Re: [PATCH] security_selinux.c: Relabel existing mode="bind" UNIX sockets
On 6/28/22 14:33, David Michael wrote:
This supports sockets created by libvirt and passed by FD using the
same method as in security_dac.c.
Signed-off-by: David Michael <david(a)bigbadwolfsecurity.com>
---
Hi,
Custom SELinux labels are not applied to sockets when they have
mode="bind", but other security models (DAC) allow changing these
sockets. Can the same method be used to support SELinux?
Thanks.
David
src/security/security_selinux.c | 6 ++++--
tests/securityselinuxlabeldata/chardev.txt | 2 +-
2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index e2f34a27dc..8b258c9e36 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -2618,7 +2620,7 @@
virSecuritySELinuxRestoreChardevLabel(virSecurityManager *mgr,
case VIR_DOMAIN_CHR_TYPE_UNIX:
if (!dev_source->data.nix.listen) {
if (virSecuritySELinuxRestoreFileLabel(mgr,
- dev_source->data.file.path,
+ dev_source->data.nix.path,
true) < 0)
goto done;
}
Regardless of the fate of the rest of the patch, this hunk is a bug fix
and thus should be merged. It's just a coincidence that data.file.path
maps onto data.nix.path in the union.
Michal