Re: [libvirt] [PATCH 6/6] Try much harder to restore disk file labels

1 Sep 2009

On Tue, 2009-09-01 at 16:28 +0100, Daniel P. Berrange wrote:
...
* src/security_selinux.c: matchpath() may well return NULL for many
  directories, to try and fallback to using parent directory label
  in that scenario.
When have you seen this happen?  matchpathcon() ultimately should fall
back to the top-level regex (/.*) and map any otherwise unmatched files
to default_t, and should generally have a fallback regex for each
subtree (e.g. any file under /dev that isn't otherwise matched would get
device_t).  So I wouldn't expect this to happen.

Also, files will inherit their SELinux type from the parent directory by
default upon creation unless a type transition rule is specified, so it
isn't clear why you need to replicate this copying from parent behavior
in the application.
...
---
 src/security_selinux.c |   29 ++++++++++++++++++++++++++++-
 1 files changed, 28 insertions(+), 1 deletions(-)

diff --git a/src/security_selinux.c b/src/security_selinux.c
index bc295b1..0072360 100644
--- a/src/security_selinux.c
+++ b/src/security_selinux.c
@@ -366,8 +366,35 @@ SELinuxRestoreSecurityFileLabel(virConnectPtr conn,
     if (stat(newpath, &buf) != 0)
         goto err;
-    if (matchpathcon(newpath, buf.st_mode, &fcon) == 0)  {
+    /* We try real hard to reset the context
+     *
+     *   - Prefer an explicit context from policy for the file
+     *   - Otherwise copy from parent directory.
+     *
+     * NB this is not just for disk images - PCI/USB device/sysfs
+     * files here too
+     */
+    if (matchpathcon(newpath, buf.st_mode, &fcon) == 0) {
         rc = SELinuxSetFilecon(conn, newpath, fcon);
+    } else {
+        char *dir = strdup(newpath);
+        char *sep;
+        if (!dir) {
+            virReportOOMError(conn);
+            goto err;
+        }
+        VIR_WARN("Cannot find default context for %s, copying from parent", newpath);
+        sep = strrchr(dir, '/');
+        if (sep) {
+            *sep = '\0';
+            if (getfilecon(dir, &fcon) >= 0)
+                rc = SELinuxSetFilecon(conn, newpath, fcon);
+            else
+                VIR_ERROR("Unable to get security context for directory %s", dir);
+        } else {
+            VIR_ERROR("File %s did not contain a directory separator", newpath);
+        }
+        VIR_FREE(dir);
     }
 err:
     VIR_FREE(fcon);
-- 
Stephen Smalley
National Security Agency

    