[libvirt] [PATCH 3/6] Use private data struct in SELinux driver

Daniel P. Berrange berrange at redhat.com
Mon May 14 13:43:28 UTC 2012


On Fri, May 11, 2012 at 10:43:38PM -0400, Stefan Berger wrote:
> On 05/11/2012 06:10 AM, Daniel P. Berrange wrote:
> >From: Daniel Walsh <dwalsh at redhat.com>
> >
> >Currently the SELinux driver stores its state in a set of global
> >variables. This switches it to use a private data struct instead.
> >This will enable different instances to have their own data.
> >
> >Signed-off-by: Daniel P. Berrange <berrange at redhat.com>
> >---
> >+SELinuxInitialize(virSecurityManagerPtr mgr)
> >  {
> [...]
> >-    ptr = strchrnul(default_image_context, '\n');
> >-    if (*ptr == '\n') {
> >+    ptr = strchrnul(data->file_context, '\n');
> >+    if (ptr&&  *ptr == '\n') {
> >          *ptr = '\0';
> >-        strcpy(default_content_context, ptr+1);
> >-        ptr = strchrnul(default_content_context, '\n');
> >-        if (*ptr == '\n')
> >+        data->content_context = strdup(ptr+1);
> >+        if (!data->content_context)
> >+            goto error;
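Review bot: the strdup failure path `+        if (!data->content_context) goto error;` jumps to error without reporting the allocation failure; it should call virReportOOMError() before the goto. Two smaller points in the same hunk: strchrnul() never returns NULL, so the `ptr &&` added in `+    if (ptr&&  *ptr == '\n') {` is dead and the previous `if (*ptr == '\n')` form was sufficient; and the removed second pass `-        ptr = strchrnul(default_content_context, '\n'); if (*ptr == '\n')` has no counterpart, so `data->content_context = strdup(ptr+1)` will keep any trailing newline from the context file unless it is stripped elsewhere.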
> 
> virReportOOMError ?
> 
> >@@ -264,13 +277,11 @@ SELinuxGenSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
> >          goto cleanup;
> >      }
> >
> >-    if (!def->seclabel.norelabel) {
> >-        def->seclabel.imagelabel = SELinuxGenNewContext(default_image_context, mcs);
> >-        if (!def->seclabel.imagelabel)  {
> >-            virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
> >-                                   _("cannot generate selinux context for %s"), mcs);
> >-            goto cleanup;
> >-        }
> >+    def->seclabel.imagelabel = SELinuxGenNewContext(data->file_context, mcs);
> >+    if (!def->seclabel.imagelabel)  {
> >+        virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
> >+                               _("cannot generate selinux context for %s"), mcs);
> >+        goto cleanup;
> >      }
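Review bot: dropping the `if (!def->seclabel.norelabel)` guard is a behaviour change (an imagelabel is now generated even when norelabel is set) that is unrelated to moving state into the private data struct; keep the guard in this patch and make that change separately so it can be reviewed on its own. Also, since the function now reads `data->file_context`, presumably obtained from mgr, the `mgr ATTRIBUTE_UNUSED` in the signature shown in the hunk header should be dropped if mgr is indeed used now.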
> 
> 
> There was this check if (!def->seclabel.norelabel) that's now gone.
> Was this removed by accident?

Yes & no. It was intentionally removed, but it should have been done in
a separate patch, rather than this one. I'll remove this behaviour
change & re-submit in a separate patch.

Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
