security_selinux: Allow caller to suppress owner remembering

Just like the previous commit allowed enabling or disabling owner
remembering for each individual path, do the same for the SELinux
driver. This is going to be needed in the next commit.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Cole Robinson <crobinso@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Michal Privoznik 2019-02-15 15:36:06 +01:00
parent 377b4e0a6b
commit d87f363a3f


@ -82,6 +82,7 @@ struct _virSecuritySELinuxContextItem {
char *path; char *path;
char *tcon; char *tcon;
bool optional; bool optional;
bool remember; /* Whether owner remembering should be done for @path/@src */
bool restore; /* Whether current operation is 'set' or 'restore' */ bool restore; /* Whether current operation is 'set' or 'restore' */
}; };
@ -122,6 +123,7 @@ virSecuritySELinuxContextListAppend(virSecuritySELinuxContextListPtr list,
const char *path, const char *path,
const char *tcon, const char *tcon,
bool optional, bool optional,
bool remember,
bool restore) bool restore)
{ {
int ret = -1; int ret = -1;
@ -134,6 +136,7 @@ virSecuritySELinuxContextListAppend(virSecuritySELinuxContextListPtr list,
goto cleanup; goto cleanup;
item->optional = optional; item->optional = optional;
item->remember = remember;
item->restore = restore; item->restore = restore;
if (VIR_APPEND_ELEMENT(list->items, list->nItems, item) < 0) if (VIR_APPEND_ELEMENT(list->items, list->nItems, item) < 0)
@ -168,9 +171,12 @@ virSecuritySELinuxContextListFree(void *opaque)
* @path: Path to chown * @path: Path to chown
* @tcon: target context * @tcon: target context
* @optional: true if setting @tcon is optional * @optional: true if setting @tcon is optional
* @remember: if the original owner should be recorded/recalled
* @restore: if current operation is set or restore * @restore: if current operation is set or restore
* *
* Appends an entry onto transaction list. * Appends an entry onto transaction list.
* The @remember should be true if caller wishes to record/recall
* the original owner of @path/@src.
* The @restore should be true if the operation is restoring * The @restore should be true if the operation is restoring
* seclabel and false otherwise. * seclabel and false otherwise.
* *
@ -182,6 +188,7 @@ static int
virSecuritySELinuxTransactionAppend(const char *path, virSecuritySELinuxTransactionAppend(const char *path,
const char *tcon, const char *tcon,
bool optional, bool optional,
bool remember,
bool restore) bool restore)
{ {
virSecuritySELinuxContextListPtr list; virSecuritySELinuxContextListPtr list;
@ -190,7 +197,8 @@ virSecuritySELinuxTransactionAppend(const char *path,
if (!list) if (!list)
return 0; return 0;
if (virSecuritySELinuxContextListAppend(list, path, tcon, optional, restore) < 0) if (virSecuritySELinuxContextListAppend(list, path, tcon,
optional, remember, restore) < 0)
return -1; return -1;
return 1; return 1;
@ -276,17 +284,18 @@ virSecuritySELinuxTransactionRun(pid_t pid ATTRIBUTE_UNUSED,
rv = 0; rv = 0;
for (i = 0; i < list->nItems; i++) { for (i = 0; i < list->nItems; i++) {
virSecuritySELinuxContextItemPtr item = list->items[i]; virSecuritySELinuxContextItemPtr item = list->items[i];
const bool remember = item->remember && list->lock;
if (!item->restore) { if (!item->restore) {
rv = virSecuritySELinuxSetFileconHelper(list->manager, rv = virSecuritySELinuxSetFileconHelper(list->manager,
item->path, item->path,
item->tcon, item->tcon,
item->optional, item->optional,
list->lock); remember);
} else { } else {
rv = virSecuritySELinuxRestoreFileLabel(list->manager, rv = virSecuritySELinuxRestoreFileLabel(list->manager,
item->path, item->path,
list->lock); remember);
} }
if (rv < 0) if (rv < 0)
@ -295,11 +304,12 @@ virSecuritySELinuxTransactionRun(pid_t pid ATTRIBUTE_UNUSED,
for (; rv < 0 && i > 0; i--) { for (; rv < 0 && i > 0; i--) {
virSecuritySELinuxContextItemPtr item = list->items[i - 1]; virSecuritySELinuxContextItemPtr item = list->items[i - 1];
const bool remember = item->remember && list->lock;
if (!item->restore) { if (!item->restore) {
virSecuritySELinuxRestoreFileLabel(list->manager, virSecuritySELinuxRestoreFileLabel(list->manager,
item->path, item->path,
list->lock); remember);
} else { } else {
VIR_WARN("Ignoring failed restore attempt on %s", item->path); VIR_WARN("Ignoring failed restore attempt on %s", item->path);
} }
@ -1326,7 +1336,8 @@ virSecuritySELinuxSetFileconHelper(virSecurityManagerPtr mgr,
int rc; int rc;
int ret = -1; int ret = -1;
if ((rc = virSecuritySELinuxTransactionAppend(path, tcon, optional, false)) < 0) if ((rc = virSecuritySELinuxTransactionAppend(path, tcon,
optional, remember, false)) < 0)
return -1; return -1;
else if (rc > 0) else if (rc > 0)
return 0; return 0;
@ -1389,16 +1400,20 @@ virSecuritySELinuxSetFileconHelper(virSecurityManagerPtr mgr,
static int static int
virSecuritySELinuxSetFileconOptional(virSecurityManagerPtr mgr, virSecuritySELinuxSetFileconOptional(virSecurityManagerPtr mgr,
const char *path, const char *tcon) const char *path,
const char *tcon,
bool remember)
{ {
return virSecuritySELinuxSetFileconHelper(mgr, path, tcon, true, false); return virSecuritySELinuxSetFileconHelper(mgr, path, tcon, true, remember);
} }
static int static int
virSecuritySELinuxSetFilecon(virSecurityManagerPtr mgr, virSecuritySELinuxSetFilecon(virSecurityManagerPtr mgr,
const char *path, const char *tcon) const char *path,
const char *tcon,
bool remember)
{ {
return virSecuritySELinuxSetFileconHelper(mgr, path, tcon, false, false); return virSecuritySELinuxSetFileconHelper(mgr, path, tcon, false, remember);
} }
static int static int
@ -1484,7 +1499,8 @@ virSecuritySELinuxRestoreFileLabel(virSecurityManagerPtr mgr,
goto cleanup; goto cleanup;
} }
if ((rc = virSecuritySELinuxTransactionAppend(path, NULL, false, true)) < 0) { if ((rc = virSecuritySELinuxTransactionAppend(path, NULL,
false, recall, true)) < 0) {
goto cleanup; goto cleanup;
} else if (rc > 0) { } else if (rc > 0) {
ret = 0; ret = 0;
@ -1545,7 +1561,7 @@ virSecuritySELinuxSetInputLabel(virSecurityManagerPtr mgr,
switch ((virDomainInputType)input->type) { switch ((virDomainInputType)input->type) {
case VIR_DOMAIN_INPUT_TYPE_PASSTHROUGH: case VIR_DOMAIN_INPUT_TYPE_PASSTHROUGH:
if (virSecuritySELinuxSetFilecon(mgr, input->source.evdev, if (virSecuritySELinuxSetFilecon(mgr, input->source.evdev,
seclabel->imagelabel) < 0) seclabel->imagelabel, true) < 0)
return -1; return -1;
break; break;
@ -1574,7 +1590,7 @@ virSecuritySELinuxRestoreInputLabel(virSecurityManagerPtr mgr,
switch ((virDomainInputType)input->type) { switch ((virDomainInputType)input->type) {
case VIR_DOMAIN_INPUT_TYPE_PASSTHROUGH: case VIR_DOMAIN_INPUT_TYPE_PASSTHROUGH:
rc = virSecuritySELinuxRestoreFileLabel(mgr, input->source.evdev, false); rc = virSecuritySELinuxRestoreFileLabel(mgr, input->source.evdev, true);
break; break;
case VIR_DOMAIN_INPUT_TYPE_MOUSE: case VIR_DOMAIN_INPUT_TYPE_MOUSE:
@ -1602,7 +1618,7 @@ virSecuritySELinuxSetMemoryLabel(virSecurityManagerPtr mgr,
return 0; return 0;
if (virSecuritySELinuxSetFilecon(mgr, mem->nvdimmPath, if (virSecuritySELinuxSetFilecon(mgr, mem->nvdimmPath,
seclabel->imagelabel) < 0) seclabel->imagelabel, true) < 0)
return -1; return -1;
break; break;
@ -1630,7 +1646,7 @@ virSecuritySELinuxRestoreMemoryLabel(virSecurityManagerPtr mgr,
if (!seclabel || !seclabel->relabel) if (!seclabel || !seclabel->relabel)
return 0; return 0;
ret = virSecuritySELinuxRestoreFileLabel(mgr, mem->nvdimmPath, false); ret = virSecuritySELinuxRestoreFileLabel(mgr, mem->nvdimmPath, true);
break; break;
case VIR_DOMAIN_MEMORY_MODEL_DIMM: case VIR_DOMAIN_MEMORY_MODEL_DIMM:
@ -1661,14 +1677,14 @@ virSecuritySELinuxSetTPMFileLabel(virSecurityManagerPtr mgr,
switch (tpm->type) { switch (tpm->type) {
case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH: case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH:
tpmdev = tpm->data.passthrough.source.data.file.path; tpmdev = tpm->data.passthrough.source.data.file.path;
rc = virSecuritySELinuxSetFilecon(mgr, tpmdev, seclabel->imagelabel); rc = virSecuritySELinuxSetFilecon(mgr, tpmdev, seclabel->imagelabel, true);
if (rc < 0) if (rc < 0)
return -1; return -1;
if ((cancel_path = virTPMCreateCancelPath(tpmdev)) != NULL) { if ((cancel_path = virTPMCreateCancelPath(tpmdev)) != NULL) {
rc = virSecuritySELinuxSetFilecon(mgr, rc = virSecuritySELinuxSetFilecon(mgr,
cancel_path, cancel_path,
seclabel->imagelabel); seclabel->imagelabel, true);
VIR_FREE(cancel_path); VIR_FREE(cancel_path);
if (rc < 0) { if (rc < 0) {
virSecuritySELinuxRestoreTPMFileLabelInt(mgr, def, tpm); virSecuritySELinuxRestoreTPMFileLabelInt(mgr, def, tpm);
@ -1680,7 +1696,7 @@ virSecuritySELinuxSetTPMFileLabel(virSecurityManagerPtr mgr,
break; break;
case VIR_DOMAIN_TPM_TYPE_EMULATOR: case VIR_DOMAIN_TPM_TYPE_EMULATOR:
tpmdev = tpm->data.emulator.source.data.nix.path; tpmdev = tpm->data.emulator.source.data.nix.path;
rc = virSecuritySELinuxSetFilecon(mgr, tpmdev, seclabel->imagelabel); rc = virSecuritySELinuxSetFilecon(mgr, tpmdev, seclabel->imagelabel, true);
if (rc < 0) if (rc < 0)
return -1; return -1;
break; break;
@ -1709,10 +1725,10 @@ virSecuritySELinuxRestoreTPMFileLabelInt(virSecurityManagerPtr mgr,
switch (tpm->type) { switch (tpm->type) {
case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH: case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH:
tpmdev = tpm->data.passthrough.source.data.file.path; tpmdev = tpm->data.passthrough.source.data.file.path;
rc = virSecuritySELinuxRestoreFileLabel(mgr, tpmdev, false); rc = virSecuritySELinuxRestoreFileLabel(mgr, tpmdev, true);
if ((cancel_path = virTPMCreateCancelPath(tpmdev)) != NULL) { if ((cancel_path = virTPMCreateCancelPath(tpmdev)) != NULL) {
if (virSecuritySELinuxRestoreFileLabel(mgr, cancel_path, false) < 0) if (virSecuritySELinuxRestoreFileLabel(mgr, cancel_path, true) < 0)
rc = -1; rc = -1;
VIR_FREE(cancel_path); VIR_FREE(cancel_path);
} }
@ -1779,7 +1795,7 @@ virSecuritySELinuxRestoreImageLabelInt(virSecurityManagerPtr mgr,
} }
} }
return virSecuritySELinuxRestoreFileLabel(mgr, src->path, false); return virSecuritySELinuxRestoreFileLabel(mgr, src->path, true);
} }
@ -1822,32 +1838,38 @@ virSecuritySELinuxSetImageLabelInternal(virSecurityManagerPtr mgr,
if (!disk_seclabel->relabel) if (!disk_seclabel->relabel)
return 0; return 0;
ret = virSecuritySELinuxSetFilecon(mgr, src->path, disk_seclabel->label); ret = virSecuritySELinuxSetFilecon(mgr, src->path,
disk_seclabel->label, true);
} else if (parent_seclabel && (!parent_seclabel->relabel || parent_seclabel->label)) { } else if (parent_seclabel && (!parent_seclabel->relabel || parent_seclabel->label)) {
if (!parent_seclabel->relabel) if (!parent_seclabel->relabel)
return 0; return 0;
ret = virSecuritySELinuxSetFilecon(mgr, src->path, parent_seclabel->label); ret = virSecuritySELinuxSetFilecon(mgr, src->path,
parent_seclabel->label, true);
} else if (!parent || parent == src) { } else if (!parent || parent == src) {
if (src->shared) { if (src->shared) {
ret = virSecuritySELinuxSetFileconOptional(mgr, ret = virSecuritySELinuxSetFileconOptional(mgr,
src->path, src->path,
data->file_context); data->file_context,
true);
} else if (src->readonly) { } else if (src->readonly) {
ret = virSecuritySELinuxSetFileconOptional(mgr, ret = virSecuritySELinuxSetFileconOptional(mgr,
src->path, src->path,
data->content_context); data->content_context,
true);
} else if (secdef->imagelabel) { } else if (secdef->imagelabel) {
ret = virSecuritySELinuxSetFileconOptional(mgr, ret = virSecuritySELinuxSetFileconOptional(mgr,
src->path, src->path,
secdef->imagelabel); secdef->imagelabel,
true);
} else { } else {
ret = 0; ret = 0;
} }
} else { } else {
ret = virSecuritySELinuxSetFileconOptional(mgr, ret = virSecuritySELinuxSetFileconOptional(mgr,
src->path, src->path,
data->content_context); data->content_context,
true);
} }
if (ret == 1 && !disk_seclabel) { if (ret == 1 && !disk_seclabel) {
@ -1900,7 +1922,7 @@ virSecuritySELinuxSetHostdevLabelHelper(const char *file, void *opaque)
secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME); secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
if (secdef == NULL) if (secdef == NULL)
return 0; return 0;
return virSecuritySELinuxSetFilecon(mgr, file, secdef->imagelabel); return virSecuritySELinuxSetFilecon(mgr, file, secdef->imagelabel, true);
} }
static int static int
@ -1932,13 +1954,13 @@ virSecuritySELinuxSetSCSILabel(virSCSIDevicePtr dev,
if (virSCSIDeviceGetShareable(dev)) if (virSCSIDeviceGetShareable(dev))
return virSecuritySELinuxSetFileconOptional(mgr, file, return virSecuritySELinuxSetFileconOptional(mgr, file,
data->file_context); data->file_context, true);
else if (virSCSIDeviceGetReadonly(dev)) else if (virSCSIDeviceGetReadonly(dev))
return virSecuritySELinuxSetFileconOptional(mgr, file, return virSecuritySELinuxSetFileconOptional(mgr, file,
data->content_context); data->content_context, true);
else else
return virSecuritySELinuxSetFileconOptional(mgr, file, return virSecuritySELinuxSetFileconOptional(mgr, file,
secdef->imagelabel); secdef->imagelabel, true);
} }
static int static int
@ -2093,7 +2115,7 @@ virSecuritySELinuxSetHostdevCapsLabel(virSecurityManagerPtr mgr,
if (VIR_STRDUP(path, dev->source.caps.u.storage.block) < 0) if (VIR_STRDUP(path, dev->source.caps.u.storage.block) < 0)
return -1; return -1;
} }
ret = virSecuritySELinuxSetFilecon(mgr, path, secdef->imagelabel); ret = virSecuritySELinuxSetFilecon(mgr, path, secdef->imagelabel, true);
VIR_FREE(path); VIR_FREE(path);
break; break;
} }
@ -2107,7 +2129,7 @@ virSecuritySELinuxSetHostdevCapsLabel(virSecurityManagerPtr mgr,
if (VIR_STRDUP(path, dev->source.caps.u.misc.chardev) < 0) if (VIR_STRDUP(path, dev->source.caps.u.misc.chardev) < 0)
return -1; return -1;
} }
ret = virSecuritySELinuxSetFilecon(mgr, path, secdef->imagelabel); ret = virSecuritySELinuxSetFilecon(mgr, path, secdef->imagelabel, true);
VIR_FREE(path); VIR_FREE(path);
break; break;
} }
@ -2153,7 +2175,7 @@ virSecuritySELinuxRestorePCILabel(virPCIDevicePtr dev ATTRIBUTE_UNUSED,
{ {
virSecurityManagerPtr mgr = opaque; virSecurityManagerPtr mgr = opaque;
return virSecuritySELinuxRestoreFileLabel(mgr, file, false); return virSecuritySELinuxRestoreFileLabel(mgr, file, true);
} }
static int static int
@ -2163,7 +2185,7 @@ virSecuritySELinuxRestoreUSBLabel(virUSBDevicePtr dev ATTRIBUTE_UNUSED,
{ {
virSecurityManagerPtr mgr = opaque; virSecurityManagerPtr mgr = opaque;
return virSecuritySELinuxRestoreFileLabel(mgr, file, false); return virSecuritySELinuxRestoreFileLabel(mgr, file, true);
} }
@ -2180,7 +2202,7 @@ virSecuritySELinuxRestoreSCSILabel(virSCSIDevicePtr dev,
if (virSCSIDeviceGetShareable(dev) || virSCSIDeviceGetReadonly(dev)) if (virSCSIDeviceGetShareable(dev) || virSCSIDeviceGetReadonly(dev))
return 0; return 0;
return virSecuritySELinuxRestoreFileLabel(mgr, file, false); return virSecuritySELinuxRestoreFileLabel(mgr, file, true);
} }
static int static int
@ -2190,7 +2212,7 @@ virSecuritySELinuxRestoreHostLabel(virSCSIVHostDevicePtr dev ATTRIBUTE_UNUSED,
{ {
virSecurityManagerPtr mgr = opaque; virSecurityManagerPtr mgr = opaque;
return virSecuritySELinuxRestoreFileLabel(mgr, file, false); return virSecuritySELinuxRestoreFileLabel(mgr, file, true);
} }
@ -2294,7 +2316,7 @@ virSecuritySELinuxRestoreHostdevSubsysLabel(virSecurityManagerPtr mgr,
if (!(vfiodev = virMediatedDeviceGetIOMMUGroupDev(mdevsrc->uuidstr))) if (!(vfiodev = virMediatedDeviceGetIOMMUGroupDev(mdevsrc->uuidstr)))
goto done; goto done;
ret = virSecuritySELinuxRestoreFileLabel(mgr, vfiodev, false); ret = virSecuritySELinuxRestoreFileLabel(mgr, vfiodev, true);
VIR_FREE(vfiodev); VIR_FREE(vfiodev);
break; break;
@ -2328,7 +2350,7 @@ virSecuritySELinuxRestoreHostdevCapsLabel(virSecurityManagerPtr mgr,
if (VIR_STRDUP(path, dev->source.caps.u.storage.block) < 0) if (VIR_STRDUP(path, dev->source.caps.u.storage.block) < 0)
return -1; return -1;
} }
ret = virSecuritySELinuxRestoreFileLabel(mgr, path, false); ret = virSecuritySELinuxRestoreFileLabel(mgr, path, true);
VIR_FREE(path); VIR_FREE(path);
break; break;
} }
@ -2342,7 +2364,7 @@ virSecuritySELinuxRestoreHostdevCapsLabel(virSecurityManagerPtr mgr,
if (VIR_STRDUP(path, dev->source.caps.u.misc.chardev) < 0) if (VIR_STRDUP(path, dev->source.caps.u.misc.chardev) < 0)
return -1; return -1;
} }
ret = virSecuritySELinuxRestoreFileLabel(mgr, path, false); ret = virSecuritySELinuxRestoreFileLabel(mgr, path, true);
VIR_FREE(path); VIR_FREE(path);
break; break;
} }
@ -2420,14 +2442,16 @@ virSecuritySELinuxSetChardevLabel(virSecurityManagerPtr mgr,
case VIR_DOMAIN_CHR_TYPE_FILE: case VIR_DOMAIN_CHR_TYPE_FILE:
ret = virSecuritySELinuxSetFilecon(mgr, ret = virSecuritySELinuxSetFilecon(mgr,
dev_source->data.file.path, dev_source->data.file.path,
imagelabel); imagelabel,
true);
break; break;
case VIR_DOMAIN_CHR_TYPE_UNIX: case VIR_DOMAIN_CHR_TYPE_UNIX:
if (!dev_source->data.nix.listen) { if (!dev_source->data.nix.listen) {
if (virSecuritySELinuxSetFilecon(mgr, if (virSecuritySELinuxSetFilecon(mgr,
dev_source->data.nix.path, dev_source->data.nix.path,
imagelabel) < 0) imagelabel,
true) < 0)
goto done; goto done;
} }
ret = 0; ret = 0;
@ -2438,13 +2462,14 @@ virSecuritySELinuxSetChardevLabel(virSecurityManagerPtr mgr,
(virAsprintf(&out, "%s.out", dev_source->data.file.path) < 0)) (virAsprintf(&out, "%s.out", dev_source->data.file.path) < 0))
goto done; goto done;
if (virFileExists(in) && virFileExists(out)) { if (virFileExists(in) && virFileExists(out)) {
if ((virSecuritySELinuxSetFilecon(mgr, in, imagelabel) < 0) || if ((virSecuritySELinuxSetFilecon(mgr, in, imagelabel, true) < 0) ||
(virSecuritySELinuxSetFilecon(mgr, out, imagelabel) < 0)) { (virSecuritySELinuxSetFilecon(mgr, out, imagelabel, true) < 0)) {
goto done; goto done;
} }
} else if (virSecuritySELinuxSetFilecon(mgr, } else if (virSecuritySELinuxSetFilecon(mgr,
dev_source->data.file.path, dev_source->data.file.path,
imagelabel) < 0) { imagelabel,
true) < 0) {
goto done; goto done;
} }
ret = 0; ret = 0;
@ -2492,7 +2517,7 @@ virSecuritySELinuxRestoreChardevLabel(virSecurityManagerPtr mgr,
case VIR_DOMAIN_CHR_TYPE_FILE: case VIR_DOMAIN_CHR_TYPE_FILE:
if (virSecuritySELinuxRestoreFileLabel(mgr, if (virSecuritySELinuxRestoreFileLabel(mgr,
dev_source->data.file.path, dev_source->data.file.path,
false) < 0) true) < 0)
goto done; goto done;
ret = 0; ret = 0;
break; break;
@ -2501,7 +2526,7 @@ virSecuritySELinuxRestoreChardevLabel(virSecurityManagerPtr mgr,
if (!dev_source->data.nix.listen) { if (!dev_source->data.nix.listen) {
if (virSecuritySELinuxRestoreFileLabel(mgr, if (virSecuritySELinuxRestoreFileLabel(mgr,
dev_source->data.file.path, dev_source->data.file.path,
false) < 0) true) < 0)
goto done; goto done;
} }
ret = 0; ret = 0;
@ -2512,13 +2537,13 @@ virSecuritySELinuxRestoreChardevLabel(virSecurityManagerPtr mgr,
(virAsprintf(&in, "%s.in", dev_source->data.file.path) < 0)) (virAsprintf(&in, "%s.in", dev_source->data.file.path) < 0))
goto done; goto done;
if (virFileExists(in) && virFileExists(out)) { if (virFileExists(in) && virFileExists(out)) {
if ((virSecuritySELinuxRestoreFileLabel(mgr, out, false) < 0) || if ((virSecuritySELinuxRestoreFileLabel(mgr, out, true) < 0) ||
(virSecuritySELinuxRestoreFileLabel(mgr, in, false) < 0)) { (virSecuritySELinuxRestoreFileLabel(mgr, in, true) < 0)) {
goto done; goto done;
} }
} else if (virSecuritySELinuxRestoreFileLabel(mgr, } else if (virSecuritySELinuxRestoreFileLabel(mgr,
dev_source->data.file.path, dev_source->data.file.path,
false) < 0) { true) < 0) {
goto done; goto done;
} }
ret = 0; ret = 0;
@ -2570,7 +2595,7 @@ virSecuritySELinuxRestoreSecuritySmartcardCallback(virDomainDefPtr def,
database = dev->data.cert.database; database = dev->data.cert.database;
if (!database) if (!database)
database = VIR_DOMAIN_SMARTCARD_DEFAULT_DATABASE; database = VIR_DOMAIN_SMARTCARD_DEFAULT_DATABASE;
return virSecuritySELinuxRestoreFileLabel(mgr, database, false); return virSecuritySELinuxRestoreFileLabel(mgr, database, true);
case VIR_DOMAIN_SMARTCARD_TYPE_PASSTHROUGH: case VIR_DOMAIN_SMARTCARD_TYPE_PASSTHROUGH:
return virSecuritySELinuxRestoreChardevLabel(mgr, def, return virSecuritySELinuxRestoreChardevLabel(mgr, def,
@ -2665,23 +2690,23 @@ virSecuritySELinuxRestoreAllLabel(virSecurityManagerPtr mgr,
rc = -1; rc = -1;
if (def->os.loader && def->os.loader->nvram && if (def->os.loader && def->os.loader->nvram &&
virSecuritySELinuxRestoreFileLabel(mgr, def->os.loader->nvram, false) < 0) virSecuritySELinuxRestoreFileLabel(mgr, def->os.loader->nvram, true) < 0)
rc = -1; rc = -1;
if (def->os.kernel && if (def->os.kernel &&
virSecuritySELinuxRestoreFileLabel(mgr, def->os.kernel, false) < 0) virSecuritySELinuxRestoreFileLabel(mgr, def->os.kernel, true) < 0)
rc = -1; rc = -1;
if (def->os.initrd && if (def->os.initrd &&
virSecuritySELinuxRestoreFileLabel(mgr, def->os.initrd, false) < 0) virSecuritySELinuxRestoreFileLabel(mgr, def->os.initrd, true) < 0)
rc = -1; rc = -1;
if (def->os.dtb && if (def->os.dtb &&
virSecuritySELinuxRestoreFileLabel(mgr, def->os.dtb, false) < 0) virSecuritySELinuxRestoreFileLabel(mgr, def->os.dtb, true) < 0)
rc = -1; rc = -1;
if (def->os.slic_table && if (def->os.slic_table &&
virSecuritySELinuxRestoreFileLabel(mgr, def->os.slic_table, false) < 0) virSecuritySELinuxRestoreFileLabel(mgr, def->os.slic_table, true) < 0)
rc = -1; rc = -1;
return rc; return rc;
@ -2726,7 +2751,7 @@ virSecuritySELinuxSetSavedStateLabel(virSecurityManagerPtr mgr,
if (!secdef || !secdef->relabel) if (!secdef || !secdef->relabel)
return 0; return 0;
return virSecuritySELinuxSetFilecon(mgr, savefile, secdef->imagelabel); return virSecuritySELinuxSetFilecon(mgr, savefile, secdef->imagelabel, true);
} }
@ -2741,7 +2766,7 @@ virSecuritySELinuxRestoreSavedStateLabel(virSecurityManagerPtr mgr,
if (!secdef || !secdef->relabel) if (!secdef || !secdef->relabel)
return 0; return 0;
return virSecuritySELinuxRestoreFileLabel(mgr, savefile, false); return virSecuritySELinuxRestoreFileLabel(mgr, savefile, true);
} }
@ -2984,7 +3009,7 @@ virSecuritySELinuxSetSecuritySmartcardCallback(virDomainDefPtr def,
database = dev->data.cert.database; database = dev->data.cert.database;
if (!database) if (!database)
database = VIR_DOMAIN_SMARTCARD_DEFAULT_DATABASE; database = VIR_DOMAIN_SMARTCARD_DEFAULT_DATABASE;
return virSecuritySELinuxSetFilecon(mgr, database, data->content_context); return virSecuritySELinuxSetFilecon(mgr, database, data->content_context, true);
case VIR_DOMAIN_SMARTCARD_TYPE_PASSTHROUGH: case VIR_DOMAIN_SMARTCARD_TYPE_PASSTHROUGH:
return virSecuritySELinuxSetChardevLabel(mgr, def, return virSecuritySELinuxSetChardevLabel(mgr, def,
@ -3075,32 +3100,32 @@ virSecuritySELinuxSetAllLabel(virSecurityManagerPtr mgr,
if (def->os.loader && def->os.loader->nvram && if (def->os.loader && def->os.loader->nvram &&
secdef && secdef->imagelabel && secdef && secdef->imagelabel &&
virSecuritySELinuxSetFilecon(mgr, def->os.loader->nvram, virSecuritySELinuxSetFilecon(mgr, def->os.loader->nvram,
secdef->imagelabel) < 0) secdef->imagelabel, true) < 0)
return -1; return -1;
if (def->os.kernel && if (def->os.kernel &&
virSecuritySELinuxSetFilecon(mgr, def->os.kernel, virSecuritySELinuxSetFilecon(mgr, def->os.kernel,
data->content_context) < 0) data->content_context, true) < 0)
return -1; return -1;
if (def->os.initrd && if (def->os.initrd &&
virSecuritySELinuxSetFilecon(mgr, def->os.initrd, virSecuritySELinuxSetFilecon(mgr, def->os.initrd,
data->content_context) < 0) data->content_context, true) < 0)
return -1; return -1;
if (def->os.dtb && if (def->os.dtb &&
virSecuritySELinuxSetFilecon(mgr, def->os.dtb, virSecuritySELinuxSetFilecon(mgr, def->os.dtb,
data->content_context) < 0) data->content_context, true) < 0)
return -1; return -1;
if (def->os.slic_table && if (def->os.slic_table &&
virSecuritySELinuxSetFilecon(mgr, def->os.slic_table, virSecuritySELinuxSetFilecon(mgr, def->os.slic_table,
data->content_context) < 0) data->content_context, true) < 0)
return -1; return -1;
if (stdin_path && if (stdin_path &&
virSecuritySELinuxSetFilecon(mgr, stdin_path, virSecuritySELinuxSetFilecon(mgr, stdin_path,
data->content_context) < 0) data->content_context, true) < 0)
return -1; return -1;
return 0; return 0;
@ -3259,7 +3284,7 @@ virSecuritySELinuxDomainSetPathLabel(virSecurityManagerPtr mgr,
if (!seclabel || !seclabel->relabel) if (!seclabel || !seclabel->relabel)
return 0; return 0;
return virSecuritySELinuxSetFilecon(mgr, path, seclabel->imagelabel); return virSecuritySELinuxSetFilecon(mgr, path, seclabel->imagelabel, true);
} }
@ -3284,7 +3309,7 @@ virSecuritySELinuxSetFileLabels(virSecurityManagerPtr mgr,
char *filename = NULL; char *filename = NULL;
DIR *dir; DIR *dir;
if ((ret = virSecuritySELinuxSetFilecon(mgr, path, seclabel->imagelabel))) if ((ret = virSecuritySELinuxSetFilecon(mgr, path, seclabel->imagelabel, true)))
return ret; return ret;
if (!virFileIsDir(path)) if (!virFileIsDir(path))
@ -3299,7 +3324,7 @@ virSecuritySELinuxSetFileLabels(virSecurityManagerPtr mgr,
break; break;
} }
ret = virSecuritySELinuxSetFilecon(mgr, filename, ret = virSecuritySELinuxSetFilecon(mgr, filename,
seclabel->imagelabel); seclabel->imagelabel, true);
VIR_FREE(filename); VIR_FREE(filename);
if (ret < 0) if (ret < 0)
break; break;
@ -3333,7 +3358,7 @@ virSecuritySELinuxRestoreFileLabels(virSecurityManagerPtr mgr,
char *filename = NULL; char *filename = NULL;
DIR *dir; DIR *dir;
if ((ret = virSecuritySELinuxRestoreFileLabel(mgr, path, false))) if ((ret = virSecuritySELinuxRestoreFileLabel(mgr, path, true)))
return ret; return ret;
if (!virFileIsDir(path)) if (!virFileIsDir(path))
@ -3347,7 +3372,7 @@ virSecuritySELinuxRestoreFileLabels(virSecurityManagerPtr mgr,
ret = -1; ret = -1;
break; break;
} }
ret = virSecuritySELinuxRestoreFileLabel(mgr, filename, false); ret = virSecuritySELinuxRestoreFileLabel(mgr, filename, true);
VIR_FREE(filename); VIR_FREE(filename);
if (ret < 0) if (ret < 0)
break; break;
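Review bot: Every direct caller of virSecuritySELinuxSetFilecon(), virSecuritySELinuxSetFileconOptional() and virSecuritySELinuxRestoreFileLabel() in this file flips the hard-coded flag from `false` to `true` (the TPM, input, memory, chardev, hostdev, saved-state and *AllLabel hunks), so for non-transactional callers the commit enables remembering/recall rather than merely making it suppressible, which the description does not say. Inside virSecuritySELinuxTransactionRun() the new `const bool remember = item->remember && list->lock;` only honours the flag while the list lock is held, but the direct path has no equivalent gate visible here; whether virSecuritySELinuxSetFileconHelper() or virSecuritySELinuxRestoreFileLabel() enforce that themselves lies outside these hunks and should be confirmed, since tying remember to the lock there presumably exists to avoid recording or recalling a label on an unlocked path. The new `bool remember` parameter on virSecuritySELinuxSetFilecon() and virSecuritySELinuxSetFileconOptional() is undocumented, and the hunk at 1326 passes it into a virSecuritySELinuxSetFileconHelper() signature that is not shown; a one-line comment such as `/* @remember: whether to record the original label of @path for later recall */` on both wrappers would match the @remember text added to virSecuritySELinuxTransactionAppend(). Note also that the same value is named `remember` on the set side and `recall` on the restore side (hunk at 1484), so a sentence in the wrapper comments saying the two are the same flag would save the next reader a lookup.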