selinux: Drop needless getfilecon()-s

When SELinux support was first introduced the libselinux library wasn't that advanced and setfilecon_raw() or fsetfilecon_raw() could fail even when the target context was set. Looking at the current code [1][2] this is no longer the case. We can drop our workarounds. 1: https://github.com/SELinuxProject/selinux/blob/master/libselinux/src/setfilecon.c#L10 2: https://github.com/SELinuxProject/selinux/blob/master/libselinux/src/fsetfilecon.c#L10 Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2024-07-06 09:55:46 +00:00 · 2019-11-28 09:37:22 +01:00 · 2019-11-28 09:37:22 +01:00 · 087fac8fa7
commit 087fac8fa7
parent e8a8ee92bd
1 changed files with 0 additions and 22 deletions
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@ -1249,8 +1249,6 @@ virSecuritySELinuxSetFileconImpl(const char *path,
                                 const char *tcon,
                                 bool privileged)
 {
-    security_context_t econ;
-
    /* Be aware that this function might run in a separate process.
     * Therefore, any driver state changes would be thrown away. */

@ -1259,15 +1257,6 @@ virSecuritySELinuxSetFileconImpl(const char *path,
    if (setfilecon_raw(path, (const char *)tcon) < 0) {
        int setfilecon_errno = errno;

-        if (getfilecon_raw(path, &econ) >= 0) {
-            if (STREQ(tcon, econ)) {
-                freecon(econ);
-                /* It's alright, there's nothing to change anyway. */
-                return 1;
-            }
-            freecon(econ);
-        }
-
        /* If the error complaint is related to an image hosted on a (possibly
         * read-only) NFS mount, or a usbfs/sysfs filesystem not supporting
         * labelling, then just ignore it & hope for the best.  The user
@ -1401,22 +1390,11 @@ virSecuritySELinuxSetFilecon(virSecurityManagerPtr mgr,
 static int
 virSecuritySELinuxFSetFilecon(int fd, char *tcon)
 {
-    security_context_t econ;
-
    VIR_INFO("Setting SELinux context on fd %d to '%s'", fd, tcon);

    if (fsetfilecon_raw(fd, tcon) < 0) {
        int fsetfilecon_errno = errno;

-        if (fgetfilecon_raw(fd, &econ) >= 0) {
-            if (STREQ(tcon, econ)) {
-                freecon(econ);
-                /* It's alright, there's nothing to change anyway. */
-                return 0;
-            }
-            freecon(econ);
-        }
-
        /* if the error complaint is related to an image hosted on
         * an nfs mount, or a usbfs/sysfs filesystem not supporting
         * labelling, then just ignore it & hope for the best.