On 6/28/22 14:33, David Michael wrote:
This supports sockets created by libvirt and passed by FD using the same method as in security_dac.c.
Signed-off-by: David Michael <david@bigbadwolfsecurity.com> ---
Hi,
Custom SELinux labels are not applied to sockets when they have mode="bind", but other security models (DAC) allow changing these sockets. Can the same method be used to support SELinux?
Thanks.
David
src/security/security_selinux.c | 6 ++++-- tests/securityselinuxlabeldata/chardev.txt | 2 +- 2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c index e2f34a27dc..8b258c9e36 100644 --- a/src/security/security_selinux.c +++ b/src/security/security_selinux.c
@@ -2618,7 +2620,7 @@ virSecuritySELinuxRestoreChardevLabel(virSecurityManager *mgr, case VIR_DOMAIN_CHR_TYPE_UNIX: if (!dev_source->data.nix.listen) { if (virSecuritySELinuxRestoreFileLabel(mgr, - dev_source->data.file.path, + dev_source->data.nix.path, true) < 0) goto done; }
Regardless of the fate of the rest of the patch, this hunk is a bug fix and thus should be merged. It's just a coincidence that data.file.path maps onto data.nix.path in the union. Michal