Re-label shared and readonly images

This patch was posted ages ago here:

  https://bugzilla.redhat.com/493692

But was never posted upstream AFAICT.

Patch from Dan Berrange

Signed-off-by: Mark McLoughlin <markmc@redhat.com>
This commit is contained in:
Mark McLoughlin 2009-07-03 10:26:37 +00:00
parent 1e4434d652
commit 547147084d
2 changed files with 23 additions and 10 deletions

View File

@ -1,3 +1,9 @@
Thu Jul 3 11:24:44 GMT 2009 Mark McLoughlin <markmc@redhat.com>
Patch from Dan Berrange in https://bugzilla.redhat.com/493692
* src/security_selinux.c: Re-label shared and readonly images
Thu Jul 2 15:58:09 CEST 2009 Daniel Veillard <veillard@redhat.com> Thu Jul 2 15:58:09 CEST 2009 Daniel Veillard <veillard@redhat.com>
* docs/schemas/network.rng: fix the network schemas to match * docs/schemas/network.rng: fix the network schemas to match

View File

@ -24,11 +24,12 @@
#include "virterror_internal.h" #include "virterror_internal.h"
#include "util.h" #include "util.h"
#include "memory.h" #include "memory.h"
#include "logging.h"
#define VIR_FROM_THIS VIR_FROM_SECURITY #define VIR_FROM_THIS VIR_FROM_SECURITY
static char default_domain_context[1024]; static char default_domain_context[1024];
static char default_content_context[1024];
static char default_image_context[1024]; static char default_image_context[1024];
#define SECURITY_SELINUX_VOID_DOI "0" #define SECURITY_SELINUX_VOID_DOI "0"
#define SECURITY_SELINUX_NAME "selinux" #define SECURITY_SELINUX_NAME "selinux"
@ -148,8 +149,13 @@ SELinuxInitialize(virConnectPtr conn)
close(fd); close(fd);
ptr = strchrnul(default_image_context, '\n'); ptr = strchrnul(default_image_context, '\n');
*ptr = '\0'; if (*ptr == '\n') {
*ptr = '\0';
strcpy(default_content_context, ptr+1);
ptr = strchrnul(default_content_context, '\n');
if (*ptr == '\n')
*ptr = '\0';
}
return 0; return 0;
} }
@ -313,6 +319,8 @@ SELinuxSetFilecon(virConnectPtr conn, const char *path, char *tcon)
{ {
char ebuf[1024]; char ebuf[1024];
VIR_INFO("Setting SELinux context on '%s' to '%s'", path, tcon);
if(setfilecon(path, tcon) < 0) { if(setfilecon(path, tcon) < 0) {
virSecurityReportError(conn, VIR_ERR_ERROR, virSecurityReportError(conn, VIR_ERR_ERROR,
_("%s: unable to set security context " _("%s: unable to set security context "
@ -337,9 +345,6 @@ SELinuxRestoreSecurityImageLabel(virConnectPtr conn,
char *newpath = NULL; char *newpath = NULL;
const char *path = disk->src; const char *path = disk->src;
if (disk->readonly || disk->shared)
return 0;
if ((err = virFileResolveLink(path, &newpath)) < 0) { if ((err = virFileResolveLink(path, &newpath)) < 0) {
virReportSystemError(conn, err, virReportSystemError(conn, err,
_("cannot resolve symlink %s"), path); _("cannot resolve symlink %s"), path);
@ -366,8 +371,13 @@ SELinuxSetSecurityImageLabel(virConnectPtr conn,
{ {
const virSecurityLabelDefPtr secdef = &vm->def->seclabel; const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
if (secdef->imagelabel) if (disk->shared) {
return SELinuxSetFilecon(conn, disk->src, default_image_context);
} else if (disk->readonly) {
return SELinuxSetFilecon(conn, disk->src, default_content_context);
} else if (secdef->imagelabel) {
return SELinuxSetFilecon(conn, disk->src, secdef->imagelabel); return SELinuxSetFilecon(conn, disk->src, secdef->imagelabel);
}
return 0; return 0;
} }
@ -441,9 +451,6 @@ SELinuxSetSecurityLabel(virConnectPtr conn,
if (secdef->imagelabel) { if (secdef->imagelabel) {
for (i = 0 ; i < vm->def->ndisks ; i++) { for (i = 0 ; i < vm->def->ndisks ; i++) {
if (vm->def->disks[i]->readonly ||
vm->def->disks[i]->shared) continue;
if (SELinuxSetSecurityImageLabel(conn, vm, vm->def->disks[i]) < 0) if (SELinuxSetSecurityImageLabel(conn, vm, vm->def->disks[i]) < 0)
return -1; return -1;
} }