[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [libvirt] [PATCH v3 11/18] security_selinux: Remember old labels




On 12/12/18 7:40 AM, Michal Privoznik wrote:
> Similarly to what I did in DAC driver, this also requires the
> same SELinux label to be used for shared paths. If a path is
> already in use by a domain (or domains) then and the domain we
> are starting now wants to access the path it has to have the same
> SELinux label. This might look too restrictive as the new label
> can still guarantee access to already running domains but in
> reality it is very unlikely and usually an admin mistake.
> 
> Signed-off-by: Michal Privoznik <mprivozn redhat com>
> ---
>  src/security/security_selinux.c | 177 +++++++++++++++++++++++---------
>  1 file changed, 130 insertions(+), 47 deletions(-)
> 

[...]

> +
> +static int
> +virSecuritySELinuxRecallLabel(const char *path,
> +                              security_context_t *con)
> +{
> +    if (virSecurityGetRememberedLabel(SECURITY_SELINUX_NAME,
> +                                      path, con) < 0)
> +        return -1;
> +
> +    if (!con)
> +        return 1;

This ordering of the !con check has caused a Coverity concern that we
use @con in the first call... When compared to the *_dac.c code which
passes &label, I assume this should be passing &con, right?

I'd usually send a patch, but wanted to make sure it was the right option...

John

> +
> +    return 0;
> +}
> +
> +

[...]


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]