[libvirt] [PATCH 6/6] Try much harder to restore disk file labels
Stephen Smalley
sds at tycho.nsa.gov
Tue Sep 1 17:00:13 UTC 2009
On Tue, 2009-09-01 at 16:28 +0100, Daniel P. Berrange wrote:
> * src/security_selinux.c: matchpath() may well return NULL for many
> directories, so try to fall back to using the parent directory label
> in that scenario.
When have you seen this happen? matchpathcon() ultimately should fall
back to the top-level regex (/.*) and map any otherwise unmatched files
to default_t, and should generally have a fallback regex for each
subtree (e.g. any file under /dev that isn't otherwise matched would get
device_t). So I wouldn't expect this to happen.
Also, files will inherit their SELinux type from the parent directory by
default upon creation unless a type transition rule is specified, so it
isn't clear why you need to replicate this copying from parent behavior
in the application.
> ---
> src/security_selinux.c | 29 ++++++++++++++++++++++++++++-
> 1 files changed, 28 insertions(+), 1 deletions(-)
>
> diff --git a/src/security_selinux.c b/src/security_selinux.c
> index bc295b1..0072360 100644
> --- a/src/security_selinux.c
> +++ b/src/security_selinux.c
> @@ -366,8 +366,35 @@ SELinuxRestoreSecurityFileLabel(virConnectPtr conn,
> if (stat(newpath, &buf) != 0)
> goto err;
>
> - if (matchpathcon(newpath, buf.st_mode, &fcon) == 0) {
> + /* We try real hard to reset the context
> + *
> + * - Prefer an explicit context from policy for the file
> + * - Otherwise copy from parent directory.
> + *
> + * NB this is not just for disk images - PCI/USB device/sysfs
> + * files here too
> + */
> + if (matchpathcon(newpath, buf.st_mode, &fcon) == 0) {
> rc = SELinuxSetFilecon(conn, newpath, fcon);
> + } else {
> + char *dir = strdup(newpath);
> + char *sep;
> + if (!dir) {
> + virReportOOMError(conn);
> + goto err;
> + }
> + VIR_WARN("Cannot find default context for %s, copying from parent", newpath);
> + sep = strrchr(dir, '/');
> + if (sep) {
> + *sep = '\0';
> + if (getfilecon(dir, &fcon) >= 0)
> + rc = SELinuxSetFilecon(conn, newpath, fcon);
> + else
> + VIR_ERROR("Unable to get security context for directory %s", dir);
> + } else {
> + VIR_ERROR("File %s did not contain a directory separator", newpath);
> + }
> + VIR_FREE(dir);
> }
> err:
> VIR_FREE(fcon);
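Review bot: the else branch in this hunk treats every non-zero return from matchpathcon() as "no spec matched the path", but the function also fails when the file_contexts data cannot be loaded or on allocation failure; in those cases the code only emits a VIR_WARN and relabels the file from its parent directory rather than reporting the error. Suggest checking errno right after the matchpathcon() call and taking the parent-directory fallback only when it is ENOENT, e.g. `if (errno != ENOENT) goto err;` before the VIR_WARN. Two smaller points in the same block: for a path directly under the root such as "/dev", strrchr() returns the leading '/' and `*sep = '\0'` turns dir into the empty string, so getfilecon(dir, &fcon) fails and the VIR_ERROR names an empty directory (use "/" when sep == dir); and neither VIR_ERROR branch assigns rc, so what the caller sees in those cases depends on rc's initial value, which is outside this hunk.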
--
Stephen Smalley
National Security Agency