[libvirt] [PATCH] selinux: Don't fail RestoreAll if file doesn't have a default label
Daniel J Walsh
dwalsh at redhat.com
Tue Oct 23 10:56:25 UTC 2012
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 10/22/2012 04:13 PM, Cole Robinson wrote:
> On 10/22/2012 11:51 AM, Eric Blake wrote:
>> On 10/21/2012 02:44 PM, Cole Robinson wrote:
>>> When restoring selinux labels after a VM is stopped, any non-standard
>>> path that doesn't have a default selinux label causes the process
>>> to stop and exit early. This isn't really an error condition IMO.
>>>
>>> Of course the selinux API could be erroring for some other reason
>>> but hopefully that's rare enough to not need explicit handling.
>>>
>>> Common example here is storing disk images in a non-standard location
>>> like under /mnt.
>>> ---
>>> src/security/security_selinux.c | 4 ++++
>>> 1 file changed, 4 insertions(+)
>>>
>>> diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
>>> index eee8d71..7681f1b 100644
>>> --- a/src/security/security_selinux.c
>>> +++ b/src/security/security_selinux.c
>>> @@ -936,7 +936,11 @@ virSecuritySELinuxRestoreSecurityFileLabel(const char *path)
>>> }
>>>
>>> if (getContext(newpath, buf.st_mode, &fcon) < 0) {
>>> + /* Any user created path likely does not have a default label,
>>> + * which makes this an expected non error
>>> + */
>>> VIR_WARN("cannot lookup default selinux label for %s", newpath);
>>> + rc = 0;
>>
>> In the case where there is no default label to restore, shouldn't we
>> still be removing our sVirt label rather than just ignoring the failure
>> but leaving our label intact?
>>
>
> I don't know if we can just 'remove' a label, we have to replace it with a
> different label, right? If I create a file under /mnt/foo the catch all label
> is unconfined_u:object_r:file_t:s0 but not sure if we can hardcode that.
>
> dwalsh, is there a way to programmatically determine the fallback default label?
>
> - Cole
>
Another option would be to get the label before the virtual machine starts and
then restore it to the old label, if we have kept the label around.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/
iEYEARECAAYFAlCGd9kACgkQrlYvE4MpobOTqgCfX7IlWThWpHRbPIopZ4BUIerB
e/MAn2YNe6wBNA6X7OGjDHqIqGv2E+7B
=78kR
-----END PGP SIGNATURE-----
More information about the libvir-list
mailing list