On 10/7/19 6:49 PM, Cole Robinson wrote:
All the SetFilecon calls differ only in the label they pass in.
Rework the conditionals to track which label we need, and use a
single SetFilecon call.
Signed-off-by: Cole Robinson <crobinso(a)redhat.com>
---
Reviewed-by: Daniel Henrique Barboza <danielhb413(a)gmail.com>
src/security/security_selinux.c | 31
++++++++++---------------------
1 file changed, 10 insertions(+), 21 deletions(-)
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index e879fa39ab..9d28bc5773 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -1822,6 +1822,7 @@ virSecuritySELinuxSetImageLabelInternal(virSecurityManagerPtr mgr,
virSecurityLabelDefPtr secdef;
virSecurityDeviceLabelDefPtr disk_seclabel;
virSecurityDeviceLabelDefPtr parent_seclabel = NULL;
+ char *use_label = NULL;
bool remember;
int ret;
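Review bot: `use_label` is never freed or written through in the second hunk; it only aliases strings owned by `disk_seclabel`, `parent_seclabel`, `data` or `secdef`, so the declaration would be clearer as `const char *use_label = NULL;`. That makes the borrowed-pointer intent explicit and would make the compiler object if a later edit tried to free or modify a label that belongs to the domain definition or the driver data. This assumes the label parameter of virSecuritySELinuxSetFilecon is const-qualified, which is not visible here. The function body starts and ends outside this hunk.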
@@ -1856,40 +1857,28 @@ virSecuritySELinuxSetImageLabelInternal(virSecurityManagerPtr
mgr,
if (!disk_seclabel->relabel)
return 0;
- ret = virSecuritySELinuxSetFilecon(mgr, src->path,
- disk_seclabel->label, remember);
+ use_label = disk_seclabel->label;
} else if (parent_seclabel && (!parent_seclabel->relabel ||
parent_seclabel->label)) {
if (!parent_seclabel->relabel)
return 0;
- ret = virSecuritySELinuxSetFilecon(mgr, src->path,
- parent_seclabel->label, remember);
+ use_label = parent_seclabel->label;
} else if (!parent || parent == src) {
if (src->shared) {
- ret = virSecuritySELinuxSetFilecon(mgr,
- src->path,
- data->file_context,
- remember);
+ use_label = data->file_context;
} else if (src->readonly) {
- ret = virSecuritySELinuxSetFilecon(mgr,
- src->path,
- data->content_context,
- remember);
+ use_label = data->content_context;
} else if (secdef->imagelabel) {
- ret = virSecuritySELinuxSetFilecon(mgr,
- src->path,
- secdef->imagelabel,
- remember);
+ use_label = secdef->imagelabel;
} else {
- ret = 0;
+ return 0;
}
} else {
- ret = virSecuritySELinuxSetFilecon(mgr,
- src->path,
- data->content_context,
- remember);
+ use_label = data->content_context;
}
+ ret = virSecuritySELinuxSetFilecon(mgr, src->path, use_label, remember);
+
if (ret == 1 && !disk_seclabel) {
/* If we failed to set a label, but virt_use_nfs let us
* proceed anyway, then we don't need to relabel later. */
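Review bot: The `return 0;` that replaces `ret = 0;` in the innermost `else` now leaves the function immediately, where the old code fell through to the `ret == 1 && !disk_seclabel` check and whatever follows it. With `ret` equal to 0 that check was skipped either way, but the rest of the function lies outside the hunk, so it is worth confirming that nothing later in the body is expected to run on the no-label path. Because this chain decides which SELinux context a disk image receives, a one-line comment above it stating the precedence would help, e.g. `/* Label precedence: per-disk seclabel, then parent's seclabel, then file_context (shared), content_context (readonly) or imagelabel for the top image; otherwise content_context. */`.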