[libvirt] [PATCH 5/8] Honour current user and role in SELinux label generation

Daniel P. Berrange berrange at redhat.com
Tue Aug 14 14:22:21 UTC 2012


On Fri, Aug 10, 2012 at 02:55:24PM -0600, Eric Blake wrote:
> On 08/10/2012 07:48 AM, Daniel P. Berrange wrote:
> > From: "Daniel P. Berrange" <berrange at redhat.com>
> > 
> > When generating an SELinux context for a VM from the template
> > "system_u:system_r:svirt_t:s0", copy the role + user from the
> > current process instead of the template context. So if the
> > current process is
> > 
> >    unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> > 
> > then the VM context ends up as
> > 
> >   unconfined_u:unconfined_r:svirt_t:s0:c386,c703
> > 
> > instead of
> > 
> >    system_u:system_r:svirt_t:s0:c177,c424
> > 
> 
> >  virSecuritySELinuxGenNewContext(const char *basecontext, const char *mcs)
> >  {
> > -    context_t context;
> > +    context_t context = NULL;
> >      char *ret = NULL;
> >      char *str;
> > +    security_context_t curseccontext = NULL;
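
Review bot: The two declarations initialised to NULL here (`context` and the new `curseccontext`) imply a shared cleanup path that the quoted lines do not show; please confirm that every exit from virSecuritySELinuxGenNewContext, including early error returns, releases `curseccontext` with freecon() and `context` with context_free(). A short comment above the function stating that user and role now come from the calling process, and only the type from `basecontext`, would also help callers.
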
> 
> When I first read this, I wondered why you felt the context of the C
> language was worth cursing - is it really hard to manage security labels
> in the C language?  Adding some underscores would not hurt, since you
> meant cur_sec_context and not curse_c_context :)

Changed it to ourSecContext :-)

Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
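
The label composition described in the commit message above, as an added example that is not part of the thread or libvirt's own code: user and role are copied from the current process context, the type from the template, and the range is replaced. It splits the strings by hand and takes the current context as a parameter so it runs without libselinux; `split_context`, `gen_new_context` and passing the full range as `range` are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct field { const char *s; int len; };
/* Locate user, role and type in "user:role:type:range". Only the first three
 * colons are separators: the range may contain more ("s0-s0:c0.c1023"). */
static int split_context(const char *ctx, struct field f[3])
{
    for (int i = 0; i < 3; i++) {
        const char *colon = strchr(ctx, ':');
        if (colon == NULL || colon == ctx)
            return -1;                  /* missing or empty field */
        f[i].s = ctx;
        f[i].len = (int)(colon - ctx);
        ctx = colon + 1;
    }
    return *ctx == '\0' ? -1 : 0;       /* an empty range is malformed */
}

/* Hypothetical helper (not libvirt's function): user and role come from
 * `current`, type from `base`, and `range` replaces the range of both.
 * Returns a malloc'd string the caller frees, or NULL on malformed input. */
char *gen_new_context(const char *base, const char *current, const char *range)
{
    struct field b[3], c[3];
    size_t len;
    char *out;
    if (*range == '\0' || split_context(base, b) < 0 || split_context(current, c) < 0)
        return NULL;
    len = (size_t)c[0].len + c[1].len + b[2].len + strlen(range) + 4;
    out = malloc(len);
    if (out != NULL)
        snprintf(out, len, "%.*s:%.*s:%.*s:%s", c[0].len, c[0].s,
                 c[1].len, c[1].s, b[2].len, b[2].s, range);
    return out;
}

int main(void)
{
    /* Contexts and category pair as given in the commit message above. */
    char *label = gen_new_context("system_u:system_r:svirt_t:s0",
        "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023", "s0:c386,c703");
    if (label == NULL)
        return 1;
    puts(label);
    free(label);
    return 0;
}
```

The caller's own range (`s0-s0:c0.c1023`) is never inherited, so the resulting label keeps the `svirt_t` type and a per-VM category pair while recording the invoking user and role.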



