[libvirt] [PATCH v3 11/18] security_selinux: Remember old labels
John Ferlan
jferlan at redhat.com
Wed Dec 19 23:39:08 UTC 2018
On 12/12/18 7:40 AM, Michal Privoznik wrote:
> Similarly to what I did in DAC driver, this also requires the
> same SELinux label to be used for shared paths. If a path is
> already in use by a domain (or domains) then and the domain we
> are starting now wants to access the path it has to have the same
> SELinux label. This might look too restrictive as the new label
> can still guarantee access to already running domains but in
> reality it is very unlikely and usually an admin mistake.
>
> Signed-off-by: Michal Privoznik <mprivozn at redhat.com>
> ---
> src/security/security_selinux.c | 177 +++++++++++++++++++++++---------
> 1 file changed, 130 insertions(+), 47 deletions(-)
>
[...]
> +
> +static int
> +virSecuritySELinuxRecallLabel(const char *path,
> + security_context_t *con)
> +{
> + if (virSecurityGetRememberedLabel(SECURITY_SELINUX_NAME,
> + path, con) < 0)
> + return -1;
> +
> + if (!con)
> + return 1;
This ordering of the !con check has caused a Coverity concern that we
use @con in the first call... When compared to the *_dac.c code which
passes &label, I assume this should be passing &con, right?
I'd usually send a patch, but wanted to make sure it was the right option...
John
> +
> + return 0;
> +}
> +
> +
[...]
More information about the libvir-list
mailing list