On 05/08/2018 04:01 PM, John Ferlan wrote:
On 05/04/2018 04:21 PM, Stefan Berger wrote:
> Extend the DAC and SELinux modules with support for the
> tpm-emulator.
>
> Signed-off-by: Stefan Berger <stefanb(a)linux.vnet.ibm.com>
> ---
> src/security/security_dac.c | 4 ++++
> src/security/security_selinux.c | 5 +++++
> 2 files changed, 9 insertions(+)
>
> diff --git a/src/security/security_dac.c b/src/security/security_dac.c
> index 5efbc27..351f6f4 100644
> --- a/src/security/security_dac.c
> +++ b/src/security/security_dac.c
> @@ -1373,6 +1373,10 @@ virSecurityDACSetTPMFileLabel(virSecurityManagerPtr mgr,
> false);
> break;
> case VIR_DOMAIN_TPM_TYPE_EMULATOR:
> + ret = virSecurityDACSetChardevLabel(mgr, def,
> + &tpm->data.emulator.source,
> + false);
> + break;
> case VIR_DOMAIN_TPM_TYPE_LAST:
> break;
> }
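Review bot: the new VIR_DOMAIN_TPM_TYPE_EMULATOR case is one-sided: the diffstat touches only the Set paths (9 insertions across the two files), so virSecurityDACRestoreTPMFileLabel still has no emulator case and falls through to VIR_DOMAIN_TPM_TYPE_LAST doing nothing. Either add the matching `ret = virSecurityDACRestoreChardevLabel(mgr, def, &tpm->data.emulator.source, false);` in the restore function, or, if the socket is deliberately left alone because the emulator process creates and removes it itself, put that reasoning in a comment at the restore site and in the commit message so the asymmetry does not look like an oversight to the next reader.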
virSecurityDACRestoreTPMFileLabel doesn't need to be changed? e.g.:
ret = virSecurityDACRestoreChardevLabel(mgr, def,
&tpm->data.emulator.source,
false);
Hm, this is setting the DAC label for the Unix socket so that QEMU can
connect to it. swtpm creates it but then also removes it upon
termination. So basically restoring the security label is not needed.
Maybe I should add a comment in the code why it's not there. The same is
true for the SELinux label below.
> diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
> index f5ba877..17bc07a 100644
> --- a/src/security/security_selinux.c
> +++ b/src/security/security_selinux.c
> @@ -1473,6 +1473,11 @@ virSecuritySELinuxSetTPMFileLabel(virSecurityManagerPtr mgr,
> }
> break;
> case VIR_DOMAIN_TPM_TYPE_EMULATOR:
> + tpmdev = tpm->data.emulator.source.data.nix.path;
> + rc = virSecuritySELinuxSetFilecon(mgr, tpmdev, seclabel->imagelabel);
> + if (rc < 0)
> + return -1;
> + break;
> case VIR_DOMAIN_TPM_TYPE_LAST:
> break;
> }
>
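Review bot: the SELinux case dereferences `tpm->data.emulator.source.data.nix.path` directly, which silently assumes the emulator chardev source is of the UNIX type, whereas the DAC hunk hands the same source to the generic chardev labelling helper and lets it dispatch on the source type. Either guard the dereference with a check that `source.type` is the UNIX socket type (and return -1 otherwise) or label the source through the chardev helper as the DAC side does, so the two security drivers cannot diverge on which source types they accept. The same restore asymmetry applies here: virSecuritySELinuxRestoreTPMFileLabelInt gets no emulator case, so if the socket label is intentionally not restored, record why next to the restore switch.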
Similarly for virSecuritySELinuxRestoreTPMFileLabelInt:
tpmdev = tpm->data.emulator.source.data.nix.path;
rc = virSecuritySELinuxRestoreFileLabel(mgr, tpmdev);
?
With the adjustments or at least an explanation in the commit message
why they cannot be Restored,
Reviewed-by: John Ferlan <jferlan(a)redhat.com>
John