[libvirt] [PATCH] selinux: Fix incorrect file label generation.

Osier Yang jyang at redhat.com
Fri Aug 17 14:18:25 UTC 2012


On 2012-08-17 20:53, Viktor Mihajlovski wrote:
> This is an ad-hoc fix for the file label generation. It uses the base context
> role to determine whether to use the libvirt process context role. If this
> is object_r we don't touch it.
> It might be better to add a new flag to virSecuritySELinuxGenNewContext that
> specifies the context type (process or file) in the future.
>
> Signed-off-by: Viktor Mihajlovski <mihajlov at linux.vnet.ibm.com>
> ---
>   src/security/security_selinux.c |    4 +++-
>   1 files changed, 3 insertions(+), 1 deletions(-)
>
> diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
> index 48fd78b..34b9aad 100644
> --- a/src/security/security_selinux.c
> +++ b/src/security/security_selinux.c
> @@ -176,7 +176,9 @@ virSecuritySELinuxGenNewContext(const char *basecontext, const char *mcs)
>           goto cleanup;
>       }
>
> -    if (context_role_set(context,
> +    /* don't exchange role context if object_r as this is a file context */
> +    if (strcmp("object_r", context_role_get(context))&&

No strcmp directly, it should be STREQ instead. Good to read HACKING
before making patches. :-)

> +        context_role_set(context,
>                            context_role_get(ourContext)) != 0) {
>           virReportSystemError(errno,
>                                _("Unable to set SELinux context user '%s'"),
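
Review bot: The added condition uses strcmp("object_r", context_role_get(context)) for its nonzero result, so it is true when the role is not object_r. With the project's string macros that is the not-equal form, STRNEQ(context_role_get(context), "object_r"), which states the intent directly. The result of context_role_get(context) is also passed to the comparison unchecked; if it can return NULL here, check it first. The expression is missing a space before &&. Since the branch now only replaces the role, the message in the trailing context, "Unable to set SELinux context user '%s'", names the user where the failing call is context_role_set.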



