[libvirt] [PATCHv2 0/2] selinux: Always label FD's passed to qemu

This second version just always creates the imagelabel field that will be used to label the passed FDs appropriately and always even if relabeling is not requested. The rest of the code paths are still relabeled only if relabeling is enabled.

Peter Krempa (2):
  selinux: Cleanup coding style
  selinux: Always generate imagelabel

 src/security/security_selinux.c | 27 ++++++++++++---------------
 1 file changed, 12 insertions(+), 15 deletions(-)

-- 
1.8.2.1

--- src/security/security_selinux.c | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c index 7802dda..ec4f764 100644 --- a/src/security/security_selinux.c +++ b/src/security/security_selinux.c @@ -589,23 +589,22 @@ virSecuritySELinuxGenSecurityLabel(virSecurityManagerPtr mgr, int catMin, catMax; seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME); - if (seclabel == NULL) { + if (seclabel == NULL) return rc; - } data = virSecurityManagerGetPrivateData(mgr); VIR_DEBUG("label=%s", virSecurityManagerGetDriver(mgr)); if (seclabel->type == VIR_DOMAIN_SECLABEL_DYNAMIC && seclabel->label) { - virReportError(VIR_ERR_INTERNAL_ERROR, - "%s", _("security label already defined for VM")); + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", + _("security label already defined for VM")); return rc; } if (seclabel->imagelabel) { - virReportError(VIR_ERR_INTERNAL_ERROR, - "%s", _("security image label already defined for VM")); + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", + _("security image label already defined for VM")); return rc; } @@ -628,8 +627,7 @@ virSecuritySELinuxGenSecurityLabel(virSecurityManagerPtr mgr, return rc; } - range = context_range_get(ctx); - if (!range) { + if (!(range = context_range_get(ctx))) { virReportOOMError(); goto cleanup; } -- 1.8.2.1
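
Review bot: In the first hunk the cleanup leaves the NULL tests in mixed styles: `if (seclabel == NULL)` is kept, while the second hunk of the same patch moves to the `if (!(range = context_range_get(ctx)))` form. Since this commit is purely stylistic, changing the first test to `if (!seclabel)` would make the function consistent. The patch also has no commit message body; one sentence naming the kinds of change (brace removal, virReportError argument wrapping, assignment folded into the condition) would help anyone reading the history later.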
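
Review bot: In the second hunk a NULL result from context_range_get(ctx) is still reported with virReportOOMError(), which is only accurate if allocation failure is the sole reason for a NULL return. If a context without a range component can reach this point, the user gets an out-of-memory error for what is really a label with no MCS range; a virReportError() that names the missing range would be clearer. This predates the patch, but the line is being rewritten anyway, so it is a cheap place to fix it.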

On 07/08/13 14:35, Martin Kletzander wrote:
> On 07/03/2013 02:43 PM, Peter Krempa wrote:
>> ---
>>  src/security/security_selinux.c | 14 ++++++--------
>>  1 file changed, 6 insertions(+), 8 deletions(-)
>
> ACK,

Pushed; Thanks.

Peter

The imagelabel SELinux label was only generated when relabeling was enabled. This prohibited labeling of files created by libvirt that need to be labeled even if relabeling is turned off. The only codepath this change has direct impact on is labeling of FD's passed to qemu which is allways safe in current state. --- src/security/security_selinux.c | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c index ec4f764..d7c978d 100644 --- a/src/security/security_selinux.c +++ b/src/security/security_selinux.c @@ -687,13 +687,12 @@ virSecuritySELinuxGenSecurityLabel(virSecurityManagerPtr mgr, goto cleanup; } - if (!seclabel->norelabel) { - seclabel->imagelabel = virSecuritySELinuxGenNewContext(data->file_context, - mcs, - true); - if (!seclabel->imagelabel) - goto cleanup; - } + /* always generate a image label, needed to label new objects */ + seclabel->imagelabel = virSecuritySELinuxGenNewContext(data->file_context, + mcs, + true); + if (!seclabel->imagelabel) + goto cleanup; if (!seclabel->model && VIR_STRDUP(seclabel->model, SECURITY_SELINUX_NAME) < 0) -- 1.8.2.1
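
Review bot: With the `if (!seclabel->norelabel)` guard removed, seclabel->imagelabel is now set for every domain, so any code that treats a non-NULL imagelabel as meaning "relabeling is enabled" would change behaviour. The commit message says only the FD-labeling path is affected; it would help to state that the remaining users test seclabel->norelabel explicitly rather than the presence of imagelabel. The same function rejects an existing imagelabel earlier with "security image label already defined for VM", so the release path has to free imagelabel for norelabel domains as well. Minor: the new comment should read "an image label".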

On 07/03/2013 02:43 PM, Peter Krempa wrote:
> The imagelabel SELinux label was only generated when relabeling was enabled. This prohibited labeling of files created by libvirt that need to be labeled even if relabeling is turned off.
>
> The only codepath this change has direct impact on is labeling of FD's

s/FD's/FDs/

> passed to qemu which is allways safe in current state.

s/allways/always/

The only affected function is virSecuritySELinuxSetImageFDLabel() and that's desired, so ACK.

Martin

On 07/08/13 15:01, Martin Kletzander wrote:
> On 07/03/2013 02:43 PM, Peter Krempa wrote:
>> The imagelabel SELinux label was only generated when relabeling was enabled. This prohibited labeling of files created by libvirt that need to be labeled even if relabeling is turned off.
>>
>> The only codepath this change has direct impact on is labeling of FD's
>
> s/FD's/FDs/
>
>> passed to qemu which is allways safe in current state.
>
> s/allways/always/
>
> The only affected function is virSecuritySELinuxSetImageFDLabel() and that's desired, so ACK.

I've fixed the spelling and pushed the series. Thanks.

Peter