SELinux: don't fail silently when no label is present
This fixes startup of a domain with `<seclabel type='none' model='dac'/>` on a host that has both the selinux and dac drivers loaded and security_default_confined = 0. https://bugzilla.redhat.com/show_bug.cgi?id=1105939 https://bugzilla.redhat.com/show_bug.cgi?id=1102611
parent
a7b0040ad2
commit
f9bf63e673
@ -585,7 +585,7 @@ virSecuritySELinuxGenSecurityLabel(virSecurityManagerPtr mgr,
|
|||||||
|
|
||||||
seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
|
seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
|
||||||
if (seclabel == NULL)
|
if (seclabel == NULL)
|
||||||
return rc;
|
return 0;
|
||||||
|
|
||||||
data = virSecurityManagerGetPrivateData(mgr);
|
data = virSecurityManagerGetPrivateData(mgr);
|
||||||
|
|
||||||
@ -739,11 +739,7 @@ virSecuritySELinuxReserveSecurityLabel(virSecurityManagerPtr mgr,
|
|||||||
virSecurityLabelDefPtr seclabel;
|
virSecurityLabelDefPtr seclabel;
|
||||||
|
|
||||||
seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
|
seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
|
||||||
if (seclabel == NULL) {
|
if (!seclabel || seclabel->type == VIR_DOMAIN_SECLABEL_STATIC)
|
||||||
return -1;
|
|
||||||
}
|
|
||||||
|
|
||||||
if (seclabel->type == VIR_DOMAIN_SECLABEL_STATIC)
|
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
if (getpidcon_raw(pid, &pctx) == -1) {
|
if (getpidcon_raw(pid, &pctx) == -1) {
|
||||||
@ -1060,7 +1056,7 @@ virSecuritySELinuxSetSecurityTPMFileLabel(virSecurityManagerPtr mgr,
|
|||||||
|
|
||||||
seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
|
seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
|
||||||
if (seclabel == NULL)
|
if (seclabel == NULL)
|
||||||
return -1;
|
return 0;
|
||||||
|
|
||||||
switch (tpm->type) {
|
switch (tpm->type) {
|
||||||
case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH:
|
case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH:
|
||||||
@ -1102,7 +1098,7 @@ virSecuritySELinuxRestoreSecurityTPMFileLabelInt(virSecurityManagerPtr mgr,
|
|||||||
|
|
||||||
seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
|
seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
|
||||||
if (seclabel == NULL)
|
if (seclabel == NULL)
|
||||||
return -1;
|
return 0;
|
||||||
|
|
||||||
switch (tpm->type) {
|
switch (tpm->type) {
|
||||||
case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH:
|
case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH:
|
||||||
@ -1136,7 +1132,7 @@ virSecuritySELinuxRestoreSecurityImageLabelInt(virSecurityManagerPtr mgr,
|
|||||||
|
|
||||||
seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
|
seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
|
||||||
if (seclabel == NULL)
|
if (seclabel == NULL)
|
||||||
return -1;
|
return 0;
|
||||||
|
|
||||||
disk_seclabel = virDomainDiskDefGetSecurityLabelDef(disk,
|
disk_seclabel = virDomainDiskDefGetSecurityLabelDef(disk,
|
||||||
SECURITY_SELINUX_NAME);
|
SECURITY_SELINUX_NAME);
|
||||||
@ -1256,10 +1252,7 @@ virSecuritySELinuxSetSecurityImageLabel(virSecurityManagerPtr mgr,
|
|||||||
cbdata.manager = mgr;
|
cbdata.manager = mgr;
|
||||||
cbdata.secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
|
cbdata.secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
|
||||||
|
|
||||||
if (cbdata.secdef == NULL)
|
if (!cbdata.secdef || cbdata.secdef->norelabel)
|
||||||
return -1;
|
|
||||||
|
|
||||||
if (cbdata.secdef->norelabel)
|
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
if (virDomainDiskGetType(disk) == VIR_STORAGE_TYPE_NETWORK)
|
if (virDomainDiskGetType(disk) == VIR_STORAGE_TYPE_NETWORK)
|
||||||
@ -1279,7 +1272,7 @@ virSecuritySELinuxSetSecurityHostdevLabelHelper(const char *file, void *opaque)
|
|||||||
|
|
||||||
secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
|
secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
|
||||||
if (secdef == NULL)
|
if (secdef == NULL)
|
||||||
return -1;
|
return 0;
|
||||||
return virSecuritySELinuxSetFilecon(file, secdef->imagelabel);
|
return virSecuritySELinuxSetFilecon(file, secdef->imagelabel);
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1397,7 +1390,7 @@ virSecuritySELinuxSetSecurityHostdevCapsLabel(virDomainDefPtr def,
|
|||||||
|
|
||||||
secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
|
secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
|
||||||
if (secdef == NULL)
|
if (secdef == NULL)
|
||||||
return -1;
|
return 0;
|
||||||
|
|
||||||
switch (dev->source.caps.type) {
|
switch (dev->source.caps.type) {
|
||||||
case VIR_DOMAIN_HOSTDEV_CAPS_TYPE_STORAGE: {
|
case VIR_DOMAIN_HOSTDEV_CAPS_TYPE_STORAGE: {
|
||||||
@ -1447,10 +1440,7 @@ virSecuritySELinuxSetSecurityHostdevLabel(virSecurityManagerPtr mgr ATTRIBUTE_UN
|
|||||||
virSecurityLabelDefPtr secdef;
|
virSecurityLabelDefPtr secdef;
|
||||||
|
|
||||||
secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
|
secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
|
||||||
if (secdef == NULL)
|
if (!secdef || secdef->norelabel)
|
||||||
return -1;
|
|
||||||
|
|
||||||
if (secdef->norelabel)
|
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
switch (dev->mode) {
|
switch (dev->mode) {
|
||||||
@ -1635,10 +1625,7 @@ virSecuritySELinuxRestoreSecurityHostdevLabel(virSecurityManagerPtr mgr,
|
|||||||
virSecurityLabelDefPtr secdef;
|
virSecurityLabelDefPtr secdef;
|
||||||
|
|
||||||
secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
|
secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
|
||||||
if (secdef == NULL)
|
if (!secdef || secdef->norelabel)
|
||||||
return -1;
|
|
||||||
|
|
||||||
if (secdef->norelabel)
|
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
switch (dev->mode) {
|
switch (dev->mode) {
|
||||||
@ -1667,14 +1654,14 @@ virSecuritySELinuxSetSecurityChardevLabel(virDomainDefPtr def,
|
|||||||
int ret = -1;
|
int ret = -1;
|
||||||
|
|
||||||
seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
|
seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
|
||||||
if (seclabel == NULL)
|
if (!seclabel || seclabel->norelabel)
|
||||||
return -1;
|
return 0;
|
||||||
|
|
||||||
if (dev)
|
if (dev)
|
||||||
chr_seclabel = virDomainChrDefGetSecurityLabelDef(dev,
|
chr_seclabel = virDomainChrDefGetSecurityLabelDef(dev,
|
||||||
SECURITY_SELINUX_NAME);
|
SECURITY_SELINUX_NAME);
|
||||||
|
|
||||||
if (seclabel->norelabel || (chr_seclabel && chr_seclabel->norelabel))
|
if (chr_seclabel && chr_seclabel->norelabel)
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
if (chr_seclabel)
|
if (chr_seclabel)
|
||||||
@ -1738,13 +1725,13 @@ virSecuritySELinuxRestoreSecurityChardevLabel(virSecurityManagerPtr mgr,
|
|||||||
int ret = -1;
|
int ret = -1;
|
||||||
|
|
||||||
seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
|
seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
|
||||||
if (seclabel == NULL)
|
if (!seclabel || seclabel->norelabel)
|
||||||
return -1;
|
return 0;
|
||||||
|
|
||||||
if (dev)
|
if (dev)
|
||||||
chr_seclabel = virDomainChrDefGetSecurityLabelDef(dev,
|
chr_seclabel = virDomainChrDefGetSecurityLabelDef(dev,
|
||||||
SECURITY_SELINUX_NAME);
|
SECURITY_SELINUX_NAME);
|
||||||
if (seclabel->norelabel || (chr_seclabel && chr_seclabel->norelabel))
|
if (chr_seclabel && chr_seclabel->norelabel)
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
switch (dev_source->type) {
|
switch (dev_source->type) {
|
||||||
@ -1864,7 +1851,7 @@ virSecuritySELinuxRestoreSecurityAllLabel(virSecurityManagerPtr mgr,
|
|||||||
|
|
||||||
secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
|
secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
|
||||||
if (secdef == NULL)
|
if (secdef == NULL)
|
||||||
return -1;
|
return 0;
|
||||||
|
|
||||||
if (secdef->norelabel || data->skipAllLabel)
|
if (secdef->norelabel || data->skipAllLabel)
|
||||||
return 0;
|
return 0;
|
||||||
@ -1925,7 +1912,7 @@ virSecuritySELinuxReleaseSecurityLabel(virSecurityManagerPtr mgr,
|
|||||||
|
|
||||||
secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
|
secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
|
||||||
if (secdef == NULL)
|
if (secdef == NULL)
|
||||||
return -1;
|
return 0;
|
||||||
|
|
||||||
if (secdef->type == VIR_DOMAIN_SECLABEL_DYNAMIC) {
|
if (secdef->type == VIR_DOMAIN_SECLABEL_DYNAMIC) {
|
||||||
if (secdef->label != NULL) {
|
if (secdef->label != NULL) {
|
||||||
@ -1953,10 +1940,7 @@ virSecuritySELinuxSetSavedStateLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
|
|||||||
virSecurityLabelDefPtr secdef;
|
virSecurityLabelDefPtr secdef;
|
||||||
|
|
||||||
secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
|
secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
|
||||||
if (secdef == NULL)
|
if (!secdef || secdef->norelabel)
|
||||||
return -1;
|
|
||||||
|
|
||||||
if (secdef->norelabel)
|
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
return virSecuritySELinuxSetFilecon(savefile, secdef->imagelabel);
|
return virSecuritySELinuxSetFilecon(savefile, secdef->imagelabel);
|
||||||
@ -1971,10 +1955,7 @@ virSecuritySELinuxRestoreSavedStateLabel(virSecurityManagerPtr mgr,
|
|||||||
virSecurityLabelDefPtr secdef;
|
virSecurityLabelDefPtr secdef;
|
||||||
|
|
||||||
secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
|
secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
|
||||||
if (secdef == NULL)
|
if (!secdef || secdef->norelabel)
|
||||||
return -1;
|
|
||||||
|
|
||||||
if (secdef->norelabel)
|
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
return virSecuritySELinuxRestoreSecurityFileLabel(mgr, savefile);
|
return virSecuritySELinuxRestoreSecurityFileLabel(mgr, savefile);
|
||||||
@ -1989,7 +1970,7 @@ virSecuritySELinuxSecurityVerify(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
|
|||||||
|
|
||||||
secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
|
secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
|
||||||
if (secdef == NULL)
|
if (secdef == NULL)
|
||||||
return -1;
|
return 0;
|
||||||
|
|
||||||
if (!STREQ(SECURITY_SELINUX_NAME, secdef->model)) {
|
if (!STREQ(SECURITY_SELINUX_NAME, secdef->model)) {
|
||||||
virReportError(VIR_ERR_INTERNAL_ERROR,
|
virReportError(VIR_ERR_INTERNAL_ERROR,
|
||||||
@ -2018,10 +1999,7 @@ virSecuritySELinuxSetSecurityProcessLabel(virSecurityManagerPtr mgr ATTRIBUTE_UN
|
|||||||
virSecurityLabelDefPtr secdef;
|
virSecurityLabelDefPtr secdef;
|
||||||
|
|
||||||
secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
|
secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
|
||||||
if (secdef == NULL)
|
if (!secdef || !secdef->label)
|
||||||
return -1;
|
|
||||||
|
|
||||||
if (secdef->label == NULL)
|
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
VIR_DEBUG("label=%s", secdef->label);
|
VIR_DEBUG("label=%s", secdef->label);
|
||||||
@ -2055,10 +2033,7 @@ virSecuritySELinuxSetSecurityChildProcessLabel(virSecurityManagerPtr mgr ATTRIBU
|
|||||||
virSecurityLabelDefPtr secdef;
|
virSecurityLabelDefPtr secdef;
|
||||||
|
|
||||||
secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
|
secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
|
||||||
if (secdef == NULL)
|
if (!secdef || !secdef->label)
|
||||||
return -1;
|
|
||||||
|
|
||||||
if (secdef->label == NULL)
|
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
VIR_DEBUG("label=%s", secdef->label);
|
VIR_DEBUG("label=%s", secdef->label);
|
||||||
@ -2088,10 +2063,7 @@ virSecuritySELinuxSetSecurityDaemonSocketLabel(virSecurityManagerPtr mgr ATTRIBU
|
|||||||
int rc = -1;
|
int rc = -1;
|
||||||
|
|
||||||
secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
|
secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
|
||||||
if (secdef == NULL)
|
if (!secdef || !secdef->label)
|
||||||
return -1;
|
|
||||||
|
|
||||||
if (secdef->label == NULL)
|
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
if (!STREQ(SECURITY_SELINUX_NAME, secdef->model)) {
|
if (!STREQ(SECURITY_SELINUX_NAME, secdef->model)) {
|
||||||
@ -2138,10 +2110,7 @@ virSecuritySELinuxSetSecuritySocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNU
|
|||||||
int rc = -1;
|
int rc = -1;
|
||||||
|
|
||||||
secdef = virDomainDefGetSecurityLabelDef(vm, SECURITY_SELINUX_NAME);
|
secdef = virDomainDefGetSecurityLabelDef(vm, SECURITY_SELINUX_NAME);
|
||||||
if (secdef == NULL)
|
if (!secdef || !secdef->label)
|
||||||
return -1;
|
|
||||||
|
|
||||||
if (secdef->label == NULL)
|
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
if (!STREQ(SECURITY_SELINUX_NAME, secdef->model)) {
|
if (!STREQ(SECURITY_SELINUX_NAME, secdef->model)) {
|
||||||
@ -2179,10 +2148,7 @@ virSecuritySELinuxClearSecuritySocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_U
|
|||||||
virSecurityLabelDefPtr secdef;
|
virSecurityLabelDefPtr secdef;
|
||||||
|
|
||||||
secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
|
secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
|
||||||
if (secdef == NULL)
|
if (!secdef || !secdef->label)
|
||||||
return -1;
|
|
||||||
|
|
||||||
if (secdef->label == NULL)
|
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
if (!STREQ(SECURITY_SELINUX_NAME, secdef->model)) {
|
if (!STREQ(SECURITY_SELINUX_NAME, secdef->model)) {
|
||||||
@ -2264,7 +2230,7 @@ virSecuritySELinuxSetSecurityAllLabel(virSecurityManagerPtr mgr,
|
|||||||
|
|
||||||
secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
|
secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
|
||||||
if (secdef == NULL)
|
if (secdef == NULL)
|
||||||
return -1;
|
return 0;
|
||||||
|
|
||||||
if (secdef->norelabel || data->skipAllLabel)
|
if (secdef->norelabel || data->skipAllLabel)
|
||||||
return 0;
|
return 0;
|
||||||
@ -2337,10 +2303,7 @@ virSecuritySELinuxSetImageFDLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
|
|||||||
virSecurityLabelDefPtr secdef;
|
virSecurityLabelDefPtr secdef;
|
||||||
|
|
||||||
secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
|
secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
|
||||||
if (secdef == NULL)
|
if (!secdef || !secdef->imagelabel)
|
||||||
return -1;
|
|
||||||
|
|
||||||
if (secdef->imagelabel == NULL)
|
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
return virSecuritySELinuxFSetFilecon(fd, secdef->imagelabel);
|
return virSecuritySELinuxFSetFilecon(fd, secdef->imagelabel);
|
||||||
@ -2358,10 +2321,7 @@ virSecuritySELinuxSetTapFDLabel(virSecurityManagerPtr mgr,
|
|||||||
int rc = -1;
|
int rc = -1;
|
||||||
|
|
||||||
secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
|
secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
|
||||||
if (secdef == NULL)
|
if (!secdef || !secdef->label)
|
||||||
return rc;
|
|
||||||
|
|
||||||
if (secdef->label == NULL)
|
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
if (fstat(fd, &buf) < 0) {
|
if (fstat(fd, &buf) < 0) {
|
||||||
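Review bot: The new `return 0;` taken when `virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME)` yields NULL is left undocumented in every hunk of this section, so a later reader cannot tell whether succeeding without an SELinux label is a deliberate contract or a leftover from the old `return -1;`. A one-line comment at least at the first occurrence in virSecuritySELinuxGenSecurityLabel, and preferably wherever the pattern is repeated, would fix that, e.g. `/* No SELinux seclabel on this domain: the SELinux driver has nothing to do, so this is not an error. */`. Because the early exit is now silent, a caller can no longer distinguish "labeling skipped because the domain carries no SELinux label" from "labeling applied"; a `VIR_DEBUG("no SELinux seclabel for this domain, skipping")` at the GenSecurityLabel exit (the file already uses VIR_DEBUG, as the SetSecurityProcessLabel hunk shows) would keep that decision visible in the daemon log. Whether a NULL seclabel can reach these paths while security_default_confined is enabled is decided by the manager layer outside this file, so it is worth confirming that a default label is still generated in that configuration. Every enclosing function here starts before and ends after its hunk.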
|