[libvirt] [PATCH] selinux: Fix incorrect object label generation.

This is a fix for the object label generation. It uses a new flag for virSecuritySELinuxGenNewContext that specifies whether the context is for an object. If so the context role remains unchanged. Without this fix it is not possible to start domains with image file or block device backed storage when selinux is enabled.

Signed-off-by: Viktor Mihajlovski <mihajlov@linux.vnet.ibm.com>
---
src/security/security_selinux.c | 17 +++++++++++------
1 files changed, 11 insertions(+), 6 deletions(-)

diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index 48fd78b..8cf23b7 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -141,7 +141,9 @@ cleanup:
 static char *
-virSecuritySELinuxGenNewContext(const char *basecontext, const char *mcs)
+virSecuritySELinuxGenNewContext(const char *basecontext,
+ const char *mcs,
+ bool isObjectContext)
 {
 context_t context = NULL;
 char *ret = NULL;
@@ -176,10 +178,11 @@ virSecuritySELinuxGenNewContext(const char *basecontext, const char *mcs)
 goto cleanup;
 }
- if (context_role_set(context,
+ if (!isObjectContext &&
+ context_role_set(context,
 context_role_get(ourContext)) != 0) {
 virReportSystemError(errno,
- _("Unable to set SELinux context user '%s'"),
+ _("Unable to set SELinux context role '%s'"),
 context_role_get(ourContext));
 goto cleanup;
 }
@@ -421,7 +424,8 @@ virSecuritySELinuxGenSecurityLabel(virSecurityManagerPtr mgr,
 if (!(def->seclabel.label =
 virSecuritySELinuxGenNewContext(def->seclabel.baselabel ?
 def->seclabel.baselabel :
- data->domain_context, mcs)))
+ data->domain_context,
+ mcs, false)))
 goto cleanup;
 break;
@@ -438,7 +442,7 @@ virSecuritySELinuxGenSecurityLabel(virSecurityManagerPtr mgr,
 if (!def->seclabel.norelabel) {
 if (!(def->seclabel.imagelabel =
- virSecuritySELinuxGenNewContext(data->file_context, mcs)))
+ virSecuritySELinuxGenNewContext(data->file_context, mcs, true)))
 goto cleanup;
 }
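Review bot: The new isObjectContext parameter of virSecuritySELinuxGenNewContext is undocumented, and the hunk at -176 is the only place its meaning can be read off: when it is true the role carried by basecontext is kept instead of being overwritten with the role of the calling process, which is what makes the generated file/device label a valid object context. A comment on the definition in the hunk at -141 would keep future callers from passing the wrong value, e.g. `/* isObjectContext: true when labelling a file or block device; the role from basecontext is then kept, since only process labels take the role of the running daemon. */`. The bare `true`/`false` literals at the three call sites (-421, -438 and -1639 in the second hunk line) are opaque for the same reason, so a trailing `/* object label */` or `/* process label */` comment at each call, or a pair of named constants, would make the intent visible at a glance. The block immediately above the hunk at -176 is cut off, but the corrected "user"→"role" message suggests it is a matching context_user_set call that stays unconditional for object contexts; if that is intended it is worth stating in the same comment. The body of virSecuritySELinuxGenNewContext continues outside both of its hunks.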
@@ -1639,7 +1643,8 @@ virSecuritySELinuxGenImageLabel(virSecurityManagerPtr mgr,
 virReportOOMError();
 goto cleanup;
 }
- if (!(label = virSecuritySELinuxGenNewContext(data->file_context, mcs)))
+ if (!(label = virSecuritySELinuxGenNewContext(data->file_context,
+ mcs, true)))
 goto cleanup;
 }
 }
-- 
1.7.0.4

On Mon, Aug 20, 2012 at 01:52:16PM +0200, Viktor Mihajlovski wrote:
This is a fix for the object label generation. It uses a new flag for virSecuritySELinuxGenNewContext that specifies whether the context is for an object. If so the context role remains unchanged. Without this fix it is not possible to start domains with image file or block device backed storage when selinux is enabled.
Signed-off-by: Viktor Mihajlovski <mihajlov@linux.vnet.ibm.com>
---
src/security/security_selinux.c | 17 +++++++++++------
1 files changed, 11 insertions(+), 6 deletions(-)
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index 48fd78b..8cf23b7 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -141,7 +141,9 @@ cleanup:
 static char *
-virSecuritySELinuxGenNewContext(const char *basecontext, const char *mcs)
+virSecuritySELinuxGenNewContext(const char *basecontext,
+ const char *mcs,
+ bool isObjectContext)
 {
 context_t context = NULL;
 char *ret = NULL;
@@ -176,10 +178,11 @@ virSecuritySELinuxGenNewContext(const char *basecontext, const char *mcs)
 goto cleanup;
 }
- if (context_role_set(context,
+ if (!isObjectContext &&
+ context_role_set(context,
 context_role_get(ourContext)) != 0) {
 virReportSystemError(errno,
- _("Unable to set SELinux context user '%s'"),
+ _("Unable to set SELinux context role '%s'"),
 context_role_get(ourContext));
 goto cleanup;
 }
@@ -421,7 +424,8 @@ virSecuritySELinuxGenSecurityLabel(virSecurityManagerPtr mgr,
 if (!(def->seclabel.label =
 virSecuritySELinuxGenNewContext(def->seclabel.baselabel ?
 def->seclabel.baselabel :
- data->domain_context, mcs)))
+ data->domain_context,
+ mcs, false)))
 goto cleanup;
 break;
@@ -438,7 +442,7 @@ virSecuritySELinuxGenSecurityLabel(virSecurityManagerPtr mgr,
 if (!def->seclabel.norelabel) {
 if (!(def->seclabel.imagelabel =
- virSecuritySELinuxGenNewContext(data->file_context, mcs)))
+ virSecuritySELinuxGenNewContext(data->file_context, mcs, true)))
 goto cleanup;
 }
@@ -1639,7 +1643,8 @@ virSecuritySELinuxGenImageLabel(virSecurityManagerPtr mgr,
 virReportOOMError();
 goto cleanup;
 }
- if (!(label = virSecuritySELinuxGenNewContext(data->file_context, mcs)))
+ if (!(label = virSecuritySELinuxGenNewContext(data->file_context,
+ mcs, true)))
 goto cleanup;
 }
 }
ACK Daniel -- |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|

On 08/20/2012 02:01 PM, Daniel P. Berrange wrote:
On Mon, Aug 20, 2012 at 01:52:16PM +0200, Viktor Mihajlovski wrote:
ACK
Daniel
there was a make syntax-check error (trailing blank) which I missed :-(. Resending the patch. -- Mit freundlichen Grüßen/Kind Regards Viktor Mihajlovski IBM Deutschland Research & Development GmbH Vorsitzender des Aufsichtsrats: Martin Jetter Geschäftsführung: Dirk Wittkopp Sitz der Gesellschaft: Böblingen Registergericht: Amtsgericht Stuttgart, HRB 243294