From: "Daniel P. Berrange" <berrange(a)redhat.com>
When generating an SELinux context for a VM from the template
"system_u:system_r:svirt_t:s0", copy the role + user from the
current process instead of the template context. So if the
current process is
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
then the VM context ends up as
unconfined_u:unconfined_r:svirt_t:s0:c386,c703
instead of
system_u:system_r:svirt_t:s0:c177,c424
Ideally the /etc/selinux/targeted/contexts/virtual_domain_context
file would have just shown the 'svirt_t' type, and not the full
context, but that can't be changed now for compatibility reasons.
Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
---
src/security/security_selinux.c | 36 +++++++++++++++++++++++++++++++++++-
1 file changed, 35 insertions(+), 1 deletion(-)
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index 1b5c02e..5c917ea 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -101,9 +101,23 @@ virSecuritySELinuxMCSRemove(virSecurityManagerPtr mgr,
static char *
virSecuritySELinuxGenNewContext(const char *basecontext, const char *mcs)
{
- context_t context;
+ context_t context = NULL;
char *ret = NULL;
char *str;
+ security_context_t curseccontext = NULL;
+ context_t curcontext = NULL;
+
+ if (getcon(&curseccontext) < 0) {
+ virReportSystemError(errno, "%s",
+ _("Unable to get current process SELinux
context"));
+ goto cleanup;
+ }
+ if (!(curcontext = context_new(curseccontext))) {
+ virReportSystemError(errno,
+ _("Unable to parse current SELinux context
'%s'"),
+ curseccontext);
+ goto cleanup;
+ }
if (!(context = context_new(basecontext))) {
virReportSystemError(errno,
@@ -112,6 +126,22 @@ virSecuritySELinuxGenNewContext(const char *basecontext, const char
*mcs)
goto cleanup;
}
+ if (context_user_set(context,
+ context_user_get(curcontext)) != 0) {
+ virReportSystemError(errno,
+ _("Unable to set SELinux context user
'%s'"),
+ context_user_get(curcontext));
+ goto cleanup;
+ }
+
+ if (context_role_set(context,
+ context_role_get(curcontext)) != 0) {
+ virReportSystemError(errno,
+ _("Unable to set SELinux context user
'%s'"),
+ context_role_get(curcontext));
+ goto cleanup;
+ }
+
if (context_range_set(context, mcs) != 0) {
virReportSystemError(errno,
_("Unable to set SELinux context MCS
'%s'"),
@@ -127,7 +157,11 @@ virSecuritySELinuxGenNewContext(const char *basecontext, const char
*mcs)
virReportOOMError();
goto cleanup;
}
+ VIR_DEBUG("Generated context '%s' from '%s' and
'%s'",
+ ret, basecontext, curseccontext);
cleanup:
+ freecon(curseccontext);
+ context_free(curcontext);
context_free(context);
return ret;
}
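Review bot: Nothing checks that the assembled label is valid under the loaded policy before it is returned: the user and role now come from whatever context libvirtd happens to run in, and a role that is not authorized for the svirt_t type (the commit message's unconfined_r example presumably is, but a session daemon under another role may not be) would only surface later when the label is applied, with a less useful error. A validity check right after ret is built, `if (security_check_context(ret) < 0)`, reporting errno with the offending label and freeing ret before `goto cleanup`, would fail fast at the point where the label is generated. This is a hardening suggestion rather than a defect in the hunk; the VIR_DEBUG and the NULL-tolerant freecon/context_free cleanup look correct.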
--
1.7.11.2