[libvirt] [PATCH v1] virSecuritySELinuxSetTapFDLabel: Use fd_path instead of /dev/tap* to get context

/dev/tap* is an invalid path but it works with lax policy. Make it work with more accurate policy as well v1: fix typo in description Signed-off-by: Dominick Grift <dac.override@gmail.com> --- src/security/security_selinux.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c index 32dc78d777..8c698966cb 100644 --- a/src/security/security_selinux.c +++ b/src/security/security_selinux.c @@ -3251,7 +3251,7 @@ virSecuritySELinuxSetTapFDLabel(virSecurityManagerPtr mgr, goto cleanup; } - /* Label /dev/tap.* devices only. Leave /dev/net/tun alone! */ + /* Label /dev/tap([0-9]+)? devices only. Leave /dev/net/tun alone! */ proc = g_strdup_printf("/proc/self/fd/%d", fd); if (virFileResolveLink(proc, &fd_path) < 0) { @@ -3267,7 +3267,7 @@ virSecuritySELinuxSetTapFDLabel(virSecurityManagerPtr mgr, goto cleanup; } - if (getContext(mgr, "/dev/tap*", buf.st_mode, &fcon) < 0) { + if (getContext(mgr, fd_path, buf.st_mode, &fcon) < 0) { virReportError(VIR_ERR_INTERNAL_ERROR, _("cannot lookup default selinux label for tap fd %d"), fd); goto cleanup; -- 2.24.1
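Review bot: In the first hunk (@@ -3251,7 +3251,7 @@), the reworded comment promises that only paths matching /dev/tap([0-9]+)? are labelled, but the lines shown only resolve /proc/self/fd/%d into fd_path. Since the second hunk passes fd_path straight to getContext, please confirm that the check applied to fd_path between the two hunks rejects anything outside that pattern (a plain prefix test would also accept a name such as /dev/tapfoo), or word the comment to match what the code actually tests.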
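Review bot: In the second hunk (@@ -3267,7 +3267,7 @@), the virReportError call after getContext still reports only the fd number, although the lookup is now keyed on the resolved fd_path instead of the fixed "/dev/tap*" string. Consider including the path in the message, for example "cannot lookup default selinux label for tap fd %d (%s)" with fd and fd_path, so a failed lookup shows which path the policy had no file context for.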

On Tue, Jan 07, 2020 at 03:22:30PM +0100, Dominick Grift wrote:
> /dev/tap* is an invalid path but it works with lax policy. Make it work with more accurate policy as well
>
> v1: fix typo in description
>
> Signed-off-by: Dominick Grift <dac.override@gmail.com>
> ---
>  src/security/security_selinux.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)

Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>

I'll push it shortly

Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|

participants (2)
- Daniel P. Berrangé
- Dominick Grift