[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [libvirt] [PATCH] selinux: Fix incorrect file label generation.



On Fri, Aug 17, 2012 at 02:53:29PM +0200, Viktor Mihajlovski wrote:
> This is an ad-hoc fix for the file label generation. It uses the base context
> role to determine whether to use the libvirt process context role. If this
> is object_r we don't touch it.
> It might be better to add a new flag to virSecuritySELinuxGenNewContext that
> specifies the context type (process or file) in the future.
> 
> Signed-off-by: Viktor Mihajlovski <mihajlov linux vnet ibm com>
> ---
>  src/security/security_selinux.c |    4 +++-
>  1 files changed, 3 insertions(+), 1 deletions(-)
> 
> diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
> index 48fd78b..34b9aad 100644
> --- a/src/security/security_selinux.c
> +++ b/src/security/security_selinux.c
> @@ -176,7 +176,9 @@ virSecuritySELinuxGenNewContext(const char *basecontext, const char *mcs)
>          goto cleanup;
>      }
>  
> -    if (context_role_set(context,
> +    /* don't exchange role context if object_r as this is a file context */
> +    if (strcmp("object_r", context_role_get(context)) &&
> +        context_role_set(context,
>                           context_role_get(ourContext)) != 0) {
>          virReportSystemError(errno,
>                               _("Unable to set SELinux context user '%s'"),

Depending on the role name is a bit hacky & potentially unreliable.
We should add a 'bool isObject' parameter to this method to indicate
whether the label being generated is for an object or a process and
conditionalize based on that.


Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]