Add support for LXC specific SELinux configuration

The SELinux policy for LXC uses a different configuration file than the traditional svirt one. Thus we need to load /etc/selinux/targeted/contexts/lxc_contexts which contains something like this: process = "system_u:system_r:svirt_lxc_net_t:s0" file = "system_u:object_r:svirt_lxc_file_t:s0" content = "system_u:object_r:virt_var_lib_t:s0" cleverly designed to be parsable by virConfPtr Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2025-02-22 03:12:22 +00:00 · 2012-05-11 10:54:31 +01:00 · 2012-05-11 10:54:31 +01:00 · 6844ceadb4
commit 6844ceadb4
parent fa5e68ffbf
1 changed files with 79 additions and 1 deletions
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@ -126,8 +126,73 @@ err:
    return newcontext;
 }

+
 static int
-SELinuxInitialize(virSecurityManagerPtr mgr)
+SELinuxLXCInitialize(virSecurityManagerPtr mgr)
+{
+    virConfValuePtr scon = NULL;
+    virConfValuePtr tcon = NULL;
+    virConfValuePtr dcon = NULL;
+    virConfPtr selinux_conf;
+    virSecuritySELinuxDataPtr data = virSecurityManagerGetPrivateData(mgr);
+
+    selinux_conf = virConfReadFile(selinux_lxc_contexts_path(), 0);
+    if (!selinux_conf) {
+        virReportSystemError(errno,
+                             _("cannot open SELinux lxc contexts file '%s'"),
+                             selinux_lxc_contexts_path());
+        return -1;
+    }
+
+    scon = virConfGetValue(selinux_conf, "process");
+    if (! scon || scon->type != VIR_CONF_STRING || (! scon->str)) {
+        virReportSystemError(errno,
+                             _("cannot read 'process' value from selinux lxc contexts file '%s'"),
+                             selinux_lxc_contexts_path());
+        goto error;
+    }
+
+    tcon = virConfGetValue(selinux_conf, "file");
+    if (! tcon || tcon->type != VIR_CONF_STRING || (! tcon->str)) {
+        virReportSystemError(errno,
+                             _("cannot read 'file' value from selinux lxc contexts file '%s'"),
+                             selinux_lxc_contexts_path());
+        goto error;
+    }
+
+    dcon = virConfGetValue(selinux_conf, "content");
+    if (! dcon || dcon->type != VIR_CONF_STRING || (! dcon->str)) {
+        virReportSystemError(errno,
+                             _("cannot read 'file' value from selinux lxc contexts file '%s'"),
+                             selinux_lxc_contexts_path());
+        goto error;
+    }
+
+    data->domain_context = strdup(scon->str);
+    data->file_context = strdup(tcon->str);
+    data->content_context = strdup(dcon->str);
+    if (!data->domain_context ||
+        !data->file_context ||
+        !data->content_context) {
+        virReportSystemError(errno,
+                             _("cannot allocate memory for LXC SELinux contexts '%s'"),
+                             selinux_lxc_contexts_path());
+        goto error;
+    }
+    virConfFree(selinux_conf);
+    return 0;
+
+error:
+    virConfFree(selinux_conf);
+    VIR_FREE(data->domain_context);
+    VIR_FREE(data->file_context);
+    VIR_FREE(data->content_context);
+    return -1;
+}
+
+
+static int
+SELinuxQEMUInitialize(virSecurityManagerPtr mgr)
 {
    char *ptr;
    virSecuritySELinuxDataPtr data = virSecurityManagerGetPrivateData(mgr);
@ -172,6 +237,19 @@ error:
    return -1;
 }

+
+static int
+SELinuxInitialize(virSecurityManagerPtr mgr)
+{
+    VIR_DEBUG("SELinuxInitialize %s", virSecurityManagerGetDriver(mgr));
+    if (STREQ(virSecurityManagerGetDriver(mgr),  "LXC")) {
+        return SELinuxLXCInitialize(mgr);
+    } else {
+        return SELinuxQEMUInitialize(mgr);
+    }
+}
+
+
 static int
 SELinuxGenSecurityLabel(virSecurityManagerPtr mgr,
                        virDomainDefPtr def)