* configure.ac (with_selinux): Check for <selinux/label.h>. * src/security/security_selinux.c (getContext): New function. (SELinuxRestoreSecurityFileLabel): Use it to restore compilation when using older libselinux.
---
Although this fixes a build-breaker on RHEL, I'd rather get it reviewed before pushing. Compilation on RHEL 5 also depends on https://www.redhat.com/archives/libvir-list/2010-December/msg00592.html along with the latest gnulib.
 configure.ac | 3 +++
 src/security/security_selinux.c | 29 +++++++++++++++++++++++------
 2 files changed, 26 insertions(+), 6 deletions(-)
diff --git a/configure.ac b/configure.ac
index 51e4271..a501721 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1006,6 +1006,9 @@ fi
 if test "$with_selinux" = "yes"; then
   SELINUX_LIBS="-lselinux"
   AC_DEFINE_UNQUOTED([HAVE_SELINUX], 1, [whether basic SELinux functionality is available])
+  dnl We prefer to use <selinux/label.h> and selabel_open, but can fall
+  dnl back to matchpathcon for the sake of RHEL 5's version of libselinux.
+  AC_CHECK_HEADERS([selinux/label.h])
 fi
 AM_CONDITIONAL([HAVE_SELINUX], [test "$with_selinux" != "no"])
 AC_SUBST([SELINUX_CFLAGS])
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index 37539c2..1420a18 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -14,11 +14,13 @@
  */
 #include <config.h>
 #include <selinux/selinux.h>
-#include <selinux/label.h>
 #include <selinux/context.h>
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <fcntl.h>
+#if HAVE_SELINUX_LABEL_H
+# include <selinux/label.h>
+#endif
 
 #include "security_driver.h"
 #include "security_selinux.h"
@@ -355,6 +357,25 @@ SELinuxSetFilecon(const char *path, char *tcon)
     return 0;
 }
 
+/* Set fcon to the appropriate label for path and mode, or return -1. */
+static int
+getContext(const char *newpath, mode_t mode, security_context_t *fcon)
+{
+#if HAVE_SELINUX_LABEL_H
+    struct selabel_handle *handle = selabel_open(SELABEL_CTX_FILE, NULL, 0);
+    int ret;
+
+    if (handle == NULL)
+        return -1;
+
+    ret = selabel_lookup(handle, fcon, newpath, mode);
+    selabel_close(handle);
+    return ret;
+#else
+    return matchpathcon(newpath, mode, fcon);
+#endif
+}
+
 /* This method shouldn't raise errors, since they'll overwrite
  * errors that the caller(s) are already dealing with */
@@ -363,7 +384,6 @@ SELinuxRestoreSecurityFileLabel(const char *path)
 {
     struct stat buf;
     security_context_t fcon = NULL;
-    struct selabel_handle *handle = NULL;
     int rc = -1;
     char *newpath = NULL;
     char ebuf[1024];
@@ -382,16 +402,13 @@ SELinuxRestoreSecurityFileLabel(const char *path)
         goto err;
     }
 
-    if ((handle = selabel_open(SELABEL_CTX_FILE, NULL, 0)) == NULL ||
-        selabel_lookup(handle, &fcon, newpath, buf.st_mode) < 0) {
+    if (getContext(newpath, buf.st_mode, &fcon) < 0) {
         VIR_WARN("cannot lookup default selinux label for %s", newpath);
     } else {
         rc = SELinuxSetFilecon(newpath, fcon);
     }
 
 err:
-    if (handle)
-        selabel_close(handle);
     freecon(fcon);
     VIR_FREE(newpath);
     return rc;
-- 
1.7.3.3
-- 
libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list
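Review bot: The `#else` fallback in getContext calls matchpathcon(), which in libselinux lazily initializes and caches a process-wide file_contexts handle and is not documented as thread-safe, whereas the selabel path opens a private handle per call; SELinuxRestoreSecurityFileLabel is presumably reached from several libvirtd worker threads, so concurrent first calls on a RHEL 5 build could race on that global state. If the fallback is kept, serialize it with a lock or perform a one-time matchpathcon_init() during driver initialization, and say so in the comment. The header comment should also spell out the ownership contract the caller depends on: `/* On success *fcon is freshly allocated and must be released with freecon(); on failure *fcon is left untouched. */`. In the selabel branch the errno from a failed selabel_lookup() may be clobbered by selabel_close(), so preserve it for the caller's diagnostics: `int saved_errno = errno; selabel_close(handle); errno = saved_errno;`.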
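Review bot: The warning on the `if (getContext(newpath, buf.st_mode, &fcon) < 0)` path drops errno, so a benign "no file_contexts rule matches this path" (ENOENT from selabel_lookup/matchpathcon) is indistinguishable in the log from a real failure such as an unreadable policy, which is the case an operator restoring labels after a security event actually needs to notice. `ebuf` is declared in this function (visible in the previous hunk) and presumably exists for exactly this purpose, so the warning could carry the strerror text, e.g. `VIR_WARN("cannot lookup default selinux label for %s: %s", newpath, virStrerror(errno, ebuf, sizeof(ebuf)));` if virStrerror is the helper ebuf is used with earlier in the function; this only helps if getContext preserves errno across selabel_close(). The function begins before this hunk.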