selinux: Use fd_path instead of /dev/tap* to get context

/dev/tap* is an invalid path but it works with lax policy. Make it work with more accurate policy as well Reviewed-by: N Daniel P. Berrangé <berrange@redhat.com> Signed-off-by: N Dominick Grift <dac.override@gmail.com>

selinux: Use fd_path instead of /dev/tap* to get context
/dev/tap* is an invalid path but it works with lax policy. Make it work with more accurate policy as well Reviewed-by: N Daniel P. Berrangé <berrange@redhat.com> Signed-off-by: N Dominick Grift <dac.override@gmail.com>
c0236d1c · Dominick Grift · Daniel P. Berrangé · a4877192 · c0236d1c
隐藏空白更改
内联并排

Showing with 2 addition and 2 deletion

src/security/security_selinux.c src/security/security_selinux.c +2 -2

未找到文件。
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -3251,7 +3251,7 @@ virSecuritySELinuxSetTapFDLabel(virSecurityManagerPtr mgr,
        goto cleanup;
    }
-    /* Label /dev/tap.* devices only. Leave /dev/net/tun alone! */
+    /* Label /dev/tap([0-9]+)? devices only. Leave /dev/net/tun alone! */
    proc = g_strdup_printf("/proc/self/fd/%d", fd);
    if (virFileResolveLink(proc, &fd_path) < 0) {
@@ -3267,7 +3267,7 @@ virSecuritySELinuxSetTapFDLabel(virSecurityManagerPtr mgr,
        goto cleanup;
    }
-    if (getContext(mgr, "/dev/tap*", buf.st_mode, &fcon) < 0) {
+    if (getContext(mgr, fd_path, buf.st_mode, &fcon) < 0) {
        virReportError(VIR_ERR_INTERNAL_ERROR,
                       _("cannot lookup default selinux label for tap fd %d"), fd);
        goto cleanup;