7:42 a.m.
This second version just always creates the imagelabel field that
will be used to label the passed FDs appropriately and always even
if relabeling is not requested. The rest of the code paths
are still relabeled only if relabeling is enabled.
Peter Krempa (2):
selinux: Cleanup coding style
selinux: Always generate imagelabel
src/security/security_selinux.c | 27 ++++++++++++---------------
1 file changed, 12 insertions(+), 15 deletions(-)
--
1.8.2.1
7:43 a.m.
New subject: [libvirt] [PATCHv2 1/2] selinux: Cleanup coding style
---
src/security/security_selinux.c | 14 ++++++--------
1 file changed, 6 insertions(+), 8 deletions(-)
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index 7802dda..ec4f764 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -589,23 +589,22 @@ virSecuritySELinuxGenSecurityLabel(virSecurityManagerPtr mgr,
int catMin, catMax;
seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
- if (seclabel == NULL) {
+ if (seclabel == NULL)
return rc;
- }
data = virSecurityManagerGetPrivateData(mgr);
VIR_DEBUG("label=%s", virSecurityManagerGetDriver(mgr));
if (seclabel->type == VIR_DOMAIN_SECLABEL_DYNAMIC &&
seclabel->label) {
- virReportError(VIR_ERR_INTERNAL_ERROR,
- "%s", _("security label already defined for
VM"));
+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
+ _("security label already defined for VM"));
return rc;
}
if (seclabel->imagelabel) {
- virReportError(VIR_ERR_INTERNAL_ERROR,
- "%s", _("security image label already defined for
VM"));
+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
+ _("security image label already defined for VM"));
return rc;
}
@@ -628,8 +627,7 @@ virSecuritySELinuxGenSecurityLabel(virSecurityManagerPtr mgr,
return rc;
}
- range = context_range_get(ctx);
- if (!range) {
+ if (!(range = context_range_get(ctx))) {
virReportOOMError();
goto cleanup;
}
--
1.8.2.1
9:07 a.m.
New subject: [libvirt] [PATCHv2 1/2] selinux: Cleanup coding style
On 07/08/13 14:35, Martin Kletzander wrote:
On 07/03/2013 02:43 PM, Peter Krempa wrote:
> ---
> src/security/security_selinux.c | 14 ++++++--------
> 1 file changed, 6 insertions(+), 8 deletions(-)
>
ACK,
Pushed; Thanks.
Peter
7:43 a.m.
New subject: [libvirt] [PATCHv2 2/2] selinux: Always generate imagelabel
The imagelabel SELinux label was only generated when relabeling was
enabled. This prohibited labeling of files created by libvirt that need
to be labeled even if relabeling is turned off.
The only codepath this change has direct impact on is labeling of FD's
passed to qemu which is allways safe in current state.
---
src/security/security_selinux.c | 13 ++++++-------
1 file changed, 6 insertions(+), 7 deletions(-)
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index ec4f764..d7c978d 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -687,13 +687,12 @@ virSecuritySELinuxGenSecurityLabel(virSecurityManagerPtr mgr,
goto cleanup;
}
- if (!seclabel->norelabel) {
- seclabel->imagelabel = virSecuritySELinuxGenNewContext(data->file_context,
- mcs,
- true);
- if (!seclabel->imagelabel)
- goto cleanup;
- }
+ /* always generate a image label, needed to label new objects */
+ seclabel->imagelabel = virSecuritySELinuxGenNewContext(data->file_context,
+ mcs,
+ true);
+ if (!seclabel->imagelabel)
+ goto cleanup;
if (!seclabel->model &&
VIR_STRDUP(seclabel->model, SECURITY_SELINUX_NAME) < 0)
--
1.8.2.1
8:01 a.m.
New subject: [libvirt] [PATCHv2 2/2] selinux: Always generate imagelabel
On 07/03/2013 02:43 PM, Peter Krempa wrote:
The imagelabel SELinux label was only generated when relabeling was
enabled. This prohibited labeling of files created by libvirt that need
to be labeled even if relabeling is turned off.
The only codepath this change has direct impact on is labeling of FD's
s/FD's/FDs/
passed to qemu which is allways safe in current state.
s/allways/always/
The only affected function is virSecuritySELinuxSetImageFDLabel() and
that's desired, so ACK.
Martin
9:07 a.m.
New subject: [libvirt] [PATCHv2 2/2] selinux: Always generate imagelabel
On 07/08/13 15:01, Martin Kletzander wrote:
On 07/03/2013 02:43 PM, Peter Krempa wrote:
> The imagelabel SELinux label was only generated when relabeling was
> enabled. This prohibited labeling of files created by libvirt that need
> to be labeled even if relabeling is turned off.
>
> The only codepath this change has direct impact on is labeling of FD's
s/FD's/FDs/
> passed to qemu which is allways safe in current state.
s/allways/always/
The only affected function is virSecuritySELinuxSetImageFDLabel() and
that's desired, so ACK.
I've fixed the spelling and pushed the series. Thanks.
Peter
4155
days inactive
4160
days old
6 comments
2 participants
participants (2)
-
Martin Kletzander -
Peter Krempa