On Mon, Aug 20, 2012 at 01:52:16PM +0200, Viktor Mihajlovski wrote:
> This is a fix for the object label generation. It uses a new flag for
> virSecuritySELinuxGenNewContext that specifies whether the context is
> for an object. If so the context role remains unchanged.
> Without this fix it is not possible to start domains with image file or
> block device backed storage when selinux is enabled.
>
> Signed-off-by: Viktor Mihajlovski <mihajlov@xxxxxxxxxxxxxxxxxx>
> ---
> src/security/security_selinux.c | 17 +++++++++++------
> 1 files changed, 11 insertions(+), 6 deletions(-)
>
> diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
> index 48fd78b..8cf23b7 100644
> --- a/src/security/security_selinux.c
> +++ b/src/security/security_selinux.c
> @@ -141,7 +141,9 @@ cleanup:
>
>
> static char *
> -virSecuritySELinuxGenNewContext(const char *basecontext, const char *mcs)
> +virSecuritySELinuxGenNewContext(const char *basecontext,
> + const char *mcs,
> + bool isObjectContext)
> {
> context_t context = NULL;
> char *ret = NULL;
> @@ -176,10 +178,11 @@ virSecuritySELinuxGenNewContext(const char *basecontext, const char *mcs)
> goto cleanup;
> }
>
> - if (context_role_set(context,
> + if (!isObjectContext &&
> + context_role_set(context,
> context_role_get(ourContext)) != 0) {
> virReportSystemError(errno,
> - _("Unable to set SELinux context user '%s'"),
> + _("Unable to set SELinux context role '%s'"),
> context_role_get(ourContext));
> goto cleanup;
> }
> @@ -421,7 +424,8 @@ virSecuritySELinuxGenSecurityLabel(virSecurityManagerPtr mgr,
> if (!(def->seclabel.label =
> virSecuritySELinuxGenNewContext(def->seclabel.baselabel ?
> def->seclabel.baselabel :
> - data->domain_context, mcs)))
> + data->domain_context,
> + mcs, false)))
> goto cleanup;
> break;
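Review bot: The new `!isObjectContext &&` guard in the -176 hunk changes what the function does for file labels without saying why, and the `bool isObjectContext` parameter added in the -141 hunk carries no documentation, so a later reader who sees a process role on a file label (or the reverse) has nothing to check the intent against. I'd put a short comment above the condition, e.g. `/* Roles are a process attribute: object (file) labels keep the role of their base context (normally object_r) and only receive the MCS category. */`, and a one-line description of isObjectContext in a header comment on the function. The function body begins and ends outside these hunks, so it is not visible whether the user is still set unconditionally for object contexts; if it is, the same reasoning about object labels applies there and deserves a comment. The message fix from 'user' to 'role' in the same hunk is correct for the call it reports on.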
>
> @@ -438,7 +442,7 @@ virSecuritySELinuxGenSecurityLabel(virSecurityManagerPtr mgr,
>
> if (!def->seclabel.norelabel) {
> if (!(def->seclabel.imagelabel =
> - virSecuritySELinuxGenNewContext(data->file_context, mcs)))
> + virSecuritySELinuxGenNewContext(data->file_context, mcs, true)))
> goto cleanup;
> }
>
> @@ -1639,7 +1643,8 @@ virSecuritySELinuxGenImageLabel(virSecurityManagerPtr mgr,
> virReportOOMError();
> goto cleanup;
> }
> - if (!(label = virSecuritySELinuxGenNewContext(data->file_context, mcs)))
> + if (!(label = virSecuritySELinuxGenNewContext(data->file_context,
> + mcs, true)))
> goto cleanup;
> }
> }
ACK Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
--
libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list
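Review bot: The call sites in the -421 hunk and in the -438 and -1639 hunks pass the new isObjectContext argument as a bare `true`/`false`, so each call has to be cross-checked against the prototype to tell a domain process label from a file label. A trailing comment on the argument at each site, e.g. `mcs, false))) /* domain process label */` and `mcs, true))) /* image/file object label */`, makes the distinction visible where it is read. The enclosing functions start and end outside these hunks.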