/dev/tap* is an invalid path, but it works with a lax policy. Make it work with a more accurate
policy as well.
v1: fix typo in description
Signed-off-by: Dominick Grift <dac.override(a)gmail.com>
---
src/security/security_selinux.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index 32dc78d777..8c698966cb 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -3251,7 +3251,7 @@ virSecuritySELinuxSetTapFDLabel(virSecurityManagerPtr mgr,
goto cleanup;
}
- /* Label /dev/tap.* devices only. Leave /dev/net/tun alone! */
+ /* Label /dev/tap([0-9]+)? devices only. Leave /dev/net/tun alone! */
proc = g_strdup_printf("/proc/self/fd/%d", fd);
if (virFileResolveLink(proc, &fd_path) < 0) {
@@ -3267,7 +3267,7 @@ virSecuritySELinuxSetTapFDLabel(virSecurityManagerPtr mgr,
goto cleanup;
}
- if (getContext(mgr, "/dev/tap*", buf.st_mode, &fcon) < 0) {
+ if (getContext(mgr, fd_path, buf.st_mode, &fcon) < 0) {
virReportError(VIR_ERR_INTERNAL_ERROR,
_("cannot lookup default selinux label for tap fd %d"),
fd);
goto cleanup;
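Review bot: The lookup key in `getContext(mgr, fd_path, buf.st_mode, &fcon)` is now the resolved target of /proc/self/fd/N, so the label applied depends entirely on the path guard that precedes it, and that guard lies outside both hunks. The updated comment in the first hunk promises `/dev/tap([0-9]+)?`, but if the guard is still a plain prefix match on "/dev/tap", a resolved path with any other suffix would reach the policy lookup and take whatever context the policy assigns to it. Please confirm the guard matches the comment. Because the result is now path-dependent, the error would be easier to diagnose if it named the path, e.g. `_("cannot lookup default selinux label for tap fd %d (%s)"), fd, fd_path`. The body of virSecuritySELinuxSetTapFDLabel starts and ends outside the hunks.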
--
2.24.1