[PATCH] security_selinux.c: Relabel existing mode="bind" UNIX sockets
Michal Prívozník
mprivozn at redhat.com
Wed Jun 29 08:52:45 UTC 2022
On 6/28/22 14:33, David Michael wrote:
> This supports sockets created by libvirt and passed by FD using the
> same method as in security_dac.c.
>
> Signed-off-by: David Michael <david at bigbadwolfsecurity.com>
> ---
>
> Hi,
>
> Custom SELinux labels are not applied to sockets when they have
> mode="bind", but other security models (DAC) allow changing these
> sockets. Can the same method be used to support SELinux?
>
> Thanks.
>
> David
>
> src/security/security_selinux.c | 6 ++++--
> tests/securityselinuxlabeldata/chardev.txt | 2 +-
> 2 files changed, 5 insertions(+), 3 deletions(-)
>
> diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
> index e2f34a27dc..8b258c9e36 100644
> --- a/src/security/security_selinux.c
> +++ b/src/security/security_selinux.c
> @@ -2618,7 +2620,7 @@ virSecuritySELinuxRestoreChardevLabel(virSecurityManager *mgr,
> case VIR_DOMAIN_CHR_TYPE_UNIX:
> if (!dev_source->data.nix.listen) {
> if (virSecuritySELinuxRestoreFileLabel(mgr,
> - dev_source->data.file.path,
> + dev_source->data.nix.path,
> true) < 0)
> goto done;
> }
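Review bot: The change from dev_source->data.file.path to dev_source->data.nix.path in the VIR_DOMAIN_CHR_TYPE_UNIX case of virSecuritySELinuxRestoreChardevLabel is a correctness fix that the commit message does not mention. It reads the wrong union member for a UNIX socket source and is independent of the mode="bind" relabeling, so it is better sent as its own patch that can be merged on its own. The restore call in this hunk also stays behind `if (!dev_source->data.nix.listen)`; if the set-label side now relabels listening sockets, the commit message should say whether leaving them out of the restore path is intended.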
Regardless of the fate of the rest of the patch, this hunk is a bug fix
and thus should be merged. It's just a coincidence that data.file.path
maps onto data.nix.path in the union.
Michal
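
The coincidence described in the reply above, as an added example that is not part of the original message and is not libvirt's code: the two structs are simplified, hypothetical stand-ins for a chardev source union, and the socket path is a constructed sample. It shows that reading the path through the wrong union member only works while both members keep the pointer at the same offset.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical layout: both union members start with the path pointer. */
struct src_same {
    union {
        struct { char *path; int append; } file;
        struct { char *path; bool listen; } nix;
    } data;
};

/* Hypothetical variant: a field placed ahead of nix.path ends the overlap. */
struct src_shifted {
    union {
        struct { char *path; int append; } file;
        struct { bool listen; char *path; } nix;
    } data;
};

static char sample_sock[] = "/run/example/chardev.sock"; /* constructed path */

/* Returns 1 if the bytes seen through data.file.path equal data.nix.path. */
int wrong_member_matches_same(char *sock)
{
    struct src_same s;
    memset(&s, 0, sizeof(s));
    s.data.nix.path = sock;      /* the source is a UNIX socket */
    s.data.nix.listen = false;
    return memcmp(&s.data.file.path, &s.data.nix.path, sizeof(char *)) == 0;
}

/* Same check on the shifted layout: file.path now overlaps 'listen' and padding. */
int wrong_member_matches_shifted(char *sock)
{
    struct src_shifted s;
    memset(&s, 0, sizeof(s));
    s.data.nix.path = sock;
    s.data.nix.listen = false;
    return memcmp(&s.data.file.path, &s.data.nix.path, sizeof(char *)) == 0;
}

int main(void)
{
    printf("same layout:    file.path aliases nix.path = %d\n",
           wrong_member_matches_same(sample_sock));
    printf("shifted layout: file.path aliases nix.path = %d\n",
           wrong_member_matches_shifted(sample_sock));
    return 0;
}
```

In the shifted layout a label-restore call given `data.file.path` would receive a pointer that is not the socket path, which is why naming the member that matches the source type matters even when the current layout hides the mistake.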