On 10/08/2014 07:23 AM, Michal Privoznik wrote:
>> + if (!STRPREFIX(fd_path, "/dev/tap")) {
>
> Should this be "/dev/tap.", since...
>
>> + VIR_DEBUG("fd=%d points to %s not setting SELinux label",
>> + fd, fd_path);
>> + rc = 0;
>> + goto cleanup;
>> + }
>> +
>> if (getContext(mgr, "/dev/tap.*", buf.st_mode, &fcon) < 0)
{
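Review bot: the "/dev/tap" literal in the STRPREFIX filter and the "/dev/tap.*" literal passed to getContext are written out separately, so nothing keeps the early-exit test and the context lookup in agreement about which device name they mean. Define the name once and derive both the prefix test and the lookup argument from it. The prefix test also accepts any path that merely begins with /dev/tap; buf.st_mode is handed to getContext just below, so if buf is already filled in at this point, an S_ISCHR(buf.st_mode) check would narrow the filter to device nodes. The VIR_DEBUG message also wants a comma after %s.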
>
> ...you require a '.' in the context lookup? Without the '.' in the
> filter, you would let the (unlikely) name '/dev/tapX' get through.
>
> ACK with that tweaked.
>
>
In fact, /dev/tapX is what is created. getContext should be using it too
as it accepts shell expendable names, not regular expressions. I'm
adjusting getContext's argument too.

I assume "shell expendable" meant "glob" :)

Oh wow - so you're saying the only reason this even worked is that
getContext was getting lucky and realizing that any file that matches
the stricter glob '/dev/tap.*' also matches the looser glob '/dev/tap*',
and that we were lucky the context rule we were trying to look up was
not written against a tighter glob such as '/dev/tap[0-9]*'.

Yes, you've convinced me that the name really is /dev/tapX and that
removing the spurious '.' in the call to getContext is correct.
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library
http://libvirt.org
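
The three patterns quoted in this thread, read as shell globs and as regular expressions, as an added example that is not part of the original messages or of libvirt's code. The helper names and sample device paths are constructed for illustration, and anchoring the regex to the whole path is an assumption of the example.

```c
#include <fnmatch.h>
#include <regex.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* True when path matches pattern under shell-glob rules (fnmatch(3)). */
static bool glob_match(const char *pattern, const char *path)
{
    return fnmatch(pattern, path, FNM_PATHNAME) == 0;
}

/* True when the whole path matches pattern read as a POSIX extended regex
 * (anchoring with ^...$ is this example's assumption). */
static bool regex_match(const char *pattern, const char *path)
{
    char anchored[256];
    regex_t re;
    bool ok;

    snprintf(anchored, sizeof(anchored), "^(%s)$", pattern);
    if (regcomp(&re, anchored, REG_EXTENDED | REG_NOSUB) != 0)
        return false;
    ok = regexec(&re, path, 0, NULL, 0) == 0;
    regfree(&re);
    return ok;
}

/* Plain prefix comparison, the kind of test the STRPREFIX filter performs. */
static bool has_prefix(const char *path, const char *prefix)
{
    return strncmp(path, prefix, strlen(prefix)) == 0;
}

int main(void)
{
    /* Constructed sample names; the patterns are the ones quoted in the thread. */
    const char *paths[] = { "/dev/tap12", "/dev/tap.12", "/dev/tape0" };
    const char *pats[] = { "/dev/tap.*", "/dev/tap*", "/dev/tap[0-9]*" };

    for (size_t i = 0; i < 3; i++)
        for (size_t j = 0; j < 3; j++)
            printf("%-12s %-16s glob=%d regex=%d prefix=%d\n", paths[i], pats[j],
                   glob_match(pats[j], paths[i]), regex_match(pats[j], paths[i]),
                   has_prefix(paths[i], "/dev/tap"));
    return 0;
}
```

Read as a glob, '/dev/tap.*' needs a literal dot and so rejects /dev/tap12, while the plain prefix test accepts every name that starts with /dev/tap.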