This function calls virSecuritySELinuxSetFilecon() or
virSecuritySELinuxSetFileconOptional() from a lot of places.
It works because in all places we're passing src->path, which is
what we wanted. But that will no longer be the case: we will want to be able to pass
a different path, and thus the function must be reworked a bit.
Signed-off-by: Michal Privoznik <mprivozn(a)redhat.com>
---
src/security/security_selinux.c | 39 ++++++++++++++-------------------
1 file changed, 17 insertions(+), 22 deletions(-)
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index ea20373a90..99cef3f212 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -1820,7 +1820,10 @@ virSecuritySELinuxSetImageLabelInternal(virSecurityManagerPtr mgr,
virSecurityDeviceLabelDefPtr disk_seclabel;
virSecurityDeviceLabelDefPtr parent_seclabel = NULL;
bool remember;
- int ret;
+ const char *path = src->path;
+ const char *tcon = NULL;
+ bool optional = false;
+ int ret = -1;
if (!src->path || !virStorageSourceIsLocalStorage(src))
return 0;
@@ -1853,40 +1856,32 @@ virSecuritySELinuxSetImageLabelInternal(virSecurityManagerPtr
mgr,
if (!disk_seclabel->relabel)
return 0;
- ret = virSecuritySELinuxSetFilecon(mgr, src->path,
- disk_seclabel->label, remember);
+ tcon = disk_seclabel->label;
} else if (parent_seclabel && (!parent_seclabel->relabel ||
parent_seclabel->label)) {
if (!parent_seclabel->relabel)
return 0;
- ret = virSecuritySELinuxSetFilecon(mgr, src->path,
- parent_seclabel->label, remember);
+ tcon = parent_seclabel->label;
} else if (!parent || parent == src) {
if (src->shared) {
- ret = virSecuritySELinuxSetFileconOptional(mgr,
- src->path,
- data->file_context,
- remember);
+ tcon = data->file_context;
+ optional = true;
} else if (src->readonly) {
- ret = virSecuritySELinuxSetFileconOptional(mgr,
- src->path,
- data->content_context,
- remember);
+ tcon = data->content_context;
+ optional = true;
} else if (secdef->imagelabel) {
- ret = virSecuritySELinuxSetFileconOptional(mgr,
- src->path,
- secdef->imagelabel,
- remember);
+ tcon = secdef->imagelabel;
+ optional = true;
} else {
- ret = 0;
+ return 0;
}
} else {
- ret = virSecuritySELinuxSetFileconOptional(mgr,
- src->path,
- data->content_context,
- remember);
+ optional = true;
+ tcon = data->content_context;
}
+ ret = virSecuritySELinuxSetFileconHelper(mgr, path, tcon, optional, remember);
+
if (ret == 1 && !disk_seclabel) {
/* If we failed to set a label, but virt_use_nfs let us
* proceed anyway, then we don't need to relabel later. */
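Review bot: The final else branch assigns `optional = true;` before `tcon = data->content_context;`, the reverse of the order used in the three `optional` branches above it; writing it as `tcon = data->content_context;` then `optional = true;` keeps the four blocks visually parallel so a missing assignment stands out. Since every path that reaches the new helper call now either returned early or set tcon, a one-line comment above it, e.g. `/* every branch above either returned or chose a context; relabel once here */`, would record the invariant that tcon is non-NULL at this point — the disk_seclabel branch's guard starts before the hunk, so that should be confirmed there as well. The `int ret = -1;` initializer added in the first hunk is overwritten by the helper call on every path that reaches it, so it is now only documentation of intent; keep it if that is the style wanted, otherwise `int ret;` as before is equivalent. virSecuritySELinuxSetImageLabelInternal begins before the first hunk and continues past the last line shown.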
--
2.21.0