Re: [PATCH] selinux: Don't fail RestoreAll if file doesn't have a default label

On 10/21/2012 02:44 PM, Cole Robinson wrote:
> When restoring selinux labels after a VM is stopped, any non-standard
> path that doesn't have a default selinux label causes the process
> to stop and exit early. This isn't really an error condition IMO.
> 
> Of course the selinux API could be erroring for some other reason
> but hopefully that's rare enough to not need explicit handling.
> 
> Common example here is storing disk images in a non-standard location
> like under /mnt.
> ---
>  src/security/security_selinux.c | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
> index eee8d71..7681f1b 100644
> --- a/src/security/security_selinux.c
> +++ b/src/security/security_selinux.c
> @@ -936,7 +936,11 @@ virSecuritySELinuxRestoreSecurityFileLabel(const char *path)
>      }
>  
>      if (getContext(newpath, buf.st_mode, &fcon) < 0) {
> +        /* Any user created path likely does not have a default label,
> +         * which makes this an expected non error
> +         */
>          VIR_WARN("cannot lookup default selinux label for %s", newpath);
> +        rc = 0;
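
Review bot: Setting `rc = 0` in the `getContext(newpath, buf.st_mode, &fcon) < 0` branch turns every lookup failure into success, not only the "no default label" case the new comment describes, so a real error from the SELinux API is now reported as a successful restore. Consider inspecting errno after the failed call and clearing rc only when it indicates that no matching context exists (ENOENT from the libselinux lookup), leaving other failures as errors. If the missing-label case really is expected, VIR_WARN is also louder than the comment's "expected non error" wording implies; a lower log level would fit it better.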

In the case where there is no default label to restore, shouldn't we
still be removing our sVirt label rather than just ignoring the failure
but leaving our label intact?

-- 
Eric Blake   eblake@xxxxxxxxxx    +1-919-301-3266
Libvirt virtualization library http://libvirt.org


--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
