[libvirt] [PATCH 2/2] libvirt patch to write a mcs translation file to /run/setrans directory

dwalsh at redhat.com dwalsh at redhat.com
Wed May 15 18:36:32 UTC 2013


From: Dan Walsh <dwalsh at redhat.com>

mcstransd is a translation tool that can translate MCS Labels into human
understandable code.  I have patched it to watch for translation files in the
/run/setrans directory.  This allows us to run commands like ps -eZ and see
system_u:system_r:svirt_t:Fedora18 rather than system_u:system_r:svirt_t:s0:c1,c2.
When used with containers it would make an easy way to list all processes within
a container using ps -eZ | grep Fedora18
---
 src/security/security_selinux.c | 59 ++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 58 insertions(+), 1 deletion(-)

diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index 5d108b9..cbcd013 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -83,6 +83,57 @@ virSecuritySELinuxRestoreSecurityTPMFileLabelInt(virSecurityManagerPtr mgr,
                                                  virDomainTPMDefPtr tpm);
 
 
+static int
+virSecuritySELinuxAddMCSFile(const char *name,
+                             const char *label)
+{
+    int ret = -1;
+    char *tmp = NULL;
+    context_t con = NULL;
+
+    if (virAsprintf(&tmp, "%s/%s", SELINUX_TRANS_DIR, name) < 0) {
+        virReportOOMError();
+        return -1;
+    }
+    if (! (con = context_new(label))) {
+        virReportSystemError(errno, "%s",
+                             _("unable to allocate security context"));
+        goto cleanup;
+    }
+    if (virFileWriteStr(tmp, context_range_get(con), 0) < 0) {
+        virReportSystemError(errno,
+                             _("unable to create MCS file %s"), tmp);
+        goto cleanup;
+    }
+    ret = 0;
+
+cleanup:
+    VIR_FREE(tmp);
+    context_free(con);
+    return ret;
+}
+
+static int
+virSecuritySELinuxRemoveMCSFile(const char *name)
+{
+    char *tmp=NULL;
+    int ret = -1;
+    if (virAsprintf(&tmp, "%s/%s", SELINUX_TRANS_DIR, name) < 0) {
+        virReportOOMError();
+        return -1;
+    }
+    if (unlink(tmp) < 0 && errno != ENOENT) {
+        virReportSystemError(errno,
+                             _("Unable to remove MCS file %s"), tmp);
+        goto cleanup;
+    }
+    ret = 0;
+
+cleanup:
+    VIR_FREE(tmp);
+    return ret;
+}
+
 /*
  * Returns 0 on success, 1 if already reserved, or -1 on fatal error
  */
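Review bot: `virFileWriteStr(tmp, context_range_get(con), 0)` passes a mode of 0; if that helper follows libvirt's usual convention where a zero mode means open an existing file without O_CREAT, the translation file is never created and every call fails with ENOENT, which under the enforcing-mode check in the later virSecuritySELinuxSetSecurityProcessLabel hunk would block domain start. An explicit mode such as `virFileWriteStr(tmp, range, 0644)` avoids that, and `context_range_get(con)` should be checked for NULL before it is written, since a label without an MCS range would otherwise hand a NULL string to the writer. Both helpers also splice `name` straight into a path under SELINUX_TRANS_DIR (whose definition is outside this hunk); unless the domain name is already guaranteed at this layer to contain no '/', reject such a name here before anything is created or unlinked.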
@@ -1953,7 +2004,7 @@ virSecuritySELinuxReleaseSecurityLabel(virSecurityManagerPtr mgr,
     }
     VIR_FREE(secdef->imagelabel);
 
-    return 0;
+    return virSecuritySELinuxRemoveMCSFile(def->name);
 }
 
 
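Review bot: `return virSecuritySELinuxRemoveMCSFile(def->name);` turns a failed unlink of the optional translation file into a failure of virSecuritySELinuxReleaseSecurityLabel, after the label fields (at least `secdef->imagelabel` on the line above) have already been freed, so the caller sees an error it cannot act on while the release has effectively happened. Consider logging the unlink failure and keeping the previous `return 0;`, or at least documenting in the function's comment that release now fails when the translation file cannot be removed. The function body begins outside the hunk.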
@@ -2047,10 +2098,16 @@ virSecuritySELinuxSetSecurityProcessLabel(virSecurityManagerPtr mgr ATTRIBUTE_UN
             return -1;
     }
 
+    if (virSecuritySELinuxAddMCSFile(def->name, secdef->label) < 0) {
+        if (security_getenforce() == 1)
+            return -1;
+    }
+
     if (setexeccon_raw(secdef->label) == -1) {
         virReportSystemError(errno,
                              _("unable to set security context '%s'"),
                              secdef->label);
+        virSecuritySELinuxRemoveMCSFile(def->name);
         if (security_getenforce() == 1)
             return -1;
     }
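Review bot: The new `if (virSecuritySELinuxAddMCSFile(def->name, secdef->label) < 0)` block falls through silently in permissive mode, leaving the error the helper already reported on the thread's error stack while the function may still go on to return success; a `VIR_WARN("Unable to write MCS translation file for %s", def->name)` in the fall-through, or a `virResetLastError()`, would make that outcome explicit. The translation file is also written before `setexeccon_raw`, so any later failure path of this function (outside this hunk) would need the same `virSecuritySELinuxRemoveMCSFile(def->name)` cleanup that the setexeccon branch now performs. The enclosing function starts and ends outside the hunk.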
-- 
1.8.2.1



