[libvirt] [PATCH] selinux: Fix incorrect object label generation.
Daniel P. Berrange
berrange at redhat.com
Mon Aug 20 12:01:12 UTC 2012
On Mon, Aug 20, 2012 at 01:52:16PM +0200, Viktor Mihajlovski wrote:
> This is a fix for the object label generation. It uses a new flag for
> virSecuritySELinuxGenNewContext that specifies whether the context is
> for an object. If so the context role remains unchanged.
> Without this fix, it is not possible to start domains with image-file- or
> block-device-backed storage when SELinux is enabled.
>
> Signed-off-by: Viktor Mihajlovski <mihajlov at linux.vnet.ibm.com>
> ---
> src/security/security_selinux.c | 17 +++++++++++------
> 1 files changed, 11 insertions(+), 6 deletions(-)
>
> diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
> index 48fd78b..8cf23b7 100644
> --- a/src/security/security_selinux.c
> +++ b/src/security/security_selinux.c
> @@ -141,7 +141,9 @@ cleanup:
>
>
> static char *
> -virSecuritySELinuxGenNewContext(const char *basecontext, const char *mcs)
> +virSecuritySELinuxGenNewContext(const char *basecontext,
> + const char *mcs,
> + bool isObjectContext)
> {
> context_t context = NULL;
> char *ret = NULL;
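Review bot: The new `isObjectContext` parameter has no comment describing what it changes, and at the call sites it appears only as a bare `true`/`false`, so a reader has to open this function to learn what the flag means. I would add a short header comment above the signature along the lines of `/* isObjectContext: keep the role of basecontext (file/object labels) instead of replacing it with the calling process' role, which is only correct for process labels */`. The body of virSecuritySELinuxGenNewContext continues past the end of this hunk, so the user/type handling that precedes or follows the role step is not visible here.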
> @@ -176,10 +178,11 @@ virSecuritySELinuxGenNewContext(const char *basecontext, const char *mcs)
> goto cleanup;
> }
>
> - if (context_role_set(context,
> + if (!isObjectContext &&
> + context_role_set(context,
> context_role_get(ourContext)) != 0) {
> virReportSystemError(errno,
> - _("Unable to set SELinux context user '%s'"),
> + _("Unable to set SELinux context role '%s'"),
> context_role_get(ourContext));
> goto cleanup;
> }
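Review bot: The `!isObjectContext &&` short-circuit carries the whole fix but has no why-comment, so the next person touching this will not know that applying the caller's role to a file label is what made image-backed domains unstartable. I would put `/* Object (file) labels keep the base context's role (typically object_r); only process labels take our own role */` directly above the `if`. The corrected error text ('role' instead of 'user') is a welcome fix. Whether the user field copied from ourContext earlier in this function needs the same exemption cannot be judged from here, since that code is outside the hunk.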
> @@ -421,7 +424,8 @@ virSecuritySELinuxGenSecurityLabel(virSecurityManagerPtr mgr,
> if (!(def->seclabel.label =
> virSecuritySELinuxGenNewContext(def->seclabel.baselabel ?
> def->seclabel.baselabel :
> - data->domain_context, mcs)))
> + data->domain_context,
> + mcs, false)))
> goto cleanup;
> break;
>
> @@ -438,7 +442,7 @@ virSecuritySELinuxGenSecurityLabel(virSecurityManagerPtr mgr,
>
> if (!def->seclabel.norelabel) {
> if (!(def->seclabel.imagelabel =
> - virSecuritySELinuxGenNewContext(data->file_context, mcs)))
> + virSecuritySELinuxGenNewContext(data->file_context, mcs, true)))
> goto cleanup;
> }
>
> @@ -1639,7 +1643,8 @@ virSecuritySELinuxGenImageLabel(virSecurityManagerPtr mgr,
> virReportOOMError();
> goto cleanup;
> }
> - if (!(label = virSecuritySELinuxGenNewContext(data->file_context, mcs)))
> + if (!(label = virSecuritySELinuxGenNewContext(data->file_context,
> + mcs, true)))
> goto cleanup;
> }
> }
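Review bot: Passing a positional `true` as the last argument to virSecuritySELinuxGenNewContext is opaque at this call site and at the two sibling call sites in the same patch; a reader cannot tell that it selects object-context behaviour. A minimal improvement is to annotate the literal, `mcs, true /* isObjectContext */)`, at each call, or to introduce a thin wrapper such as a static virSecuritySELinuxGenObjectContext() so the intent is carried by the name. The surrounding function virSecuritySELinuxGenImageLabel starts and ends outside this hunk.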
ACK
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|