From 087fac8fa7b1624aba40f0f881a458bdedcc022c Mon Sep 17 00:00:00 2001
From: Michal Privoznik <mprivozn@redhat.com>
Date: Thu, 28 Nov 2019 09:37:22 +0100
Subject: [PATCH] selinux: Drop needless getfilecon()-s
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

When SELinux support was first introduced the libselinux library
wasn't that advanced and setfilecon_raw() or fsetfilecon_raw()
could fail even when the target context was set. Looking at the
current code [1][2] this is no longer the case. We can drop our
workarounds.

1: https://github.com/SELinuxProject/selinux/blob/master/libselinux/src/setfilecon.c#L10
2: https://github.com/SELinuxProject/selinux/blob/master/libselinux/src/fsetfilecon.c#L10

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
---
 src/security/security_selinux.c | 22 ----------------------
 1 file changed, 22 deletions(-)

diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index e05ef7593e..0bfb6a7fa6 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -1249,8 +1249,6 @@ virSecuritySELinuxSetFileconImpl(const char *path,
                                  const char *tcon,
                                  bool privileged)
 {
-    security_context_t econ;
-
     /* Be aware that this function might run in a separate process.
      * Therefore, any driver state changes would be thrown away. */
 
@@ -1259,15 +1257,6 @@ virSecuritySELinuxSetFileconImpl(const char *path,
     if (setfilecon_raw(path, (const char *)tcon) < 0) {
         int setfilecon_errno = errno;
 
-        if (getfilecon_raw(path, &econ) >= 0) {
-            if (STREQ(tcon, econ)) {
-                freecon(econ);
-                /* It's alright, there's nothing to change anyway. */
-                return 1;
-            }
-            freecon(econ);
-        }
-
         /* If the error complaint is related to an image hosted on a (possibly
          * read-only) NFS mount, or a usbfs/sysfs filesystem not supporting
          * labelling, then just ignore it & hope for the best.  The user
@@ -1401,22 +1390,11 @@ virSecuritySELinuxSetFilecon(virSecurityManagerPtr mgr,
 static int
 virSecuritySELinuxFSetFilecon(int fd, char *tcon)
 {
-    security_context_t econ;
-
     VIR_INFO("Setting SELinux context on fd %d to '%s'", fd, tcon);
 
     if (fsetfilecon_raw(fd, tcon) < 0) {
         int fsetfilecon_errno = errno;
 
-        if (fgetfilecon_raw(fd, &econ) >= 0) {
-            if (STREQ(tcon, econ)) {
-                freecon(econ);
-                /* It's alright, there's nothing to change anyway. */
-                return 0;
-            }
-            freecon(econ);
-        }
-
         /* if the error complaint is related to an image hosted on
          * an nfs mount, or a usbfs/sysfs filesystem not supporting
          * labelling, then just ignore it & hope for the best.
-- 
GitLab