[PATCHv2] selinux: Fix incorrect object label generation.


 



This is a fix for the object label generation. It adds a new flag to
virSecuritySELinuxGenNewContext that specifies whether the context is
for an object. If so, the context role is left unchanged.
Without this fix it is not possible to start domains with image-file- or
block-device-backed storage when SELinux is enabled.

Signed-off-by: Viktor Mihajlovski <mihajlov@xxxxxxxxxxxxxxxxxx>
---
 src/security/security_selinux.c |   17 +++++++++++------
 1 files changed, 11 insertions(+), 6 deletions(-)

diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index 48fd78b..cf69040 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -141,7 +141,9 @@ cleanup:
 
 
 static char *
-virSecuritySELinuxGenNewContext(const char *basecontext, const char *mcs)
+virSecuritySELinuxGenNewContext(const char *basecontext,
+                                const char *mcs,
+                                bool isObjectContext)
 {
     context_t context = NULL;
     char *ret = NULL;
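Review bot: The new `isObjectContext` parameter has no documentation, so a reader of the signature cannot tell what "object" means here or what the flag changes. A short comment above the function would fix that, e.g. `/* isObjectContext: true when generating a label for a file/device object; the role of basecontext is then kept instead of being replaced by the caller's process role. */`. The body of virSecuritySELinuxGenNewContext continues outside this hunk, so the comment placement (before `static char *`) is also outside the hunk.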
@@ -176,10 +178,11 @@ virSecuritySELinuxGenNewContext(const char *basecontext, const char *mcs)
         goto cleanup;
     }
 
-    if (context_role_set(context,
+    if (!isObjectContext &&
+        context_role_set(context,
                          context_role_get(ourContext)) != 0) {
         virReportSystemError(errno,
-                             _("Unable to set SELinux context user '%s'"),
+                             _("Unable to set SELinux context role '%s'"),
                              context_role_get(ourContext));
         goto cleanup;
     }
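Review bot: The reason the role assignment is skipped for object contexts is not stated at the condition, and it is the actual bug fix of this patch, so a why-comment belongs on the `if (!isObjectContext &&` line, e.g. `/* Object labels keep the role of the base (file) context; copying our process role into them yields a label the policy rejects. */`. The wording of the reason is inferred from the commit description (domains with image or block storage fail to start), so confirm it matches the SELinux policy behaviour before committing to it. The corrected message "Unable to set SELinux context role" is right for this branch; the user-setting branch earlier in the function is outside this hunk and should be checked to still say "user".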
@@ -421,7 +424,8 @@ virSecuritySELinuxGenSecurityLabel(virSecurityManagerPtr mgr,
         if (!(def->seclabel.label =
               virSecuritySELinuxGenNewContext(def->seclabel.baselabel ?
                                               def->seclabel.baselabel :
-                                              data->domain_context, mcs)))
+                                              data->domain_context,
+                                              mcs, false)))
             goto cleanup;
         break;
 
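Review bot: The call sites pass a bare `false` here and bare `true` in the two later hunks (the `imagelabel` assignment in virSecuritySELinuxGenSecurityLabel and the `label` assignment in virSecuritySELinuxGenImageLabel), which tells a reader nothing without looking up the parameter list. A brief inline comment at each argument, `mcs, false /* process context */)))` and `mcs, true /* object context */)))`, keeps the intent visible; a small enum or two named constants would do the same more robustly if the flag grows further uses. The enclosing switch and function continue outside this hunk.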
@@ -438,7 +442,7 @@ virSecuritySELinuxGenSecurityLabel(virSecurityManagerPtr mgr,
 
     if (!def->seclabel.norelabel) {
         if (!(def->seclabel.imagelabel =
-              virSecuritySELinuxGenNewContext(data->file_context, mcs)))
+              virSecuritySELinuxGenNewContext(data->file_context, mcs, true)))
             goto cleanup;
     }
 
@@ -1639,7 +1643,8 @@ virSecuritySELinuxGenImageLabel(virSecurityManagerPtr mgr,
                 virReportOOMError();
                 goto cleanup;
             }
-            if (!(label = virSecuritySELinuxGenNewContext(data->file_context, mcs)))
+            if (!(label = virSecuritySELinuxGenNewContext(data->file_context,
+                                                          mcs, true)))
                 goto cleanup;
         }
     }
-- 
1.7.0.4


