On Thu, Nov 18, 2010 at 04:26:55PM +0100, Daniel Veillard wrote:
> The code in SELinuxRestoreSecurityChardevLabel() was trying to
> use SELinuxSetFilecon directly for devices or file types while
> it should really use SELinuxRestoreSecurityFileLabel encapsulating
> routine, which avoids various problems like resolving symlinks,
> making sure the file exists and working around NFS problems
>
> Daniel
>
> diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c > index 936a1a6..996177a 100644 > --- a/src/security/security_selinux.c > +++ b/src/security/security_selinux.c > @@ -694,9 +694,10 @@ SELinuxRestoreSecurityChardevLabel(virDomainObjPtr vm, > switch (dev->type) { > case VIR_DOMAIN_CHR_TYPE_DEV: > case VIR_DOMAIN_CHR_TYPE_FILE: > - ret = SELinuxSetFilecon(dev->data.file.path, secdef->imagelabel); > + if (SELinuxRestoreSecurityFileLabel(dev->data.file.path) < 0) > + goto done; > + ret = 0; > break; > - > case VIR_DOMAIN_CHR_TYPE_PIPE: > if ((virAsprintf(&out, "%s.out", dev->data.file.path) < 0) || > (virAsprintf(&in, "%s.in", dev->data.file.path) < 0)) {

ACK

Daniel
--
|: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://deltacloud.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
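
Review bot: in the VIR_DOMAIN_CHR_TYPE_DEV / VIR_DOMAIN_CHR_TYPE_FILE case, the new `goto done` failure path no longer assigns `ret`, so the value returned on error depends on how `ret` is initialized outside the visible context, whereas the removed line assigned it directly. Either confirm that `ret` starts at a failure value before the switch, or keep the direct form `ret = SELinuxRestoreSecurityFileLabel(dev->data.file.path);` if the helper's return convention allows it. The new call also stops passing `secdef->imagelabel`, so the label is no longer chosen by this caller; the commit message mentions only symlinks, file existence and NFS, and that change deserves a sentence of its own. The blank line dropped before `case VIR_DOMAIN_CHR_TYPE_PIPE:` is an unrelated whitespace change and could be left out of the patch.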