selinux: Fix incorrect object label generation.

This is a fix for the object label generation. It uses a new flag for virSecuritySELinuxGenNewContext that specifies whether the context is for an object. If so the context role remains unchanged. Without this fix it is not possible to start domains with image file or block device backed storage when selinux is enabled. Signed-off-by: N Viktor Mihajlovski <mihajlov@linux.vnet.ibm.com>

selinux: Fix incorrect object label generation.
This is a fix for the object label generation. It uses a new flag for virSecuritySELinuxGenNewContext that specifies whether the context is for an object. If so the context role remains unchanged. Without this fix it is not possible to start domains with image file or block device backed storage when selinux is enabled. Signed-off-by: N Viktor Mihajlovski <mihajlov@linux.vnet.ibm.com>
b6ad2c23 · Viktor Mihajlovski · Eric Blake · 521b7ab7 · b6ad2c23
隐藏空白更改
内联并排

Showing with 11 addition and 6 deletion

src/security/security_selinux.c src/security/security_selinux.c +11 -6

未找到文件。
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -141,7 +141,9 @@ cleanup:


 static char *
-virSecuritySELinuxGenNewContext(const char *basecontext, const char *mcs)
+virSecuritySELinuxGenNewContext(const char *basecontext,
+                                const char *mcs,
+                                bool isObjectContext)
 {
    context_t context = NULL;
    char *ret = NULL;
@@ -176,10 +178,11 @@ virSecuritySELinuxGenNewContext(const char *basecontext, const char *mcs)
        goto cleanup;
    }

-    if (context_role_set(context,
+    if (!isObjectContext &&
+        context_role_set(context,
                         context_role_get(ourContext)) != 0) {
        virReportSystemError(errno,
-                             _("Unable to set SELinux context user '%s'"),
+                             _("Unable to set SELinux context role '%s'"),
                             context_role_get(ourContext));
        goto cleanup;
    }
@@ -421,7 +424,8 @@ virSecuritySELinuxGenSecurityLabel(virSecurityManagerPtr mgr,
        if (!(def->seclabel.label =
              virSecuritySELinuxGenNewContext(def->seclabel.baselabel ?
                                              def->seclabel.baselabel :
-                                              data->domain_context, mcs)))
+                                              data->domain_context,
+                                              mcs, false)))
            goto cleanup;
        break;

@@ -438,7 +442,7 @@ virSecuritySELinuxGenSecurityLabel(virSecurityManagerPtr mgr,

    if (!def->seclabel.norelabel) {
        if (!(def->seclabel.imagelabel =
-              virSecuritySELinuxGenNewContext(data->file_context, mcs)))
+              virSecuritySELinuxGenNewContext(data->file_context, mcs, true)))
            goto cleanup;
    }

@@ -1639,7 +1643,8 @@ virSecuritySELinuxGenImageLabel(virSecurityManagerPtr mgr,
                virReportOOMError();
                goto cleanup;
            }
-            if (!(label = virSecuritySELinuxGenNewContext(data->file_context, mcs)))
+            if (!(label = virSecuritySELinuxGenNewContext(data->file_context,
+                                                          mcs, true)))
                goto cleanup;
        }
    }