On Thu, Nov 18, 2010 at 03:37:07PM +0000, Daniel P. Berrange wrote:
On Thu, Nov 18, 2010 at 04:26:55PM +0100, Daniel Veillard wrote:
> The code in SELinuxRestoreSecurityChardevLabel() was trying to
> use SELinuxSetFilecon directly for devices or file types while
> it should really use SELinuxRestoreSecurityFileLabel encapsulating
> routine, which avoids various problems like resolving symlinks,
> making sure the file exists and works around NFS problems
>
> Daniel
>
> diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
> index 936a1a6..996177a 100644
> --- a/src/security/security_selinux.c
> +++ b/src/security/security_selinux.c
> @@ -694,9 +694,10 @@ SELinuxRestoreSecurityChardevLabel(virDomainObjPtr vm,
> switch (dev->type) {
> case VIR_DOMAIN_CHR_TYPE_DEV:
> case VIR_DOMAIN_CHR_TYPE_FILE:
> - ret = SELinuxSetFilecon(dev->data.file.path, secdef->imagelabel);
> + if (SELinuxRestoreSecurityFileLabel(dev->data.file.path) < 0)
> + goto done;
> + ret = 0;
> break;
> -
> case VIR_DOMAIN_CHR_TYPE_PIPE:
> if ((virAsprintf(&out, "%s.out", dev->data.file.path) <
0) ||
> (virAsprintf(&in, "%s.in", dev->data.file.path) <
0)) {
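Review bot: in the VIR_DOMAIN_CHR_TYPE_DEV / VIR_DOMAIN_CHR_TYPE_FILE case the new call no longer passes secdef->imagelabel, so the label applied on restore is now whatever SELinuxRestoreSecurityFileLabel() picks for the path rather than the image label. The commit message only mentions symlinks, file existence and NFS, so it should state this change in the resulting label explicitly. The error path now does "goto done" without assigning ret, which relies on ret still holding its failure value when it reaches that label; neither the initialisation nor the label is visible in this hunk, so please confirm both. The blank line removed before "case VIR_DOMAIN_CHR_TYPE_PIPE:" is an unrelated whitespace change and would be better left out of this patch.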
ACK
okay, thanks, pushed !
Daniel
--
Daniel Veillard | libxml Gnome XML XSLT toolkit
http://xmlsoft.org/
daniel(a)veillard.com | Rpmfind RPM search engine
http://rpmfind.net/
http://veillard.com/ | virtualization library
http://libvirt.org/