[libvirt] [PATCH 6/6] Try much harder to restore disk file labels

Tue Sep 1 17:00:13 UTC 2009

On Tue, 2009-09-01 at 16:28 +0100, Daniel P. Berrange wrote:
> * src/security_selinux.c: matchpath() may well return NULL for many
>   directories, to try and fallback to using parent directory label
>   in that scenario.

When have you seen this happen?  matchpathcon() ultimately should fall
back to the top-level regex (/.*) and map any otherwise unmatched files
to default_t, and should generally have a fallback regex for each
subtree (e.g. any file under /dev that isn't otherwise matched would get
device_t).  So I wouldn't expect this to happen.

Also, files will inherit their SELinux type from the parent directory by
default upon creation unless a type transition rule is specified, so it
isn't clear why you need to replicate this copying from parent behavior
in the application.

> ---
>  src/security_selinux.c |   29 ++++++++++++++++++++++++++++-
>  1 files changed, 28 insertions(+), 1 deletions(-)
> 
> diff --git a/src/security_selinux.c b/src/security_selinux.c
> index bc295b1..0072360 100644
> --- a/src/security_selinux.c
> +++ b/src/security_selinux.c
> @@ -366,8 +366,35 @@ SELinuxRestoreSecurityFileLabel(virConnectPtr conn,
>      if (stat(newpath, &buf) != 0)
>          goto err;
>  
> -    if (matchpathcon(newpath, buf.st_mode, &fcon) == 0)  {
> +    /* We try real hard to reset the context
> +     *
> +     *   - Prefer an explicit context from policy for the file
> +     *   - Otherwise copy from parent directory.
> +     *
> +     * NB this is not just for disk images - PCI/USB device/sysfs
> +     * files here too
> +     */
> +    if (matchpathcon(newpath, buf.st_mode, &fcon) == 0) {
>          rc = SELinuxSetFilecon(conn, newpath, fcon);
> +    } else {
> +        char *dir = strdup(newpath);
> +        char *sep;
> +        if (!dir) {
> +            virReportOOMError(conn);
> +            goto err;
> +        }
> +        VIR_WARN("Cannot find default context for %s, copying from parent", newpath);
> +        sep = strrchr(dir, '/');
> +        if (sep) {
> +            *sep = '\0';
> +            if (getfilecon(dir, &fcon) >= 0)
> +                rc = SELinuxSetFilecon(conn, newpath, fcon);
> +            else
> +                VIR_ERROR("Unable to get security context for directory %s", dir);
> +        } else {
> +            VIR_ERROR("File %s did not contain a directory separator", newpath);
> +        }
> +        VIR_FREE(dir);
>      }
>  err:
>      VIR_FREE(fcon);
-- 
Stephen Smalley
National Security Agency