selinux: Fix incorrect object label generation.
This is a fix for the object label generation. It uses a new flag for virSecuritySELinuxGenNewContext that specifies whether the context is for an object. If so the context role remains unchanged. Without this fix it is not possible to start domains with image file or block device backed storage when selinux is enabled. Signed-off-by: Viktor Mihajlovski <mihajlov@linux.vnet.ibm.com>
parent
521b7ab7eb
commit
b6ad2c2334
@ -141,7 +141,9 @@ cleanup:
|
|||||||
|
|
||||||
|
|
||||||
static char *
|
static char *
|
||||||
virSecuritySELinuxGenNewContext(const char *basecontext, const char *mcs)
|
virSecuritySELinuxGenNewContext(const char *basecontext,
|
||||||
|
const char *mcs,
|
||||||
|
bool isObjectContext)
|
||||||
{
|
{
|
||||||
context_t context = NULL;
|
context_t context = NULL;
|
||||||
char *ret = NULL;
|
char *ret = NULL;
|
||||||
@ -176,10 +178,11 @@ virSecuritySELinuxGenNewContext(const char *basecontext, const char *mcs)
|
|||||||
goto cleanup;
|
goto cleanup;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (context_role_set(context,
|
if (!isObjectContext &&
|
||||||
|
context_role_set(context,
|
||||||
context_role_get(ourContext)) != 0) {
|
context_role_get(ourContext)) != 0) {
|
||||||
virReportSystemError(errno,
|
virReportSystemError(errno,
|
||||||
_("Unable to set SELinux context user '%s'"),
|
_("Unable to set SELinux context role '%s'"),
|
||||||
context_role_get(ourContext));
|
context_role_get(ourContext));
|
||||||
goto cleanup;
|
goto cleanup;
|
||||||
}
|
}
|
||||||
@ -421,7 +424,8 @@ virSecuritySELinuxGenSecurityLabel(virSecurityManagerPtr mgr,
|
|||||||
if (!(def->seclabel.label =
|
if (!(def->seclabel.label =
|
||||||
virSecuritySELinuxGenNewContext(def->seclabel.baselabel ?
|
virSecuritySELinuxGenNewContext(def->seclabel.baselabel ?
|
||||||
def->seclabel.baselabel :
|
def->seclabel.baselabel :
|
||||||
data->domain_context, mcs)))
|
data->domain_context,
|
||||||
|
mcs, false)))
|
||||||
goto cleanup;
|
goto cleanup;
|
||||||
break;
|
break;
|
||||||
|
|
||||||
@ -438,7 +442,7 @@ virSecuritySELinuxGenSecurityLabel(virSecurityManagerPtr mgr,
|
|||||||
|
|
||||||
if (!def->seclabel.norelabel) {
|
if (!def->seclabel.norelabel) {
|
||||||
if (!(def->seclabel.imagelabel =
|
if (!(def->seclabel.imagelabel =
|
||||||
virSecuritySELinuxGenNewContext(data->file_context, mcs)))
|
virSecuritySELinuxGenNewContext(data->file_context, mcs, true)))
|
||||||
goto cleanup;
|
goto cleanup;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1639,7 +1643,8 @@ virSecuritySELinuxGenImageLabel(virSecurityManagerPtr mgr,
|
|||||||
virReportOOMError();
|
virReportOOMError();
|
||||||
goto cleanup;
|
goto cleanup;
|
||||||
}
|
}
|
||||||
if (!(label = virSecuritySELinuxGenNewContext(data->file_context, mcs)))
|
if (!(label = virSecuritySELinuxGenNewContext(data->file_context,
|
||||||
|
mcs, true)))
|
||||||
goto cleanup;
|
goto cleanup;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
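Review bot: The new `isObjectContext` parameter of virSecuritySELinuxGenNewContext has no comment saying what it changes, and the three call sites pass a bare `false` or `true` after `mcs`, so a wrong value at a future call site is easy to miss in review. Per the commit description, getting the role wrong on an object label stops domains with image file or block device storage from starting, so the contract is worth spelling out. A comment above the function would cover it, for example `/* isObjectContext: the label is for a file or device object, so the role from basecontext is kept instead of being replaced with the role of ourContext. */`. Annotating the argument at each call, e.g. `mcs, true /* isObjectContext */`, would make the intent visible where it is used. The function body between the hunks is not shown, so whether the generated context string is validated before it is returned cannot be judged from here.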