From: "Daniel P. Berrange" <berrange@xxxxxxxxxx>
For a while we're have random failures of 'securityselinuxtest'
which were not at all reproducible. Fortunately we finally
caught a failure with VIR_TEST_DEBUG=1 enabled. This revealed
TEST: securityselinuxtest
1) GenLabel "dynamic unconfined, s0, c0.c1023" ... OK
2) GenLabel "dynamic unconfined, s0, c0.c1023" ... OK
3) GenLabel "dynamic unconfined, s0, c0.c1023" ... OK
4) GenLabel "dynamic virtd, s0, c0.c1023" ... OK
5) GenLabel "dynamic virtd, s0, c0.c10" ... OK
6) GenLabel "dynamic virtd, s2-s3, c0.c1023" ... OK
7) GenLabel "dynamic virtd, missing range" ... Category two 1024 is out of range 0-1023
FAILED
FAIL: securityselinuxtest
And sure enough we had an off-by-1 in the MCS range code when
the current process has no range set. The test suite randomly
allocates 2 categories from 0->1024 so the chances of hitting
this in the test suite were slim indeed :-)
Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
---
src/security/security_selinux.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index 310e300..ace9cc0 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -218,10 +218,10 @@ virSecuritySELinuxMCSGetProcessRange(char **sens,
*tmp = '\0';
/* sens now just contains the sensitivity lower bound */
- /* If there was no category part, just assume c0.c1024 */
+ /* If there was no category part, just assume c0.c1023 */
if (!cat) {
*catMin = 0;
- *catMax = 1024;
+ *catMax = 1023;
ret = 0;
goto cleanup;
}
--
1.8.3.1
--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list