Re: [libvirt] [PATCH 6/6] Try much harder to restore disk file labels

* src/security_selinux.c: matchpath() may well return NULL for many directories, to try and fallback to using parent directory label in that scenario.

--- src/security_selinux.c | 29 ++++++++++++++++++++++++++++- 1 files changed, 28 insertions(+), 1 deletions(-) diff --git a/src/security_selinux.c b/src/security_selinux.c index bc295b1..0072360 100644 --- a/src/security_selinux.c +++ b/src/security_selinux.c @@ -366,8 +366,35 @@ SELinuxRestoreSecurityFileLabel(virConnectPtr conn, if (stat(newpath, &buf) != 0) goto err; - if (matchpathcon(newpath, buf.st_mode, &fcon) == 0) { + /* We try real hard to reset the context + * + * - Prefer an explicit context from policy for the file + * - Otherwise copy from parent directory. + * + * NB this is not just for disk images - PCI/USB device/sysfs + * files here too + */ + if (matchpathcon(newpath, buf.st_mode, &fcon) == 0) { rc = SELinuxSetFilecon(conn, newpath, fcon); + } else { + char *dir = strdup(newpath); + char *sep; + if (!dir) { + virReportOOMError(conn); + goto err; + } + VIR_WARN("Cannot find default context for %s, copying from parent", newpath); + sep = strrchr(dir, '/'); + if (sep) { + *sep = '\0'; + if (getfilecon(dir, &fcon) >= 0) + rc = SELinuxSetFilecon(conn, newpath, fcon); + else + VIR_ERROR("Unable to get security context for directory %s", dir); + } else { + VIR_ERROR("File %s did not contain a directory separator", newpath); + } + VIR_FREE(dir); } err: VIR_FREE(fcon);