[libvirt] [PATCH] selinux: Do not automatically label images of unconfined domains
Daniel P. Berrange
berrange at redhat.com
Wed Jul 25 09:56:37 UTC 2012
On Wed, Jul 25, 2012 at 11:41:27AM +0200, Jiri Denemark wrote:
> When an unconfined domain is being started, it doesn't make any sense to
> automatically relabel its disk images with the default label. Moreover,
> doing so would fail because the generated label would be generated
> without the "s0" sensitivity (since mcs is NULL in this case).
> ---
> src/security/security_selinux.c | 9 +++++++--
> 1 file changed, 7 insertions(+), 2 deletions(-)
>
> diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
> index ca19b70..02808a4 100644
> --- a/src/security/security_selinux.c
> +++ b/src/security/security_selinux.c
> @@ -370,8 +370,13 @@ virSecuritySELinuxGenSecurityLabel(virSecurityManagerPtr mgr,
> goto cleanup;
> }
>
> - if (!def->seclabel.norelabel) {
> - def->seclabel.imagelabel = virSecuritySELinuxGenNewContext(data->file_context, mcs);
> + /* Generating image label does not make any sense if the domain itself
> + * will not be labeled.
> + */
> + if (def->seclabel.type != VIR_DOMAIN_SECLABEL_NONE &&
> + !def->seclabel.norelabel) {
> + def->seclabel.imagelabel =
> + virSecuritySELinuxGenNewContext(data->file_context, mcs);
> if (!def->seclabel.imagelabel) {
> virReportError(VIR_ERR_INTERNAL_ERROR,
> _("cannot generate selinux context for %s"), mcs);
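Review bot: the error path that survives this hunk still formats `mcs` with `%s` in `_("cannot generate selinux context for %s"), mcs)`, and the commit message says `mcs` is NULL for unconfined domains; the new `type != VIR_DOMAIN_SECLABEL_NONE` guard keeps that call from being reached with a NULL `mcs`, so it would help to say so in the new block comment (e.g. "... will not be labeled (mcs is NULL for VIR_DOMAIN_SECLABEL_NONE)") so a later refactor does not reorder the conditions. Since `def->seclabel.imagelabel` is now left NULL for such domains rather than set, every consumer of `imagelabel` in this file must tolerate NULL; that is worth a sentence in the commit message as well.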
ACK, assuming all places in the file already handle the case of an
imagelabel==NULL.
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|