From 547147084d03ebf30d09d242a5a721a4df664ffe Mon Sep 17 00:00:00 2001
From: Mark McLoughlin
Date: Fri, 3 Jul 2009 10:26:37 +0000
Subject: [PATCH] Re-label shared and readonly images
This patch was posted ages ago here: https://bugzilla.redhat.com/493692 But was never posted upstream AFAICT. Patch from Dan Berrange
Signed-off-by: Mark McLoughlin
---
 ChangeLog | 6 ++++++
 src/security_selinux.c | 27 +++++++++++++++++----------
 2 files changed, 23 insertions(+), 10 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 3f89a74357..ec228e451e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+Thu Jul 3 11:24:44 GMT 2009 Mark McLoughlin
+
+ Patch from Dan Berrange in https://bugzilla.redhat.com/493692
+
+ * src/security_selinux.c: Re-label shared and readonly images
+
 Thu Jul 2 15:58:09 CEST 2009 Daniel Veillard
 * docs/schemas/network.rng: fix the network schemas to match
diff --git a/src/security_selinux.c b/src/security_selinux.c
index 4fb7c867f6..87073d2ecd 100644
--- a/src/security_selinux.c
+++ b/src/security_selinux.c
@@ -24,11 +24,12 @@
 #include "virterror_internal.h"
 #include "util.h"
 #include "memory.h"
-
+#include "logging.h"
 #define VIR_FROM_THIS VIR_FROM_SECURITY
 static char default_domain_context[1024];
+static char default_content_context[1024];
 static char default_image_context[1024];
 #define SECURITY_SELINUX_VOID_DOI "0"
 #define SECURITY_SELINUX_NAME "selinux"
@@ -148,8 +149,13 @@ SELinuxInitialize(virConnectPtr conn)
 close(fd);
 ptr = strchrnul(default_image_context, '\n');
- *ptr = '\0';
-
+ if (*ptr == '\n') {
+ *ptr = '\0';
+ strcpy(default_content_context, ptr+1);
+ ptr = strchrnul(default_content_context, '\n');
+ if (*ptr == '\n')
+ *ptr = '\0';
+ }
 return 0;
 }
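Review bot: When the context file holds only one line, the new `if (*ptr == '\n')` block in SELinuxInitialize leaves default_content_context as the empty string and nothing reports it; the readonly branch added to SELinuxSetSecurityImageLabel (the `@@ -366` hunk) then hands "" to setfilecon for every read-only disk, so the failure surfaces far from its cause. Failing initialization instead, right after the block, keeps the error next to the misconfiguration: `if (!default_content_context[0]) { virSecurityReportError(conn, VIR_ERR_ERROR, _("missing content context")); return -1; }`. The `strcpy(default_content_context, ptr+1)` is bounded only by the NUL terminator of default_image_context, which the read into that buffer earlier in the function presumably guarantees — worth confirming, since both arrays are the same size. SELinuxInitialize's body begins outside the hunk.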
@@ -313,6 +319,8 @@ SELinuxSetFilecon(virConnectPtr conn,
 const char *path, char *tcon)
 {
 char ebuf[1024];
+ VIR_INFO("Setting SELinux context on '%s' to '%s'", path, tcon);
+
 if(setfilecon(path, tcon) < 0) {
 virSecurityReportError(conn, VIR_ERR_ERROR,
 _("%s: unable to set security context "
@@ -337,9 +345,6 @@ SELinuxRestoreSecurityImageLabel(virConnectPtr conn,
 char *newpath = NULL;
 const char *path = disk->src;
- if (disk->readonly || disk->shared)
- return 0;
-
 if ((err = virFileResolveLink(path, &newpath)) < 0) {
 virReportSystemError(conn, err,
 _("cannot resolve symlink %s"), path);
@@ -366,8 +371,13 @@ SELinuxSetSecurityImageLabel(virConnectPtr conn,
 {
 const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
- if (secdef->imagelabel)
+ if (disk->shared) {
+ return SELinuxSetFilecon(conn, disk->src, default_image_context);
+ } else if (disk->readonly) {
+ return SELinuxSetFilecon(conn, disk->src, default_content_context);
+ } else if (secdef->imagelabel) {
 return SELinuxSetFilecon(conn, disk->src, secdef->imagelabel);
+ }
 return 0;
 }
@@ -441,9 +451,6 @@ SELinuxSetSecurityLabel(virConnectPtr conn,
 if (secdef->imagelabel) {
 for (i = 0 ; i < vm->def->ndisks ; i++) {
- if (vm->def->disks[i]->readonly ||
- vm->def->disks[i]->shared) continue;
-
 if (SELinuxSetSecurityImageLabel(conn, vm, vm->def->disks[i]) < 0)
 return -1;
 }
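Review bot: With the early return dropped from SELinuxRestoreSecurityImageLabel, a guest that shuts down now restores the label of a shared or read-only image that other running guests may still have open, which can take their access away mid-run; the matching removal in SELinuxSetSecurityLabel (the `@@ -441` hunk) is the benign side of the same asymmetry, since setting only re-applies the defaults. Keeping `if (disk->shared) return 0; /* other domains may still be using it */` at the top of this function avoids clobbering a label that is still in use, and the same argument plausibly extends to read-only disks attached to several guests. The part of the function that actually restores the label is outside the hunk, so what it resets the file to is not visible here.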
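Review bot: The branch order added to SELinuxSetSecurityImageLabel means a disk that is both shared and readonly gets default_image_context rather than default_content_context, and nothing records that this is deliberate. A comment above `if (disk->shared) {` such as `/* shared is checked first: a shared read-only disk gets default_image_context */` would keep the next editor from reordering the tests. The two new branches also fire whether or not secdef->imagelabel is set; the only visible caller (the `@@ -441` hunk) guards on it, so a one-line comment stating that dependency would help too.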