From d37c6a3ae0b0b9b4e16ada094567597e8025b193 Mon Sep 17 00:00:00 2001
From: "Daniel P. Berrange"
Date: Tue, 29 Mar 2011 15:46:48 +0100
Subject: [PATCH] Fix security driver handling of FIFOs with QEMU

When setting up a FIFO for QEMU, it allows either a pair of fifos used unidirectionally, or a single fifo used bidirectionally. Look for the bidirectional fifo first when labelling since that is more useful
* src/security/security_dac.c, src/security/security_selinux.c: Fix fifo handling
---
 src/security/security_dac.c | 19 ++++++++++++-------
 src/security/security_selinux.c | 19 ++++++++++++-------
 2 files changed, 24 insertions(+), 14 deletions(-)

diff --git a/src/security/security_dac.c b/src/security/security_dac.c
index fba2d1ddbf..b8642d2d72 100644
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -406,14 +406,19 @@ virSecurityDACSetChardevLabel(virSecurityManagerPtr mgr,
 break;
 
 case VIR_DOMAIN_CHR_TYPE_PIPE:
- if ((virAsprintf(&in, "%s.in", dev->data.file.path) < 0) ||
- (virAsprintf(&out, "%s.out", dev->data.file.path) < 0)) {
- virReportOOMError();
- goto done;
+ if (virFileExists(dev->data.file.path)) {
+ if (virSecurityDACSetOwnership(dev->data.file.path, priv->user, priv->group) < 0)
+ goto done;
+ } else {
+ if ((virAsprintf(&in, "%s.in", dev->data.file.path) < 0) ||
+ (virAsprintf(&out, "%s.out", dev->data.file.path) < 0)) {
+ virReportOOMError();
+ goto done;
+ }
+ if ((virSecurityDACSetOwnership(in, priv->user, priv->group) < 0) ||
+ (virSecurityDACSetOwnership(out, priv->user, priv->group) < 0))
+ goto done;
 }
- if ((virSecurityDACSetOwnership(in, priv->user, priv->group) < 0) ||
- (virSecurityDACSetOwnership(out, priv->user, priv->group) < 0))
- goto done;
 ret = 0;
 break;
 
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index d8706163cc..0ce999f9fe 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
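Review bot: The restore side is not updated to match the new `virFileExists(dev->data.file.path)` branch; the diffstat (12 additions, 7 deletions per file) shows this hunk is the only change to security_dac.c. If the corresponding restore function, which is not visible here, still derives only the `.in`/`.out` names, a single bidirectional FIFO would keep `priv->user`/`priv->group` ownership after the domain stops. The same would hold for the label set in the SELinuxSetSecurityChardevLabel hunk. I would mirror the existence check in both restore paths and add a comment above the branch such as `/* A single bidirectional FIFO takes precedence over the .in/.out pair; the restore path must make the same choice */`. virSecurityDACSetChardevLabel starts and ends outside the hunk.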
@@ -733,14 +733,19 @@ SELinuxSetSecurityChardevLabel(virDomainObjPtr vm,
 break;
 
 case VIR_DOMAIN_CHR_TYPE_PIPE:
- if ((virAsprintf(&in, "%s.in", dev->data.file.path) < 0) ||
- (virAsprintf(&out, "%s.out", dev->data.file.path) < 0)) {
- virReportOOMError();
- goto done;
+ if (virFileExists(dev->data.file.path)) {
+ if (SELinuxSetFilecon(dev->data.file.path, secdef->imagelabel) < 0)
+ goto done;
+ } else {
+ if ((virAsprintf(&in, "%s.in", dev->data.file.path) < 0) ||
+ (virAsprintf(&out, "%s.out", dev->data.file.path) < 0)) {
+ virReportOOMError();
+ goto done;
+ }
+ if ((SELinuxSetFilecon(in, secdef->imagelabel) < 0) ||
+ (SELinuxSetFilecon(out, secdef->imagelabel) < 0))
+ goto done;
 }
- if ((SELinuxSetFilecon(in, secdef->imagelabel) < 0) ||
- (SELinuxSetFilecon(out, secdef->imagelabel) < 0))
- goto done;
 ret = 0;
 break;
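Review bot: `virFileExists()` only tests that something exists at `dev->data.file.path`, so the new first branch applies `secdef->imagelabel` to whatever object is there, FIFO or not, and the check and the relabel are two separate lookups of the same path. For a chardev of type PIPE it would be safer to confirm the type before labelling, for example `if (stat(dev->data.file.path, &sb) == 0 && S_ISFIFO(sb.st_mode)) {` with a local `struct stat sb;`, so a non-FIFO at that path falls through to the `.in`/`.out` branch and presumably fails there. Because the label is applied by path, a comment should also state that the FIFO's directory must not be writable by untrusted users. The chown in the virSecurityDACSetChardevLabel hunk has the same shape. SELinuxSetSecurityChardevLabel's body continues outside the hunk.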