External/libvirt
1
0
Fork 0
mirror of https://gitlab.com/libvirt/libvirt.git synced 2024-10-05 22:05:47 +00:00
Code Issues Packages Projects Releases Wiki Activity

selinux: Use fd_path instead of /dev/tap* to get context

Browse Source 
/dev/tap* is an invalid path but it works with lax policy.
Make it work with more accurate policy as well

Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Dominick Grift <dac.override@gmail.com>
This commit is contained in:
Dominick Grift 2020-01-07 15:22:30 +01:00 committed by Daniel P. Berrangé
parent a4877192a1
commit c0236d1c84
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
src/security/security_selinux.c
View File

@ -3251,7 +3251,7 @@ virSecuritySELinuxSetTapFDLabel(virSecurityManagerPtr mgr,
goto cleanup;
}
/* Label /dev/tap.* devices only. Leave /dev/net/tun alone! */
/* Label /dev/tap([0-9]+)? devices only. Leave /dev/net/tun alone! */
proc = g_strdup_printf("/proc/self/fd/%d", fd);
if (virFileResolveLink(proc, &fd_path) < 0) {
@ -3267,7 +3267,7 @@ virSecuritySELinuxSetTapFDLabel(virSecurityManagerPtr mgr,
goto cleanup;
}
if (getContext(mgr, "/dev/tap*", buf.st_mode, &fcon) < 0) {
if (getContext(mgr, fd_path, buf.st_mode, &fcon) < 0) {
virReportError(VIR_ERR_INTERNAL_ERROR,
_("cannot lookup default selinux label for tap fd %d"), fd);
goto cleanup;