security: Don't skip relabel for all chardevs

Our commit e13e8808 was way too generic. Currently, virtlogd is used only for chardevs type of file and nothing else. True, we must not relabel the path in this case, but we have to in all other cases. For instance, if you want to have a physical console attached to your guest: <console type='dev'> <source path='/dev/ttyS0'/> <target type='virtio' port='1'/> </console> Starting such domain fails because qemu doesn't have access to /dev/ttyS0 because we haven't relabelled the path. Signed-off-by: N Michal Privoznik <mprivozn@redhat.com> Reviewed-by: N John Ferlan <jferlan@redhat.com>

security: Don't skip relabel for all chardevs
Our commit e13e8808 was way too generic. Currently, virtlogd is used only for chardevs type of file and nothing else. True, we must not relabel the path in this case, but we have to in all other cases. For instance, if you want to have a physical console attached to your guest: <console type='dev'> <source path='/dev/ttyS0'/> <target type='virtio' port='1'/> </console> Starting such domain fails because qemu doesn't have access to /dev/ttyS0 because we haven't relabelled the path. Signed-off-by: N Michal Privoznik <mprivozn@redhat.com> Reviewed-by: N John Ferlan <jferlan@redhat.com>
e0d1a378 · Michal Privoznik · 96a9b9a7 · e0d1a378 · e0d1a378
隐藏空白更改
内联并排

Showing with 12 addition and 4 deletion

src/security/security_dac.c src/security/security_dac.c +6 -2

src/security/security_selinux.c src/security/security_selinux.c +6 -2

未找到文件。
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -1179,7 +1179,9 @@ virSecurityDACSetChardevLabel(virSecurityManagerPtr mgr,
    if (chr_seclabel && !chr_seclabel->relabel)
        return 0;

-    if (!chr_seclabel && chardevStdioLogd)
+    if (!chr_seclabel &&
+        dev_source->type == VIR_DOMAIN_CHR_TYPE_FILE &&
+        chardevStdioLogd)
        return 0;

    if (chr_seclabel && chr_seclabel->label) {
@@ -1261,7 +1263,9 @@ virSecurityDACRestoreChardevLabel(virSecurityManagerPtr mgr,
    if (chr_seclabel && !chr_seclabel->relabel)
        return 0;

-    if (!chr_seclabel && chardevStdioLogd)
+    if (!chr_seclabel &&
+        dev_source->type == VIR_DOMAIN_CHR_TYPE_FILE &&
+        chardevStdioLogd)
        return 0;

    switch ((virDomainChrType) dev_source->type) {

--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -2199,7 +2199,9 @@ virSecuritySELinuxSetChardevLabel(virSecurityManagerPtr mgr,
    if (chr_seclabel && !chr_seclabel->relabel)
        return 0;

-    if (!chr_seclabel && chardevStdioLogd)
+    if (!chr_seclabel &&
+        dev_source->type == VIR_DOMAIN_CHR_TYPE_FILE &&
+        chardevStdioLogd)
        return 0;

    if (chr_seclabel)
@@ -2274,7 +2276,9 @@ virSecuritySELinuxRestoreChardevLabel(virSecurityManagerPtr mgr,
    if (chr_seclabel && !chr_seclabel->relabel)
        return 0;

-    if (!chr_seclabel && chardevStdioLogd)
+    if (!chr_seclabel &&
+        dev_source->type == VIR_DOMAIN_CHR_TYPE_FILE &&
+        chardevStdioLogd)
        return 0;

    switch (dev_source->type) {