selinux: Drop needless getfilecon()-s

When SELinux support was first introduced the libselinux library
wasn't that advanced and setfilecon_raw() or fsetfilecon_raw()
could fail even when the target context was set. Looking at the
current code [1][2] this is no longer the case. We can drop our
workarounds.

1: https://github.com/SELinuxProject/selinux/blob/master/libselinux/src/setfilecon.c#L10
2: https://github.com/SELinuxProject/selinux/blob/master/libselinux/src/fsetfilecon.c#L10

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
This commit is contained in:
Michal Privoznik 2019-11-28 09:37:22 +01:00
parent e8a8ee92bd
commit 087fac8fa7

View File

@ -1249,8 +1249,6 @@ virSecuritySELinuxSetFileconImpl(const char *path,
const char *tcon,
bool privileged)
{
security_context_t econ;
/* Be aware that this function might run in a separate process.
* Therefore, any driver state changes would be thrown away. */
@ -1259,15 +1257,6 @@ virSecuritySELinuxSetFileconImpl(const char *path,
if (setfilecon_raw(path, (const char *)tcon) < 0) {
int setfilecon_errno = errno;
if (getfilecon_raw(path, &econ) >= 0) {
if (STREQ(tcon, econ)) {
freecon(econ);
/* It's alright, there's nothing to change anyway. */
return 1;
}
freecon(econ);
}
/* If the error complaint is related to an image hosted on a (possibly
* read-only) NFS mount, or a usbfs/sysfs filesystem not supporting
* labelling, then just ignore it & hope for the best. The user
@ -1401,22 +1390,11 @@ virSecuritySELinuxSetFilecon(virSecurityManagerPtr mgr,
static int
virSecuritySELinuxFSetFilecon(int fd, char *tcon)
{
security_context_t econ;
VIR_INFO("Setting SELinux context on fd %d to '%s'", fd, tcon);
if (fsetfilecon_raw(fd, tcon) < 0) {
int fsetfilecon_errno = errno;
if (fgetfilecon_raw(fd, &econ) >= 0) {
if (STREQ(tcon, econ)) {
freecon(econ);
/* It's alright, there's nothing to change anyway. */
return 0;
}
freecon(econ);
}
/* if the error complaint is related to an image hosted on
* an nfs mount, or a usbfs/sysfs filesystem not supporting
* labelling, then just ignore it & hope for the best.