selinux: Use fd_path instead of /dev/tap* to get context
/dev/tap* is an invalid path but it works with lax policy. Make it work with more accurate policy as well.

Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Dominick Grift <dac.override@gmail.com>
parent
a4877192a1
commit
c0236d1c84
@ -3251,7 +3251,7 @@ virSecuritySELinuxSetTapFDLabel(virSecurityManagerPtr mgr,
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
/* Label /dev/tap.* devices only. Leave /dev/net/tun alone! */
|
||||
/* Label /dev/tap([0-9]+)? devices only. Leave /dev/net/tun alone! */
|
||||
proc = g_strdup_printf("/proc/self/fd/%d", fd);
|
||||
|
||||
if (virFileResolveLink(proc, &fd_path) < 0) {
|
||||
@ -3267,7 +3267,7 @@ virSecuritySELinuxSetTapFDLabel(virSecurityManagerPtr mgr,
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
if (getContext(mgr, "/dev/tap*", buf.st_mode, &fcon) < 0) {
|
||||
if (getContext(mgr, fd_path, buf.st_mode, &fcon) < 0) {
|
||||
virReportError(VIR_ERR_INTERNAL_ERROR,
|
||||
_("cannot lookup default selinux label for tap fd %d"), fd);
|
||||
goto cleanup;
|
||||
|
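Review bot: The lookup in the second hunk, `getContext(mgr, fd_path, buf.st_mode, &fcon)`, is now keyed on a path resolved at run time from `/proc/self/fd/%d`, but the error string below it still reports only the fd, so a policy with no file-context entry for that path fails without naming the path; consider `_("cannot lookup default selinux label for tap fd %d (%s)"), fd, fd_path);`. The updated comment promises `/dev/tap([0-9]+)?` only, while the check that filters `fd_path` sits between the two hunks and is not visible here; if it is a plain prefix test it is looser than the comment, and any path that passes it now receives whatever context the policy assigns to that path, so it is worth confirming the two agree. The body of virSecuritySELinuxSetTapFDLabel starts and ends outside these hunks.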