Fix error reporting in virSecuritySELinuxGenNewContext

The virSecuritySELinuxGenNewContext method was not reporting any
errors, leaving it up to the caller to report a generic error.
In addition it could potentially trigger a strdup(NULL) in an
OOM scenario. Move all error reporting into the
virSecuritySELinuxGenNewContext method where accurate info
can be provided

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>

src/security/security_selinux.c

@@ -99,20 +99,37 @@ virSecuritySELinuxMCSRemove(virSecurityManagerPtr mgr,
 }
 
 static char *
-virSecuritySELinuxGenNewContext(const char *oldcontext, const char *mcs)
+virSecuritySELinuxGenNewContext(const char *basecontext, const char *mcs)
 {
-    char *newcontext = NULL;
+    context_t context;
-    char *scontext = strdup(oldcontext);
+    char *ret = NULL;
-    context_t con;
+    char *str;
-    if (!scontext) goto err;
+
-    con = context_new(scontext);
+    if (!(context = context_new(basecontext))) {
-    if (!con) goto err;
+        virReportSystemError(errno,
-    context_range_set(con, mcs);
+                             _("Unable to parse base SELinux context '%s'"),
-    newcontext = strdup(context_str(con));
+                             basecontext);
-    context_free(con);
+        goto cleanup;
-err:
+    }
-    freecon(scontext);
+
-    return newcontext;
+    if (context_range_set(context, mcs) != 0) {
+        virReportSystemError(errno,
+                             _("Unable to set SELinux context MCS '%s'"),
+                             mcs);
+        goto cleanup;
+    }
+    if (!(str = context_str(context))) {
+        virReportSystemError(errno, "%s",
+                             _("Unable to format SELinux context"));
+        goto cleanup;
+    }
+    if (!(ret = strdup(str))) {
+        virReportOOMError();
+        goto cleanup;
+    }
+cleanup:
+    context_free(context);
+    return ret;
 }
 
 
@@ -348,15 +365,11 @@ virSecuritySELinuxGenSecurityLabel(virSecurityManagerPtr mgr,
                 break;
         }
 
-        def->seclabel.label =
+        if (!(def->seclabel.label =
               virSecuritySELinuxGenNewContext(def->seclabel.baselabel ?
                                               def->seclabel.baselabel :
-                                            data->domain_context, mcs);
+                                              data->domain_context, mcs)))
-        if (! def->seclabel.label)  {
-            virReportError(VIR_ERR_INTERNAL_ERROR,
-                           _("cannot generate selinux context for %s"), mcs);
             goto cleanup;
-        }
         break;
 
     case VIR_DOMAIN_SECLABEL_NONE:
@@ -371,13 +384,10 @@ virSecuritySELinuxGenSecurityLabel(virSecurityManagerPtr mgr,
     }
 
     if (!def->seclabel.norelabel) {
-        def->seclabel.imagelabel = virSecuritySELinuxGenNewContext(data->file_context, mcs);
+        if (!(def->seclabel.imagelabel =
-        if (!def->seclabel.imagelabel)  {
+              virSecuritySELinuxGenNewContext(data->file_context, mcs)))
-            virReportError(VIR_ERR_INTERNAL_ERROR,
-                           _("cannot generate selinux context for %s"), mcs);
             goto cleanup;
     }
-    }
 
     if (!def->seclabel.model &&
         !(def->seclabel.model = strdup(SECURITY_SELINUX_NAME))) {
@@ -1576,13 +1586,10 @@ virSecuritySELinuxGenImageLabel(virSecurityManagerPtr mgr,
                 virReportOOMError();
                 goto cleanup;
             }
-            label = virSecuritySELinuxGenNewContext(data->file_context, mcs);
+            if (!(label = virSecuritySELinuxGenNewContext(data->file_context, mcs)))
-            if (!label) {
-                virReportOOMError();
                 goto cleanup;
         }
     }
-    }
 
 cleanup:
         context_free(ctx);