[PATCH] security_selinux.c: Relabel existing mode="bind" UNIX sockets

David Michael david at bigbadwolfsecurity.com
Tue Jun 28 12:33:41 UTC 2022


This supports sockets created by libvirt and passed by FD using the
same method as in security_dac.c.

Signed-off-by: David Michael <david at bigbadwolfsecurity.com>
---

Hi,

Custom SELinux labels are not applied to sockets when they have
mode="bind", but other security models (DAC) allow changing these
sockets.  Can the same method be used to support SELinux?

Thanks.

David

 src/security/security_selinux.c            | 6 ++++--
 tests/securityselinuxlabeldata/chardev.txt | 2 +-
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index e2f34a27dc..8b258c9e36 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -2541,7 +2541,9 @@ virSecuritySELinuxSetChardevLabel(virSecurityManager *mgr,
         break;
 
     case VIR_DOMAIN_CHR_TYPE_UNIX:
-        if (!dev_source->data.nix.listen) {
+        if (!dev_source->data.nix.listen ||
+            (dev_source->data.nix.path &&
+             virFileExists(dev_source->data.nix.path))) {
             if (virSecuritySELinuxSetFilecon(mgr,
                                              dev_source->data.nix.path,
                                              imagelabel,
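Review bot: The widened condition on the three new `if` lines relabels whatever already exists at `dev_source->data.nix.path`, not only a socket libvirt created, because virFileExists() is true for any file type; a stale regular file or directory at a path taken from the domain configuration would also receive imagelabel. Narrowing the check to sockets would avoid that, e.g. `struct stat sb;` followed by `stat(dev_source->data.nix.path, &sb) == 0 && S_ISSOCK(sb.st_mode)` in place of the bare virFileExists() call, or a tree helper with that meaning if one exists. The existence check and the later setfilecon are also not atomic, but the description says this mirrors security_dac.c, so that is presumably an accepted trade-off there too. virSecuritySELinuxSetChardevLabel starts and ends outside the hunk.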
@@ -2618,7 +2620,7 @@ virSecuritySELinuxRestoreChardevLabel(virSecurityManager *mgr,
     case VIR_DOMAIN_CHR_TYPE_UNIX:
         if (!dev_source->data.nix.listen) {
             if (virSecuritySELinuxRestoreFileLabel(mgr,
-                                                   dev_source->data.file.path,
+                                                   dev_source->data.nix.path,
                                                    true) < 0)
                 goto done;
         }
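Review bot: The restore side is still guarded only by `if (!dev_source->data.nix.listen)`, so a listening socket that the set hunk now relabels because it already exists on disk is never passed to virSecuritySELinuxRestoreFileLabel, and imagelabel presumably stays on a file that outlives the domain. The guard should mirror the set side: `if (!dev_source->data.nix.listen || (dev_source->data.nix.path && virFileExists(dev_source->data.nix.path))) {`. The `data.file.path` to `data.nix.path` correction itself is right for the UNIX case. virSecuritySELinuxRestoreChardevLabel starts and ends outside the hunk.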
diff --git a/tests/securityselinuxlabeldata/chardev.txt b/tests/securityselinuxlabeldata/chardev.txt
index 3f4b6302b9..bdb367f7a5 100644
--- a/tests/securityselinuxlabeldata/chardev.txt
+++ b/tests/securityselinuxlabeldata/chardev.txt
@@ -2,6 +2,6 @@
 /plain.dev;system_u:object_r:svirt_image_t:s0:c41,c264
 /plain.fifo;system_u:object_r:svirt_image_t:s0:c41,c264
 /nolabel.sock;
-/plain.sock;
+/plain.sock;system_u:object_r:svirt_image_t:s0:c41,c264
 /yeslabel.sock;system_u:object_r:svirt_image_t:s0:c41,c264
 /altlabel.sock;system_u:object_r:svirt_image_custom_t:s0:c41,c264
-- 
2.36.1


