[libvirt] [PATCH 5/8] Honour current user and role in SELinux label generation

Daniel P. Berrange berrange at redhat.com
Fri Aug 10 13:48:00 UTC 2012


From: "Daniel P. Berrange" <berrange at redhat.com>

When generating an SELinux context for a VM from the template
"system_u:system_r:svirt_t:s0", copy the role + user from the
current process instead of the template context. So if the
current process is

   unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

then the VM context ends up as

  unconfined_u:unconfined_r:svirt_t:s0:c386,c703

instead of

   system_u:system_r:svirt_t:s0:c177,c424

Ideally the /etc/selinux/targeted/contexts/virtual_domain_context
file would have just shown the 'svirt_t' type, and not the full
context, but that can't be changed now for compatibility reasons.

Signed-off-by: Daniel P. Berrange <berrange at redhat.com>
---
 src/security/security_selinux.c | 36 +++++++++++++++++++++++++++++++++++-
 1 file changed, 35 insertions(+), 1 deletion(-)

diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index 1b5c02e..5c917ea 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -101,9 +101,23 @@ virSecuritySELinuxMCSRemove(virSecurityManagerPtr mgr,
 static char *
 virSecuritySELinuxGenNewContext(const char *basecontext, const char *mcs)
 {
-    context_t context;
+    context_t context = NULL;
     char *ret = NULL;
     char *str;
+    security_context_t curseccontext = NULL;
+    context_t curcontext = NULL;
+
+    if (getcon(&curseccontext) < 0) {
+        virReportSystemError(errno, "%s",
+                             _("Unable to get current process SELinux context"));
+        goto cleanup;
+    }
+    if (!(curcontext = context_new(curseccontext))) {
+        virReportSystemError(errno,
+                             _("Unable to parse current SELinux context '%s'"),
+                             curseccontext);
+        goto cleanup;
+    }
 
     if (!(context = context_new(basecontext))) {
         virReportSystemError(errno,
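Review bot: The reason for reading the caller's context at the new getcon() block is only recorded in the commit message, and the code itself does not say that the user and role from this context will override those in the template. A comment above `if (getcon(&curseccontext) < 0)` such as `/* The template only meaningfully supplies the type; user and role are taken from the current process so the VM label matches the caller's domain (e.g. unconfined_u:unconfined_r vs system_u:system_r). */` would let a maintainer reading virSecuritySELinuxGenNewContext see the label-derivation rule without consulting history. Note that when libvirtd runs as the usual system_u:system_r daemon the result presumably matches the template anyway, so the behaviour change only surfaces for non-daemon callers; worth stating if that is the intent. virSecuritySELinuxGenNewContext continues past the end of this hunk.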
@@ -112,6 +126,22 @@ virSecuritySELinuxGenNewContext(const char *basecontext, const char *mcs)
         goto cleanup;
     }
 
+    if (context_user_set(context,
+                         context_user_get(curcontext)) != 0) {
+        virReportSystemError(errno,
+                             _("Unable to set SELinux context user '%s'"),
+                             context_user_get(curcontext));
+        goto cleanup;
+    }
+
+    if (context_role_set(context,
+                         context_role_get(curcontext)) != 0) {
+        virReportSystemError(errno,
+                             _("Unable to set SELinux context user '%s'"),
+                             context_role_get(curcontext));
+        goto cleanup;
+    }
+
     if (context_range_set(context, mcs) != 0) {
         virReportSystemError(errno,
                              _("Unable to set SELinux context MCS '%s'"),
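Review bot: The error reported when context_role_set() fails says "user" instead of "role", so a failure in the role branch will be logged with the same text as a user failure and the operator cannot tell which field was rejected. The message in the second new block should read `_("Unable to set SELinux context role '%s'"),` while still passing `context_role_get(curcontext)`. Both new blocks also pass errno from the context_*_set() calls, which is fine only if libselinux sets it on failure; if it does not, the reported errno may be stale, so consider whether virReportError without errno is the better fit here. The function's remaining body lies outside this hunk.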
@@ -127,7 +157,11 @@ virSecuritySELinuxGenNewContext(const char *basecontext, const char *mcs)
         virReportOOMError();
         goto cleanup;
     }
+    VIR_DEBUG("Generated context '%s' from '%s' and '%s'",
+              ret, basecontext, curseccontext);
 cleanup:
+    freecon(curseccontext);
+    context_free(curcontext);
     context_free(context);
     return ret;
 }
-- 
1.7.11.2



