
On Tue, 2009-09-01 at 16:28 +0100, Daniel P. Berrange wrote:
* src/security_selinux.c: matchpath() may well return NULL for many directories, so try to fall back to using the parent directory label in that scenario.
When have you seen this happen? matchpathcon() ultimately should fall back to the top-level regex (/.*) and map any otherwise unmatched files to default_t, and should generally have a fallback regex for each subtree (e.g. any file under /dev that isn't otherwise matched would get device_t). So I wouldn't expect this to happen. Also, files will inherit their SELinux type from the parent directory by default upon creation unless a type transition rule is specified, so it isn't clear why you need to replicate this copying from parent behavior in the application.
--- src/security_selinux.c | 29 ++++++++++++++++++++++++++++- 1 files changed, 28 insertions(+), 1 deletions(-)
diff --git a/src/security_selinux.c b/src/security_selinux.c index bc295b1..0072360 100644 --- a/src/security_selinux.c +++ b/src/security_selinux.c @@ -366,8 +366,35 @@ SELinuxRestoreSecurityFileLabel(virConnectPtr conn, if (stat(newpath, &buf) != 0) goto err;
- if (matchpathcon(newpath, buf.st_mode, &fcon) == 0) { + /* We try real hard to reset the context + * + * - Prefer an explicit context from policy for the file + * - Otherwise copy from parent directory. + * + * NB this is not just for disk images - PCI/USB device/sysfs + * files here too + */ + if (matchpathcon(newpath, buf.st_mode, &fcon) == 0) { rc = SELinuxSetFilecon(conn, newpath, fcon); + } else { + char *dir = strdup(newpath); + char *sep; + if (!dir) { + virReportOOMError(conn); + goto err; + } + VIR_WARN("Cannot find default context for %s, copying from parent", newpath); + sep = strrchr(dir, '/'); + if (sep) { + *sep = '\0'; + if (getfilecon(dir, &fcon) >= 0) + rc = SELinuxSetFilecon(conn, newpath, fcon); + else + VIR_ERROR("Unable to get security context for directory %s", dir); + } else { + VIR_ERROR("File %s did not contain a directory separator", newpath); + } + VIR_FREE(dir); } err: VIR_FREE(fcon); -- Stephen Smalley National Security Agency
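Review bot: in the new else branch, every non-zero return from matchpathcon(newpath, buf.st_mode, &fcon) is treated as "no default context" and triggers the copy-from-parent fallback, but matchpathcon() also returns -1 for failures unrelated to the path (an unreadable file_contexts, for instance), so a transient error would silently relabel the file with its parent directory's context instead of being reported. Check errno == ENOENT before falling back and report any other errno. The parent derivation also mishandles a file directly under the root: for "/foo", `sep = strrchr(dir, '/');` followed by `*sep = '\0';` leaves dir as the empty string and getfilecon(dir, &fcon) fails; treat sep == dir as "/". Given the point in the reply above that matchpathcon() normally has a catch-all regex per subtree, this branch should rarely be reached, so the VIR_WARN is appropriate, but it fires before the parent lookup is attempted and would be more useful after the outcome is known.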