* configure.ac (with_selinux): Check for <selinux/label.h>.
* src/security/security_selinux.c (getContext): New function.
(SELinuxRestoreSecurityFileLabel): Use it to restore compilation
when using older libselinux.
---
configure.ac | 3 +++
src/security/security_selinux.c | 29 +++++++++++++++++++++++------
2 files changed, 26 insertions(+), 6 deletions(-)
diff --git a/configure.ac b/configure.ac
index c44d024..4df915a 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1023,6 +1023,9 @@ fi
if test "$with_selinux" = "yes"; then
SELINUX_LIBS="-lselinux"
AC_DEFINE_UNQUOTED([HAVE_SELINUX], 1, [whether basic SELinux functionality is
available])
+ dnl We prefer to use <selinux/label.h> and selabel_open, but can fall
+ dnl back to matchpathcon for the sake of RHEL 5's version of libselinux.
+ AC_CHECK_HEADERS([selinux/label.h])
fi
AM_CONDITIONAL([HAVE_SELINUX], [test "$with_selinux" != "no"])
AC_SUBST([SELINUX_CFLAGS])
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index 37539c2..49efa75 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -14,11 +14,13 @@
*/
#include <config.h>
#include <selinux/selinux.h>
-#include <selinux/label.h>
#include <selinux/context.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
+#if HAVE_SELINUX_LABEL_H
+# include <selinux/label.h>
+#endif
#include "security_driver.h"
#include "security_selinux.h"
@@ -355,6 +357,25 @@ SELinuxSetFilecon(const char *path, char *tcon)
return 0;
}
+/* Set fcon to the appropriate label for path and mode, or return -1. */
+static int
+getContext(const char *newpath, mode_t mode, security_context_t *fcon)
+{
+#if HAVE_SELINUX_LABEL_H
+ struct selabel_handle *handle = selabel_open(SELABEL_CTX_FILE, NULL, 0);
+ int ret;
+
+ if (handle == NULL)
+ return -1;
+
+ ret = selabel_lookup(handle, fcon, newpath, mode);
+ selabel_close(handle);
+ return ret;
+#else
+ return matchpathcon(newpath, mode, fcon);
+#endif
+}
+
/* This method shouldn't raise errors, since they'll overwrite
* errors that the caller(s) are already dealing with */
@@ -363,7 +384,6 @@ SELinuxRestoreSecurityFileLabel(const char *path)
{
struct stat buf;
security_context_t fcon = NULL;
- struct selabel_handle *handle = NULL;
int rc = -1;
char *newpath = NULL;
char ebuf[1024];
@@ -382,16 +402,13 @@ SELinuxRestoreSecurityFileLabel(const char *path)
goto err;
}
- if ((handle = selabel_open(SELABEL_CTX_FILE, NULL, 0)) == NULL ||
- selabel_lookup(handle, &fcon, newpath, buf.st_mode) < 0) {
+ if (getContext(newpath, buf.st_mode, &fcon) < 0) {
VIR_WARN("cannot lookup default selinux label for %s", newpath);
} else {
rc = SELinuxSetFilecon(newpath, fcon);
}
err:
- if (handle)
- selabel_close(handle);
freecon(fcon);
VIR_FREE(newpath);
return rc;
--
1.7.3.3