On Wed, May 15, 2013 at 02:36:32PM -0400, dwalsh(a)redhat.com wrote:
From: Dan Walsh <dwalsh(a)redhat.com>
mcstransd is a translation tool that can translate MCS Labels into human
understandable code. I have patched it to watch for translation files in the
/run/setrans directory. This allows us to run commands like ps -eZ and see
system_u:system_r:svirt_t:Fedora18 rather than system_u:system_r:svirt_t:s0:c1,c2.
When used with containers it would make an easy way to list all processes within
a container using ps -eZ | grep Fedora18
---
src/security/security_selinux.c | 59 ++++++++++++++++++++++++++++++++++++++++-
1 file changed, 58 insertions(+), 1 deletion(-)
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index 5d108b9..cbcd013 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -83,6 +83,57 @@ virSecuritySELinuxRestoreSecurityTPMFileLabelInt(virSecurityManagerPtr
mgr,
virDomainTPMDefPtr tpm);
+static int
+virSecuritySELinuxAddMCSFile(const char *name,
+ const char *label)
+{
+ int ret = -1;
+ char *tmp = NULL;
+ context_t con = NULL;
+
+ if (virAsprintf(&tmp, "%s/%s", SELINUX_TRANS_DIR, name) < 0) {
+ virReportOOMError();
+ return -1;
+ }
+ if (! (con = context_new(label))) {
Still has bogus whitespace after the '!'
+ virReportSystemError(errno, "%s",
+ _("unable to allocate security context"));
+ goto cleanup;
+ }
+ if (virFileWriteStr(tmp, context_range_get(con), 0) < 0) {
+ virReportSystemError(errno,
+ _("unable to create MCS file %s"), tmp);
+ goto cleanup;
+ }
+ ret = 0;
+
+cleanup:
+ VIR_FREE(tmp);
+ context_free(con);
+ return ret;
+}
+
+static int
+virSecuritySELinuxRemoveMCSFile(const char *name)
+{
+ char *tmp=NULL;
Space needed either side of the =
+ int ret = -1;
+ if (virAsprintf(&tmp, "%s/%s", SELINUX_TRANS_DIR, name) < 0) {
+ virReportOOMError();
+ return -1;
+ }
+ if (unlink(tmp) < 0 && errno != ENOENT) {
+ virReportSystemError(errno,
+ _("Unable to remove MCS file %s"), tmp);
+ goto cleanup;
+ }
+ ret = 0;
+
+cleanup:
+ VIR_FREE(tmp);
+ return ret;
+}
+
/*
* Returns 0 on success, 1 if already reserved, or -1 on fatal error
*/
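Review bot: `virFileWriteStr(tmp, context_range_get(con), 0)` in virSecuritySELinuxAddMCSFile passes the range straight through, but `context_range_get()` returns NULL for a label that carries no MCS/MLS range (a non-MCS policy, or a label supplied without one), and nothing guards that before it is used as the string to write; add `if (!context_range_get(con)) { virReportError(VIR_ERR_INTERNAL_ERROR, _("security label '%s' has no MCS range"), label); goto cleanup; }` ahead of the write. The mode argument of 0 also looks wrong: if virFileWriteStr opens without O_CREAT when mode is 0, as I recall it does, the file under SELINUX_TRANS_DIR is never created on first use and every call fails with ENOENT, so an explicit mode (0644 or similar) is needed — worth confirming against virfile.c. The `errno` reported after a failed `context_new()` is only meaningful for an allocation failure; for a malformed label libselinux may leave it stale, so a fixed error message would be more accurate there. Since the path is built from a caller-supplied `name`, it is also worth confirming that domain names containing '/' are rejected at parse time, otherwise the translation file lands outside SELINUX_TRANS_DIR.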
@@ -1953,7 +2004,7 @@ virSecuritySELinuxReleaseSecurityLabel(virSecurityManagerPtr mgr,
}
VIR_FREE(secdef->imagelabel);
- return 0;
+ return virSecuritySELinuxRemoveMCSFile(def->name);
}
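Review bot: Returning `virSecuritySELinuxRemoveMCSFile(def->name)` here makes label release fail after `secdef->imagelabel` (and presumably the other labels above, outside the hunk) have already been freed, so a stale or unremovable entry in SELINUX_TRANS_DIR leaves the caller with an error it can no longer act on. Better to keep the release unconditional: `virSecuritySELinuxRemoveMCSFile(def->name); return 0;`, relying on the ENOENT tolerance in the helper for domains whose file was never created (static labels, or a process-label failure earlier). virSecuritySELinuxReleaseSecurityLabel starts outside the hunk.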
@@ -2047,10 +2098,16 @@ virSecuritySELinuxSetSecurityProcessLabel(virSecurityManagerPtr
mgr ATTRIBUTE_UN
return -1;
}
+ if (virSecuritySELinuxAddMCSFile(def->name, secdef->label) < 0) {
+ if (security_getenforce() == 1)
+ return -1;
This call to security_getenforce() must go - we should be unconditonally
reporting errors.
+ }
+
if (setexeccon_raw(secdef->label) == -1) {
virReportSystemError(errno,
_("unable to set security context
'%s'"),
secdef->label);
+ virSecuritySELinuxRemoveMCSFile(def->name);
if (security_getenforce() == 1)
return -1;
}
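Review bot: On the `setexeccon_raw()` failure path the new `virSecuritySELinuxRemoveMCSFile(def->name)` call can itself report (virReportOOMError or virReportSystemError), which overwrites the "unable to set security context" error just raised, so the caller sees the unlink failure rather than the real cause. Wrap the cleanup call so the original error survives, e.g. `virErrorPtr orig = virSaveLastError(); virSecuritySELinuxRemoveMCSFile(def->name); virSetError(orig); virFreeError(orig);`. Note also that `secdef->label` is passed to the helper before `setexeccon_raw()` has accepted it, so a translation file is briefly published for a label that may turn out to be invalid; that is tolerable given the removal, but a one-line comment saying so would help. virSecuritySELinuxSetSecurityProcessLabel starts and ends outside the hunk.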
Daniel
--
|:
http://berrange.com -o-
http://www.flickr.com/photos/dberrange/ :|
|:
http://libvirt.org -o-
http://virt-manager.org :|
|:
http://autobuild.org -o-
http://search.cpan.org/~danberr/ :|
|:
http://entangle-photo.org -o-
http://live.gnome.org/gtk-vnc :|