This fixes a crash:
https://bugzilla.redhat.com/show_bug.cgi?id=969878
---
v3:
rewrote the patch to assume 's0' if the range is empty, instead
of reporting an error
v2:
https://www.redhat.com/archives/libvir-list/2013-June/msg00082.html
src/security/security_selinux.c | 9 +++++++--
tests/securityselinuxtest.c | 6 ++++++
2 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index b862fbf..6fe063e 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -170,11 +170,13 @@ virSecuritySELinuxMCSFind(virSecurityManagerPtr mgr,
/*
* This needs to cope with several styles of range
*
+ * system_u:system_r:virtd_t
* system_u:system_r:virtd_t:s0
* system_u:system_r:virtd_t:s0-s0
* system_u:system_r:virtd_t:s0-s0:c0.c1023
*
- * In the first two cases, we'll assume c0.c1023 for
+ * In the first case we'll assume s0:c0.c1023 and
+ * in the next two cases, we'll assume c0.c1023 for
* the category part, since that's what we're really
* interested in. This won't work in Enforcing mode,
* but will prevent libvirtd breaking in Permissive
@@ -189,6 +191,7 @@ virSecuritySELinuxMCSGetProcessRange(char **sens,
context_t ourContext = NULL;
char *cat = NULL;
char *tmp;
+ const char *contextRange;
int ret = -1;
if (getcon_raw(&ourSecContext) < 0) {
@@ -202,8 +205,10 @@ virSecuritySELinuxMCSGetProcessRange(char **sens,
ourSecContext);
goto cleanup;
}
+ if (!(contextRange = context_range_get(ourContext)))
+ contextRange = "s0";
- if (VIR_STRDUP(*sens, context_range_get(ourContext)) < 0)
+ if (VIR_STRDUP(*sens, contextRange) < 0)
goto cleanup;
/* Find and blank out the category part (if any) */
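Review bot: The fallback `contextRange = "s0";` is silent, so nothing records that the sensitivity used for guest MCS labels was assumed rather than read from libvirtd's own context. The header comment in this patch says the assumed range "won't work in Enforcing mode", so an operator would want this to be visible in the logs. I would brace the `if` and add a log line before the assignment, for example `VIR_WARN("SELinux context '%s' has no range, assuming 's0'", ourSecContext);`, provided the file already has logging set up. A short comment at the same spot, such as `/* context has no MLS/MCS range component; see the comment above this function */`, would also tie the default to the case it covers. The body of virSecuritySELinuxMCSGetProcessRange starts and ends outside this hunk, so I cannot tell whether later code separates an assumed range from a real one.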
diff --git a/tests/securityselinuxtest.c b/tests/securityselinuxtest.c
index bdf248b..8d85c68 100644
--- a/tests/securityselinuxtest.c
+++ b/tests/securityselinuxtest.c
@@ -333,6 +333,12 @@ mymain(void)
"system_u", "system_r", "object_r",
"svirt_t", "svirt_image_t",
2, 3, 0, 1023);
+ DO_TEST_GEN_LABEL("dynamic virtd, missing range",
+ "system_u:system_r:virtd_t",
+ true, NULL, NULL,
+ "system_u", "system_r", "object_r",
+ "svirt_t", "svirt_image_t",
+ 0, 0, 0, 1023);
return (ret == 0) ? EXIT_SUCCESS : EXIT_FAILURE;
}
--
1.8.1.5