Re: [libvirt] [PATCH v3 2/2] selinux: Only create the selabel_handle once.

24 Jan 2013

On Thu, Jan 24, 2013 at 10:10:58AM +0000, Richard W.M. Jones wrote:
...
From: "Richard W.M. Jones" <rjones@redhat.com>
According to Eric Paris this is slightly more efficient because it
only loads the regular expressions in libselinux once.
---
 src/security/security_selinux.c | 129 ++++++++++++++++++++++++++--------------
 1 file changed, 83 insertions(+), 46 deletions(-)

diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index a3ef728..d1f80b2 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -63,6 +63,9 @@ struct _virSecuritySELinuxData {
     char *content_context;
     virHashTablePtr mcs;
     bool skipAllLabel;
+#if HAVE_SELINUX_LABEL_H
+    struct selabel_handle *label_handle;
+#endif
 };
struct _virSecuritySELinuxCallbackData {
@@ -367,12 +370,21 @@ virSecuritySELinuxLXCInitialize(virSecurityManagerPtr mgr)
data->skipAllLabel = true;
+#if HAVE_SELINUX_LABEL_H
+    data->label_handle = selabel_open(SELABEL_CTX_FILE, NULL, 0);
+    if (!data->label_handle) {
+        virReportSystemError(errno,
+                             _("cannot open SELinux label_handle"));
This is missing "%s",
...
+        return -1;
+    }
+#endif
+
     selinux_conf = virConfReadFile(selinux_lxc_contexts_path(), 0);
     if (!selinux_conf) {
         virReportSystemError(errno,
                              _("cannot open SELinux lxc contexts file '%s'"),
                              selinux_lxc_contexts_path());
-        return -1;
+        goto error;
     }
scon = virConfGetValue(selinux_conf, "process");
@@ -418,6 +430,9 @@ virSecuritySELinuxLXCInitialize(virSecurityManagerPtr mgr)
     return 0;
error:
+#if HAVE_SELINUX_LABEL_H
+    selabel_close(data->label_handle);
+#endif
     virConfFree(selinux_conf);
     VIR_FREE(data->domain_context);
     VIR_FREE(data->file_context);
@@ -444,6 +459,15 @@ virSecuritySELinuxQEMUInitialize(virSecurityManagerPtr mgr)
data->skipAllLabel = false;
+#if HAVE_SELINUX_LABEL_H
+    data->label_handle = selabel_open(SELABEL_CTX_FILE, NULL, 0);
+    if (!data->label_handle) {
+        virReportSystemError(errno,
+                             _("cannot open SELinux label_handle"));
This is missing "%s",

Rest of the patch looks fine though.

Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|

    

Re: [libvirt] [PATCH v3 2/2] selinux: Only create the selabel_handle once.

Daniel P. Berrange