security_selinux.c: Relabel existing mode="bind" UNIX sockets

This supports sockets created by libvirt and passed by FD using the
same method as in security_dac.c.

Signed-off-by: David Michael <david@bigbadwolfsecurity.com>
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
This commit is contained in:
David Michael 2022-06-28 08:33:41 -04:00 committed by Michal Privoznik
parent 09010f7e76
commit 9f13f54a63
2 changed files with 8 additions and 3 deletions


@ -2541,7 +2541,12 @@ virSecuritySELinuxSetChardevLabel(virSecurityManager *mgr,
break;
case VIR_DOMAIN_CHR_TYPE_UNIX:
if (!dev_source->data.nix.listen) {
if (!dev_source->data.nix.listen ||
(dev_source->data.nix.path &&
virFileExists(dev_source->data.nix.path))) {
/* Also label mode='bind' sockets if they exist,
* e.g. because they were created by libvirt
* and passed via FD */
if (virSecuritySELinuxSetFilecon(mgr,
dev_source->data.nix.path,
imagelabel,
@ -2618,7 +2623,7 @@ virSecuritySELinuxRestoreChardevLabel(virSecurityManager *mgr,
case VIR_DOMAIN_CHR_TYPE_UNIX:
if (!dev_source->data.nix.listen) {
if (virSecuritySELinuxRestoreFileLabel(mgr,
dev_source->data.file.path,
dev_source->data.nix.path,
true) < 0)
goto done;
}
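Review bot: virSecuritySELinuxRestoreChardevLabel is still gated on `if (!dev_source->data.nix.listen)` in the second hunk, while virSecuritySELinuxSetChardevLabel now also labels an existing mode='bind' socket, so a bind socket that outlives the domain would keep imagelabel after the restore pass. If skipping it is deliberate, a comment at that branch would make the asymmetry explicit, e.g. `/* mode='bind' sockets are intentionally not restored here */`; otherwise the restore condition should mirror the new set condition. In the set branch, `virFileExists(dev_source->data.nix.path)` only shows that some object is present at the path and does not confirm it is a socket, so a stat()-based S_ISSOCK check before virSecuritySELinuxSetFilecon would avoid applying imagelabel to an unrelated file left at that path. Both enclosing functions start before and continue after their hunks.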


@ -2,6 +2,6 @@
/plain.dev;system_u:object_r:svirt_image_t:s0:c41,c264
/plain.fifo;system_u:object_r:svirt_image_t:s0:c41,c264
/nolabel.sock;
/plain.sock;
/plain.sock;system_u:object_r:svirt_image_t:s0:c41,c264
/yeslabel.sock;system_u:object_r:svirt_image_t:s0:c41,c264
/altlabel.sock;system_u:object_r:svirt_image_custom_t:s0:c41,c264