[PATCH 1/3] selinux: Don't remember label for restore path

Michal Privoznik mprivozn at redhat.com
Fri Apr 3 15:58:01 UTC 2020


The seclabel for @stdin_path in virSecuritySELinuxSetAllLabel()
is not restored, because at virSecuritySELinuxRestoreAllLabel()
phase it's too late and the caller (QEMU driver) simply doesn't
care. Well, don't remember the label and let the perms leak.

Signed-off-by: Michal Privoznik <mprivozn at redhat.com>
---
 src/security/security_selinux.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index 8aeb6e45a5..f47bfbdba9 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -3233,7 +3233,7 @@ virSecuritySELinuxSetAllLabel(virSecurityManagerPtr mgr,
 
     if (stdin_path &&
         virSecuritySELinuxSetFilecon(mgr, stdin_path,
-                                     data->content_context, true) < 0)
+                                     data->content_context, false) < 0)
         return -1;
 
     return 0;
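Review bot: The call to virSecuritySELinuxSetFilecon() for stdin_path now passes a bare "false" as its last argument with no comment, so a reader of virSecuritySELinuxSetAllLabel() cannot tell that not remembering the label is deliberate. The reason is only in the commit message (virSecuritySELinuxRestoreAllLabel() runs too late and the QEMU driver does not care); a short comment above "if (stdin_path &&" saying the label is intentionally not remembered because it is never restored would keep someone from flipping it back to "true". It is also worth stating there that stdin_path is left carrying data->content_context, since that leftover label is the security-relevant effect of this path.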
-- 
2.24.1



