtr mgr,
         }
     }
 
-    return virSecuritySELinuxRestoreFileLabel(mgr, src->path, false);
+    return virSecuritySELinuxRestoreFileLabel(mgr, src->path, true);
 }
 
 
@@ -1822,32 +1838,38 @@ virSecuritySELinuxSetImageLabelInternal(virSecurityManagerPtr mgr,
         if (!disk_seclabel->relabel)
             return 0;
 
-        ret = virSecuritySELinuxSetFilecon(mgr, src->path, disk_seclabel->label);
+        ret = virSecuritySELinuxSetFilecon(mgr, src->path,
+                                           disk_seclabel->label, true);
     } else if (parent_seclabel && (!parent_seclabel->relabel || parent_seclabel->label)) {
         if (!parent_seclabel->relabel)
             return 0;
 
-        ret = virSecuritySELinuxSetFilecon(mgr, src->path, parent_seclabel->label);
+        ret = virSecuritySELinuxSetFilecon(mgr, src->path,
+                                           parent_seclabel->label, true);
     } else if (!parent || parent == src) {
         if (src->shared) {
             ret = virSecuritySELinuxSetFileconOptional(mgr,
                                                        src->path,
-                                                       data->file_context);
+                                                       data->file_context,
+                                                       true);
         } else if (src->readonly) {
             ret = virSecuritySELinuxSetFileconOptional(mgr,
                                                        src->path,
-                                                       data->content_context);
+                                                       data->content_context,
+                                                       true);
         } else if (secdef->imagelabel) {
             ret = virSecuritySELinuxSetFileconOptional(mgr,
                                                        src->path,
-                                                       secdef->imagelabel);
+                                                       secdef->imagelabel,
+                                                       true);
         } else {
             ret = 0;
         }
     } else {
         ret = virSecuritySELinuxSetFileconOptional(mgr,
                                                    src->path,
-                                                   data->content_context);
+                                                   data->content_context,
+                                                   true);
     }
 
     if (ret == 1 && !disk_seclabel) {
@@ -1900,7 +1922,7 @@ virSecuritySELinuxSetHostdevLabelHelper(const char *file, void *opaque)
     secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
     if (secdef == NULL)
         return 0;
-    return virSecuritySELinuxSetFilecon(mgr, file, secdef->imagelabel);
+    return virSecuritySELinuxSetFilecon(mgr, file, secdef->imagelabel, true);
 }
 
 static int
@@ -1932,13 +1954,13 @@ virSecuritySELinuxSetSCSILabel(virSCSIDevicePtr dev,
 
     if (virSCSIDeviceGetShareable(dev))
         return virSecuritySELinuxSetFileconOptional(mgr, file,
-                                                    data->file_context);
+                                                    data->file_context, true);
     else if (virSCSIDeviceGetReadonly(dev))
         return virSecuritySELinuxSetFileconOptional(mgr, file,
-                                                    data->content_context);
+                                                    data->content_context, true);
     else
         return virSecuritySELinuxSetFileconOptional(mgr, file,
-                                                    secdef->imagelabel);
+                                                    secdef->imagelabel, true);
 }
 
 static int
@@ -2093,7 +2115,7 @@ virSecuritySELinuxSetHostdevCapsLabel(virSecurityManagerPtr mgr,
             if (VIR_STRDUP(path, dev->source.caps.u.storage.block) < 0)
                 return -1;
         }
-        ret = virSecuritySELinuxSetFilecon(mgr, path, secdef->imagelabel);
+        ret = virSecuritySELinuxSetFilecon(mgr, path, secdef->imagelabel, true);
         VIR_FREE(path);
         break;
     }
@@ -2107,7 +2129,7 @@ virSecuritySELinuxSetHostdevCapsLabel(virSecurityManagerPtr mgr,
             if (VIR_STRDUP(path, dev->source.caps.u.misc.chardev) < 0)
                 return -1;
         }
-        ret = virSecuritySELinuxSetFilecon(mgr, path, secdef->imagelabel);
+        ret = virSecuritySELinuxSetFilecon(mgr, path, secdef->imagelabel, true);
         VIR_FREE(path);
         break;
     }
@@ -2153,7 +2175,7 @@ virSecuritySELinuxRestorePCILabel(virPCIDevicePtr dev ATTRIBUTE_UNUSED,
 {
     virSecurityManagerPtr mgr = opaque;
 
-    return virSecuritySELinuxRestoreFileLabel(mgr, file, false);
+    return virSecuritySELinuxRestoreFileLabel(mgr, file, true);
 }
 
 static int
@@ -2163,7 +2185,7 @@ virSecuritySELinuxRestoreUSBLabel(virUSBDevicePtr dev ATTRIBUTE_UNUSED,
 {
     virSecurityManagerPtr mgr = opaque;
 
-    return virSecuritySELinuxRestoreFileLabel(mgr, file, false);
+    return virSecuritySELinuxRestoreFileLabel(mgr, file, true);
 }
 
 
@@ -2180,7 +2202,7 @@ virSecuritySELinuxRestoreSCSILabel(virSCSIDevicePtr dev,
     if (virSCSIDeviceGetShareable(dev) || virSCSIDeviceGetReadonly(dev))
         return 0;
 
-    return virSecuritySELinuxRestoreFileLabel(mgr, file, false);
+    return virSecuritySELinuxRestoreFileLabel(mgr, file, true);
 }
 
 static int
@@ -2190,7 +2212,7 @@ virSecuritySELinuxRestoreHostLabel(virSCSIVHostDevicePtr dev ATTRIBUTE_UNUSED,
 {
     virSecurityManagerPtr mgr = opaque;
 
-    return virSecuritySELinuxRestoreFileLabel(mgr, file, false);
+    return virSecuritySELinuxRestoreFileLabel(mgr, file, true);
 }
 
 
@@ -2294,7 +2316,7 @@ virSecuritySELinuxRestoreHostdevSubsysLabel(virSecurityManagerPtr mgr,
         if (!(vfiodev = virMediatedDeviceGetIOMMUGroupDev(mdevsrc->uuidstr)))
             goto done;
 
-        ret = virSecuritySELinuxRestoreFileLabel(mgr, vfiodev, false);
+        ret = virSecuritySELinuxRestoreFileLabel(mgr, vfiodev, true);
 
         VIR_FREE(vfiodev);
         break;
@@ -2328,7 +2350,7 @@ virSecuritySELinuxRestoreHostdevCapsLabel(virSecurityManagerPtr mgr,
             if (VIR_STRDUP(path, dev->source.caps.u.storage.block) < 0)
                 return -1;
         }
-        ret = virSecuritySELinuxRestoreFileLabel(mgr, path, false);
+        ret = virSecuritySELinuxRestoreFileLabel(mgr, path, true);
         VIR_FREE(path);
         break;
     }
@@ -2342,7 +2364,7 @@ virSecuritySELinuxRestoreHostdevCapsLabel(virSecurityManagerPtr mgr,
             if (VIR_STRDUP(path, dev->source.caps.u.misc.chardev) < 0)
                 return -1;
         }
-        ret = virSecuritySELinuxRestoreFileLabel(mgr, path, false);
+        ret = virSecuritySELinuxRestoreFileLabel(mgr, path, true);
         VIR_FREE(path);
         break;
     }
@@ -2420,14 +2442,16 @@ virSecuritySELinuxSetChardevLabel(virSecurityManagerPtr mgr,
     case VIR_DOMAIN_CHR_TYPE_FILE:
         ret = virSecuritySELinuxSetFilecon(mgr,
                                            dev_source->data.file.path,
-                                           imagelabel);
+                                           imagelabel,
+                                           true);
         break;
 
     case VIR_DOMAIN_CHR_TYPE_UNIX:
         if (!dev_source->data.nix.listen) {
             if (virSecuritySELinuxSetFilecon(mgr,
                                              dev_source->data.nix.path,
-                                             imagelabel) < 0)
+                                             imagelabel,
+                                             true) < 0)
                 goto done;
         }
         ret = 0;
@@ -2438,13 +2462,14 @@ virSecuritySELinuxSetChardevLabel(virSecurityManagerPtr mgr,
             (virAsprintf(&out, "%s.out", dev_source->data.file.path) < 0))
             goto done;
         if (virFileExists(in) && virFileExists(out)) {
-            if ((virSecuritySELinuxSetFilecon(mgr, in, imagelabel) < 0) ||
-                (virSecuritySELinuxSetFilecon(mgr, out, imagelabel) < 0)) {
+            if ((virSecuritySELinuxSetFilecon(mgr, in, imagelabel, true) < 0) ||
+                (virSecuritySELinuxSetFilecon(mgr, out, imagelabel, true) < 0)) {
                 goto done;
             }
         } else if (virSecuritySELinuxSetFilecon(mgr,
                                                 dev_source->data.file.path,
-                                                imagelabel) < 0) {
+                                                imagelabel,
+                                                true) < 0) {
             goto done;
         }
         ret = 0;
@@ -2492,7 +2517,7 @@ virSecuritySELinuxRestoreChardevLabel(virSecurityManagerPtr mgr,
     case VIR_DOMAIN_CHR_TYPE_FILE:
         if (virSecuritySELinuxRestoreFileLabel(mgr,
                                                dev_source->data.file.path,
-                                               false) < 0)
+                                               true) < 0)
             goto done;
         ret = 0;
         break;
@@ -2501,7 +2526,7 @@ virSecuritySELinuxRestoreChardevLabel(virSecurityManagerPtr mgr,
         if (!dev_source->data.nix.listen) {
             if (virSecuritySELinuxRestoreFileLabel(mgr,
                                                    dev_source->data.file.path,
-                                                   false) < 0)
+                                                   true) < 0)
                 goto done;
         }
         ret = 0;
@@ -2512,13 +2537,13 @@ virSecuritySELinuxRestoreChardevLabel(virSecurityManagerPtr mgr,
             (virAsprintf(&in, "%s.in", dev_source->data.file.path) < 0))
             goto done;
         if (virFileExists(in) && virFileExists(out)) {
-            if ((virSecuritySELinuxRestoreFileLabel(mgr, out, false) < 0) ||
-                (virSecuritySELinuxRestoreFileLabel(mgr, in, false) < 0)) {
+            if ((virSecuritySELinuxRestoreFileLabel(mgr, out, true) < 0) ||
+                (virSecuritySELinuxRestoreFileLabel(mgr, in, true) < 0)) {
                 goto done;
             }
         } else if (virSecuritySELinuxRestoreFileLabel(mgr,
                                                       dev_source->data.file.path,
-                                                      false) < 0) {
+                                                      true) < 0) {
             goto done;
         }
         ret = 0;
@@ -2570,7 +2595,7 @@ virSecuritySELinuxRestoreSecuritySmartcardCallback(virDomainDefPtr def,
         database = dev->data.cert.database;
         if (!database)
             database = VIR_DOMAIN_SMARTCARD_DEFAULT_DATABASE;
-        return virSecuritySELinuxRestoreFileLabel(mgr, database, false);
+        return virSecuritySELinuxRestoreFileLabel(mgr, database, true);
 
     case VIR_DOMAIN_SMARTCARD_TYPE_PASSTHROUGH:
         return virSecuritySELinuxRestoreChardevLabel(mgr, def,
@@ -2665,23 +2690,23 @@ virSecuritySELinuxRestoreAllLabel(virSecurityManagerPtr mgr,
         rc = -1;
 
     if (def->os.loader && def->os.loader->nvram &&
-        virSecuritySELinuxRestoreFileLabel(mgr, def->os.loader->nvram, false) < 0)
+        virSecuritySELinuxRestoreFileLabel(mgr, def->os.loader->nvram, true) < 0)
         rc = -1;
 
     if (def->os.kernel &&
-        virSecuritySELinuxRestoreFileLabel(mgr, def->os.kernel, false) < 0)
+        virSecuritySELinuxRestoreFileLabel(mgr, def->os.kernel, true) < 0)
         rc = -1;
 
     if (def->os.initrd &&
-        virSecuritySELinuxRestoreFileLabel(mgr, def->os.initrd, false) < 0)
+        virSecuritySELinuxRestoreFileLabel(mgr, def->os.initrd, true) < 0)
         rc = -1;
 
     if (def->os.dtb &&
-        virSecuritySELinuxRestoreFileLabel(mgr, def->os.dtb, false) < 0)
+        virSecuritySELinuxRestoreFileLabel(mgr, def->os.dtb, true) < 0)
         rc = -1;
 
     if (def->os.slic_table &&
-        virSecuritySELinuxRestoreFileLabel(mgr, def->os.slic_table, false) < 0)
+        virSecuritySELinuxRestoreFileLabel(mgr, def->os.slic_table, true) < 0)
         rc = -1;
 
     return rc;
@@ -2726,7 +2751,7 @@ virSecuritySELinuxSetSavedStateLabel(virSecurityManagerPtr mgr,
     if (!secdef || !secdef->relabel)
         return 0;
 
-    return virSecuritySELinuxSetFilecon(mgr, savefile, secdef->imagelabel);
+    return virSecuritySELinuxSetFilecon(mgr, savefile, secdef->imagelabel, true);
 }
 
 
@@ -2741,7 +2766,7 @@ virSecuritySELinuxRestoreSavedStateLabel(virSecurityManagerPtr mgr,
     if (!secdef || !secdef->relabel)
         return 0;
 
-    return virSecuritySELinuxRestoreFileLabel(mgr, savefile, false);
+    return virSecuritySELinuxRestoreFileLabel(mgr, savefile, true);
 }
 
 
@@ -2984,7 +3009,7 @@ virSecuritySELinuxSetSecuritySmartcardCallback(virDomainDefPtr def,
         database = dev->data.cert.database;
         if (!database)
             database = VIR_DOMAIN_SMARTCARD_DEFAULT_DATABASE;
-        return virSecuritySELinuxSetFilecon(mgr, database, data->content_context);
+        return virSecuritySELinuxSetFilecon(mgr, database, data->content_context, true);
 
     case VIR_DOMAIN_SMARTCARD_TYPE_PASSTHROUGH:
         return virSecuritySELinuxSetChardevLabel(mgr, def,
@@ -3075,32 +3100,32 @@ virSecuritySELinuxSetAllLabel(virSecurityManagerPtr mgr,
     if (def->os.loader && def->os.loader->nvram &&
         secdef && secdef->imagelabel &&
         virSecuritySELinuxSetFilecon(mgr, def->os.loader->nvram,
-                                     secdef->imagelabel) < 0)
+                                     secdef->imagelabel, true) < 0)
         return -1;
 
     if (def->os.kernel &&
         virSecuritySELinuxSetFilecon(mgr, def->os.kernel,
-                                     data->content_context) < 0)
+                                     data->content_context, true) < 0)
         return -1;
 
     if (def->os.initrd &&
         virSecuritySELinuxSetFilecon(mgr, def->os.initrd,
-                                     data->content_context) < 0)
+                                     data->content_context, true) < 0)
         return -1;
 
     if (def->os.dtb &&
         virSecuritySELinuxSetFilecon(mgr, def->os.dtb,
-                                     data->content_context) < 0)
+                                     data->content_context, true) < 0)
         return -1;
 
     if (def->os.slic_table &&
         virSecuritySELinuxSetFilecon(mgr, def->os.slic_table,
-                                     data->content_context) < 0)
+                                     data->content_context, true) < 0)
         return -1;
 
     if (stdin_path &&
         virSecuritySELinuxSetFilecon(mgr, stdin_path,
-                                     data->content_context) < 0)
+                                     data->content_context, true) < 0)
         return -1;
 
     return 0;
@@ -3259,7 +3284,7 @@ virSecuritySELinuxDomainSetPathLabel(virSecurityManagerPtr mgr,
     if (!seclabel || !seclabel->relabel)
         return 0;
 
-    return virSecuritySELinuxSetFilecon(mgr, path, seclabel->imagelabel);
+    return virSecuritySELinuxSetFilecon(mgr, path, seclabel->imagelabel, true);
 }
 
 
@@ -3284,7 +3309,7 @@ virSecuritySELinuxSetFileLabels(virSecurityManagerPtr mgr,
     char *filename = NULL;
     DIR *dir;
 
-    if ((ret = virSecuritySELinuxSetFilecon(mgr, path, seclabel->imagelabel)))
+    if ((ret = virSecuritySELinuxSetFilecon(mgr, path, seclabel->imagelabel, true)))
         return ret;
 
     if (!virFileIsDir(path))
@@ -3302,7 +3327,7 @@ virSecuritySELinuxSetFileLabels(virSecurityManagerPtr mgr,
             break;
         }
         ret = virSecuritySELinuxSetFilecon(mgr, filename,
-                                           seclabel->imagelabel);
+                                           seclabel->imagelabel, true);
         VIR_FREE(filename);
         if (ret < 0)
             break;
@@ -3336,7 +3361,7 @@ virSecuritySELinuxRestoreFileLabels(virSecurityManagerPtr mgr,
     char *filename = NULL;
     DIR *dir;
 
-    if ((ret = virSecuritySELinuxRestoreFileLabel(mgr, path, false)))
+    if ((ret = virSecuritySELinuxRestoreFileLabel(mgr, path, true)))
         return ret;
 
     if (!virFileIsDir(path))
@@ -3353,7 +3378,7 @@ virSecuritySELinuxRestoreFileLabels(virSecurityManagerPtr mgr,
             ret = -1;
             break;
         }
-        ret = virSecuritySELinuxRestoreFileLabel(mgr, filename, false);
+        ret = virSecuritySELinuxRestoreFileLabel(mgr, filename, true);
         VIR_FREE(filename);
         if (ret < 0)
             break;
-- 
2.19.2

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list



[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]

  Powered by Linux