[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

[libvirt] [PATCH 6/6] Try much harder to restore disk file labels



* src/security_selinux.c: matchpath() may well return NULL for many
  directories, to try and fallback to using parent directory label
  in that scenario.
---
 src/security_selinux.c |   29 ++++++++++++++++++++++++++++-
 1 files changed, 28 insertions(+), 1 deletions(-)

diff --git a/src/security_selinux.c b/src/security_selinux.c
index bc295b1..0072360 100644
--- a/src/security_selinux.c
+++ b/src/security_selinux.c
@@ -366,8 +366,35 @@ SELinuxRestoreSecurityFileLabel(virConnectPtr conn,
     if (stat(newpath, &buf) != 0)
         goto err;
 
-    if (matchpathcon(newpath, buf.st_mode, &fcon) == 0)  {
+    /* We try real hard to reset the context
+     *
+     *   - Prefer an explicit context from policy for the file
+     *   - Otherwise copy from parent directory.
+     *
+     * NB this is not just for disk images - PCI/USB device/sysfs
+     * files here too
+     */
+    if (matchpathcon(newpath, buf.st_mode, &fcon) == 0) {
         rc = SELinuxSetFilecon(conn, newpath, fcon);
+    } else {
+        char *dir = strdup(newpath);
+        char *sep;
+        if (!dir) {
+            virReportOOMError(conn);
+            goto err;
+        }
+        VIR_WARN("Cannot find default context for %s, copying from parent", newpath);
+        sep = strrchr(dir, '/');
+        if (sep) {
+            *sep = '\0';
+            if (getfilecon(dir, &fcon) >= 0)
+                rc = SELinuxSetFilecon(conn, newpath, fcon);
+            else
+                VIR_ERROR("Unable to get security context for directory %s", dir);
+        } else {
+            VIR_ERROR("File %s did not contain a directory separator", newpath);
+        }
+        VIR_FREE(dir);
     }
 err:
     VIR_FREE(fcon);
-- 
1.6.2.5


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]