
Re: [libvirt] [PATCH] selinux: Do not automatically label images of unconfined domains



On Wed, Jul 25, 2012 at 10:56:37 +0100, Daniel P. Berrange wrote:
> On Wed, Jul 25, 2012 at 11:41:27AM +0200, Jiri Denemark wrote:
> > When an unconfined domain is being started, it doesn't make any sense to
> > automatically relabel its disk images with the default label. Moreover,
> > doing so would fail because the generated label would be generated
> > without the "s0" sensitivity (since mcs is NULL in this case).
> > ---
> >  src/security/security_selinux.c | 9 +++++++--
> >  1 file changed, 7 insertions(+), 2 deletions(-)
> > 
> > diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
> > index ca19b70..02808a4 100644
> > --- a/src/security/security_selinux.c
> > +++ b/src/security/security_selinux.c
> > @@ -370,8 +370,13 @@ virSecuritySELinuxGenSecurityLabel(virSecurityManagerPtr mgr,
> >          goto cleanup;
> >      }
> >  
> > -    if (!def->seclabel.norelabel) {
> > -        def->seclabel.imagelabel = virSecuritySELinuxGenNewContext(data->file_context, mcs);
> > +    /* Generating image label does not make any sense if the domain itself
> > +     * will not be labeled.
> > +     */
> > +    if (def->seclabel.type != VIR_DOMAIN_SECLABEL_NONE &&
> > +        !def->seclabel.norelabel) {
> > +        def->seclabel.imagelabel =
> > +            virSecuritySELinuxGenNewContext(data->file_context, mcs);
> >          if (!def->seclabel.imagelabel)  {
> >              virReportError(VIR_ERR_INTERNAL_ERROR,
> >                             _("cannot generate selinux context for %s"), mcs);
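
Review bot: the widened condition leaves def->seclabel.imagelabel NULL for domains with seclabel.type == VIR_DOMAIN_SECLABEL_NONE, so every relabel path in this file that hands imagelabel to a file-context setter must now tolerate a NULL label; the hunk does not show those callers, so either add the NULL checks in the same patch or state in the commit message that they already cope with imagelabel == NULL. A small follow-up on the retained error path: once this branch is skipped for unconfined domains, the "%s" in `_("cannot generate selinux context for %s"), mcs` is only reached when mcs is non-NULL, which matches the commit message's reasoning about the missing "s0" sensitivity.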
> 
> ACK, assuming all places in the file already handle the case of an
> imagelabel==NULL.

It appeared that only disk labeling was working correctly with imagelabel == NULL;
methods relabeling other resources could not handle it. Anyway, the correct
fix seems to be a bit different; I'll send a v2.

Jirka

