-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 10/22/2012 04:13 PM, Cole Robinson wrote:
> On 10/22/2012 11:51 AM, Eric Blake wrote:
>> On 10/21/2012 02:44 PM, Cole Robinson wrote:
>>> When restoring selinux labels after a VM is stopped, any non-standard
>>> path that doesn't have a default selinux label causes the process to
>>> stop and exit early. This isn't really an error condition IMO.
>>>
>>> Of course the selinux API could be erroring for some other reason but
>>> hopefully that's rare enough to not need explicit handling.
>>>
>>> Common example here is storing disk images in a non-standard location
>>> like under /mnt. --- src/security/security_selinux.c | 4 ++++ 1 file
>>> changed, 4 insertions(+)
>>>
>>> diff --git a/src/security/security_selinux.c
>>> b/src/security/security_selinux.c index eee8d71..7681f1b 100644 ---
>>> a/src/security/security_selinux.c +++
>>> b/src/security/security_selinux.c @@ -936,7 +936,11 @@
>>> virSecuritySELinuxRestoreSecurityFileLabel(const char *path) }
>>>
>>> if (getContext(newpath, buf.st_mode, &fcon) < 0) { + /* Any user
>>> created path likely does not have a default label, + * which
>>> makes this an expected non error + */ VIR_WARN("cannot lookup
>>> default selinux label for %s", newpath); + rc = 0;
>>
>> In the case where there is no default label to restore, shouldn't we
>> still be removing our sVirt label rather than just ignoring the failure
>> but leaving our label intact?
>>
>
> I don't know if we can just 'remove' a label, we have to replace it with a
> different label, right? If I create a file under /mnt/foo the catch all
> label is unconfined_u:object_r:file_t:s0 but not sure if we can hardcode
> that.
>
> dwalsh, is there a way to programmatically determine the fallback default
> label?
>
> - Cole
>
I would guess you could walk the stack until you got a file system with a label.
dirs(newpath) ...
For example in /mnt/a/b/c
Check /mnt/a/b/c, then /mnt/a/b then /mnt/a then /mnt then /
It should definitely not set it to file_t.
I will send this question off to the selinux list to see if they have any
better suggestions.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/
iEYEARECAAYFAlCGd0YACgkQrlYvE4MpobORcACgg8Ctj7tX5qtlSEtyOzaOArvw
rWUAniGx8b73oIhFJpssbid3oexmO46i
=Vz87
-----END PGP SIGNATURE-----
--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list