[libvirt] [PATCH v3 11/18] security_selinux: Remember old labels

Michal Prívozník mprivozn at redhat.com
Thu Dec 20 20:36:28 UTC 2018


On 12/20/18 12:39 AM, John Ferlan wrote:
> 
> 
> On 12/12/18 7:40 AM, Michal Privoznik wrote:
>> Similarly to what I did in DAC driver, this also requires the
>> same SELinux label to be used for shared paths. If a path is
>> already in use by a domain (or domains) then and the domain we
>> are starting now wants to access the path it has to have the same
>> SELinux label. This might look too restrictive as the new label
>> can still guarantee access to already running domains but in
>> reality it is very unlikely and usually an admin mistake.
>>
>> Signed-off-by: Michal Privoznik <mprivozn at redhat.com>
>> ---
>>  src/security/security_selinux.c | 177 +++++++++++++++++++++++---------
>>  1 file changed, 130 insertions(+), 47 deletions(-)
>>
> 
> [...]
> 
>> +
>> +static int
>> +virSecuritySELinuxRecallLabel(const char *path,
>> +                              security_context_t *con)
>> +{
>> +    if (virSecurityGetRememberedLabel(SECURITY_SELINUX_NAME,
>> +                                      path, con) < 0)
>> +        return -1;
>> +
>> +    if (!con)
>> +        return 1;
> 
> This ordering of the !con check has caused a Coverity concern that we
> use @con in the first call... When compared to the *_dac.c code which
> passes &label, I assume this should be passing &con, right?

Ooops, this hould have been if (!*con) return 1;.
security_context_t is actually char *; therefore here con is type of
char ** (just look at virSecurityGetRememberedLabel).

I wonder if this will fix the issue Marc reported (unfortunately I don't
have much time to dig into it right now).

Michal




More information about the libvir-list mailing list