Re: [libvirt] [PATCH 6/6] Try much harder to restore disk file labels

On Tue, Sep 01, 2009 at 01:00:13PM -0400, Stephen Smalley wrote: > On Tue, 2009-09-01 at 16:28 +0100, Daniel P. Berrange wrote: > > * src/security_selinux.c: matchpath() may well return NULL for many > > directories, to try and fallback to using parent directory label > > in that scenario. > > When have you seen this happen? matchpathcon() ultimately should fall > back to the top-level regex (/.*) and map any otherwise unmatched files > to default_t, and should generally have a fallback regex for each > subtree (e.g. any file under /dev that isn't otherwise matched would get > device_t). So I wouldn't expect this to happen. That describes what I always imagined would happen, but in my recent testing it doesn't appear to be doing that in practice in some cases eg, running matchpathcon("/media/usbdisk/virtual-images/demo.img") returned an error. Likewise for /sys/bus/pci/devices/NNNN.NN.NN.NN/*. I was testing this on a Fedora 11 host. Perhaps the policy is simply missing some rules

> Also, files will inherit their SELinux type from the parent directory by > default upon creation unless a type transition rule is specified, so it > isn't clear why you need to replicate this copying from parent behavior > in the application. This code is being run upon VM shutdown, to get rid of the dynamic label that was assigned at VM startup. THe file already exists, so the default rule for file creation wouldn't come into effect at this point, so I was aiming to replicate that behaviour for the existing file. If we could guarentee that matchpathcon($PATH) would always return something usable, I would happily kill this code