[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

[libvirt] [PATCH 4/6] Add support for LXC specific SELinux configuration



From: Daniel Walsh <dwalsh redhat com>

The SELinux policy for LXC uses a different confinguration file
to the traditional svirt one. Thus we need to load
/etc/selinux/targeted/contexts/lxc_contexts which contains
something like this:

 process = "system_u:system_r:svirt_lxc_net_t:s0"
 file = "system_u:object_r:svirt_lxc_file_t:s0"
 content = "system_u:object_r:virt_var_lib_t:s0"

cleverly designed to be parsable by virConfPtr

Signed-off-by: Daniel P. Berrange <berrange redhat com>
---
 src/security/security_selinux.c |   80 ++++++++++++++++++++++++++++++++++++++-
 1 file changed, 79 insertions(+), 1 deletion(-)

diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index 7202e71..dd6aee9 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -126,8 +126,73 @@ err:
     return newcontext;
 }
 
+
 static int
-SELinuxInitialize(virSecurityManagerPtr mgr)
+SELinuxLXCInitialize(virSecurityManagerPtr mgr)
+{
+    virConfValuePtr scon = NULL;
+    virConfValuePtr tcon = NULL;
+    virConfValuePtr dcon = NULL;
+    virConfPtr selinux_conf;
+    virSecuritySELinuxDataPtr data = virSecurityManagerGetPrivateData(mgr);
+
+    selinux_conf = virConfReadFile(selinux_lxc_contexts_path(), 0);
+    if (!selinux_conf) {
+        virReportSystemError(errno,
+                             _("cannot open SELinux lxc contexts file '%s'"),
+                             selinux_lxc_contexts_path());
+        return -1;
+    }
+
+    scon = virConfGetValue(selinux_conf, "process");
+    if (! scon || scon->type != VIR_CONF_STRING || (! scon->str)) {
+        virReportSystemError(errno,
+                             _("cannot read 'process' value from selinux lxc contexts file '%s'"),
+                             selinux_lxc_contexts_path());
+        goto error;
+    }
+
+    tcon = virConfGetValue(selinux_conf, "file");
+    if (! tcon || tcon->type != VIR_CONF_STRING || (! tcon->str)) {
+        virReportSystemError(errno,
+                             _("cannot read 'file' value from selinux lxc contexts file '%s'"),
+                             selinux_lxc_contexts_path());
+        goto error;
+    }
+
+    dcon = virConfGetValue(selinux_conf, "content");
+    if (! dcon || dcon->type != VIR_CONF_STRING || (! dcon->str)) {
+        virReportSystemError(errno,
+                             _("cannot read 'file' value from selinux lxc contexts file '%s'"),
+                             selinux_lxc_contexts_path());
+        goto error;
+    }
+
+    data->domain_context = strdup(scon->str);
+    data->file_context = strdup(tcon->str);
+    data->content_context = strdup(dcon->str);
+    if (!data->domain_context ||
+        !data->file_context ||
+        !data->content_context) {
+        virReportSystemError(errno,
+                             _("cannot allocate memory for LXC SELinux contexts '%s'"),
+                             selinux_lxc_contexts_path());
+        goto error;
+    }
+    virConfFree(selinux_conf);
+    return 0;
+
+error:
+    virConfFree(selinux_conf);
+    VIR_FREE(data->domain_context);
+    VIR_FREE(data->file_context);
+    VIR_FREE(data->content_context);
+    return -1;
+}
+
+
+static int
+SELinuxQEMUInitialize(virSecurityManagerPtr mgr)
 {
     char *ptr;
     virSecuritySELinuxDataPtr data = virSecurityManagerGetPrivateData(mgr);
@@ -170,6 +235,19 @@ error:
     return -1;
 }
 
+
+static int
+SELinuxInitialize(virSecurityManagerPtr mgr)
+{
+    VIR_DEBUG("SELinuxInitialize %s", virSecurityManagerGetDriver(mgr));
+    if (STREQ(virSecurityManagerGetDriver(mgr),  "LXC")) {
+        return SELinuxLXCInitialize(mgr);
+    } else {
+        return SELinuxQEMUInitialize(mgr);
+    }
+}
+
+
 static int
 SELinuxGenSecurityLabel(virSecurityManagerPtr mgr,
                         virDomainDefPtr def)
-- 
1.7.10.1


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]