diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
index 84d8e4427d..903dafdb79 100644
--- a/src/qemu/qemu_command.c
+++ b/src/qemu/qemu_command.c
@@ -192,10 +192,6 @@ qemuPhysIfaceConnect(virDomainDefPtr def,
 vmop, cfg->stateDir,
 virDomainNetGetActualBandwidth(net));
 if (rc >= 0) {
- if (virSecurityManagerSetTapFDLabel(driver->securityManager,
- def, rc) < 0)
- goto error;
-
 virDomainAuditNetDevice(def, net, res_ifname, true);
 VIR_FREE(net->ifname);
 net->ifname = res_ifname;
@@ -203,17 +199,6 @@ qemuPhysIfaceConnect(virDomainDefPtr def,
 
 virObjectUnref(cfg);
 return rc;
-
- error:
- ignore_value(virNetDevMacVLanDeleteWithVPortProfile(
- res_ifname, &net->mac,
- virDomainNetGetActualDirectDev(net),
- virDomainNetGetActualDirectMode(net),
- virDomainNetGetActualVirtPortProfile(net),
- cfg->stateDir));
- VIR_FREE(res_ifname);
- virObjectUnref(cfg);
- return -1;
 }
 
 
@@ -7201,6 +7186,9 @@ qemuBuildInterfaceCommandLine(virCommandPtr cmd,
 }
 
 for (i = 0; i < tapfdSize; i++) {
+ if (virSecurityManagerSetTapFDLabel(driver->securityManager,
+ def, tapfd[i]) < 0)
+ goto cleanup;
 virCommandPassFD(cmd, tapfd[i],
 VIR_COMMAND_PASS_FD_CLOSE_PARENT);
 if (virAsprintf(&tapfdName[i], "%d", tapfd[i]) < 0)
diff --git a/src/qemu/qemu_hotplug.c b/src/qemu/qemu_hotplug.c
index bf43a41978..a364c527d4 100644
--- a/src/qemu/qemu_hotplug.c
+++ b/src/qemu/qemu_hotplug.c
@@ -948,6 +948,12 @@ int qemuDomainAttachNetDevice(virConnectPtr conn,
 goto cleanup;
 }
 
+ for (i = 0; i < tapfdSize; i++) {
+ if (virSecurityManagerSetTapFDLabel(driver->securityManager,
+ vm->def, tapfd[i]) < 0)
+ goto cleanup;
+ }
+
 if (virQEMUCapsGet(priv->qemuCaps, QEMU_CAPS_NET_NAME) ||
 virQEMUCapsGet(priv->qemuCaps, QEMU_CAPS_DEVICE)) {
 if (qemuAssignDeviceNetAlias(vm->def, net, -1) < 0)
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index c078cab72f..5d184935c5 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
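Review bot: virDomainAuditNetDevice(def, net, res_ifname, true) now records the macvtap device as successfully attached before its fd has been labelled, because the label call that used to precede it is moved out of this function; if the caller's label step fails afterwards, the audit trail still shows success. If the audit record is meant to reflect the final outcome, the failure should be audited at the new call site, or this ordering should at least be stated here: `/* audited as success here; labelling the returned fd is now the caller's job */`. qemuPhysIfaceConnect begins outside the hunk, so I cannot see whether any other audit call covers the failure case.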
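Review bot: When virSecurityManagerSetTapFDLabel fails for a direct-type interface, the new check jumps to cleanup, but the in-place teardown the removed error: path in qemuPhysIfaceConnect performed (virNetDevMacVLanDeleteWithVPortProfile on the just-created macvtap device) is gone and nothing in this hunk replaces it. Unless cleanup in qemuBuildInterfaceCommandLine, which is outside the hunk, also deletes the macvtap interface, a label failure now leaves a stale macvtap device on the host where the old code removed it. Please confirm that, and document the new responsibility on the check: `/* label each tap fd before QEMU gets it; on failure cleanup must also undo host-side device creation */`. The enclosing function starts and ends outside the hunk.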
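Review bot: The labelling loop added here is a copy of the one added to qemuBuildInterfaceCommandLine in the same commit; the two call sites should share one helper so that a later change to how tap fds are labelled (ordering, error reporting) cannot drift between cold-plug and hot-plug. The same teardown question applies here: on `goto cleanup` the macvtap device created earlier for a direct interface is no longer removed at its creation site, so cleanup in qemuDomainAttachNetDevice (outside the hunk) has to do it. A one-line comment on the loop, `/* tap fds must be labelled for the domain before QEMU receives them */`, would make the intent clear to the next reader.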
@@ -2330,47 +2330,17 @@ virSecuritySELinuxSetImageFDLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
 }
 
 static int
-virSecuritySELinuxSetTapFDLabel(virSecurityManagerPtr mgr,
+virSecuritySELinuxSetTapFDLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
 virDomainDefPtr def,
 int fd)
 {
- struct stat buf;
- security_context_t fcon = NULL;
 virSecurityLabelDefPtr secdef;
- char *str = NULL;
- int rc = -1;
 
 secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
 if (!secdef || !secdef->label)
 return 0;
 
- if (fstat(fd, &buf) < 0) {
- virReportSystemError(errno, _("cannot stat tap fd %d"), fd);
- goto cleanup;
- }
-
- if ((buf.st_mode & S_IFMT) != S_IFCHR) {
- virReportError(VIR_ERR_INTERNAL_ERROR,
- _("tap fd %d is not character device"), fd);
- goto cleanup;
- }
-
- if (getContext(mgr, "/dev/tap.*", buf.st_mode, &fcon) < 0) {
- virReportError(VIR_ERR_INTERNAL_ERROR,
- _("cannot lookup default selinux label for tap fd %d"), fd);
- goto cleanup;
- }
-
- if (!(str = virSecuritySELinuxContextAddRange(secdef->label, fcon))) {
- goto cleanup;
- } else {
- rc = virSecuritySELinuxFSetFilecon(fd, str);
- }
-
- cleanup:
- freecon(fcon);
- VIR_FREE(str);
- return rc;
+ return virSecuritySELinuxFSetFilecon(fd, secdef->label);
 }
 
 static char *
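Review bot: The function now applies the domain's own label (secdef->label) straight to the fd instead of a /dev/tap.* file context with the MCS range appended, and nothing in the code says why a domain label is the right thing to put on a file descriptor; the next reader will not have the commit message. A one-line comment is needed above the return: `/* tap fds are labelled with the domain's own label, not a /dev/tap.* file context with the range added */`. The fstat/S_IFCHR sanity check is also gone, so whatever fd a caller passes is relabelled unconditionally; the callers visible in this diff only pass fds they have just created, but a cheap fstat guard, or at least a stated precondition on the function, would keep a future caller from relabelling an unrelated object with the VM's label. Marking mgr ATTRIBUTE_UNUSED is correct now that getContext is no longer called.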