From e0d1a378dca1656925da1f53ea3e9de13dbed0f8 Mon Sep 17 00:00:00 2001
From: Michal Privoznik
Date: Thu, 22 Jun 2017 13:51:58 +0200
Subject: [PATCH] security: Don't skip relabel for all chardevs

Our commit e13e8808f9 was way too generic. Currently, virtlogd is used only for chardevs type of file and nothing else. True, we must not relabel the path in this case, but we have to in all other cases. For instance, if you want to have a physical console attached to your guest: Starting such domain fails because qemu doesn't have access to /dev/ttyS0 because we haven't relabelled the path.

Signed-off-by: Michal Privoznik
Reviewed-by: John Ferlan
---
 src/security/security_dac.c | 8 ++++++--
 src/security/security_selinux.c | 8 ++++++--
 2 files changed, 12 insertions(+), 4 deletions(-)
diff --git a/src/security/security_dac.c b/src/security/security_dac.c
index 79941f480a..ca7a6af6d4 100644
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -1179,7 +1179,9 @@ virSecurityDACSetChardevLabel(virSecurityManagerPtr mgr,
 if (chr_seclabel && !chr_seclabel->relabel)
 return 0;
- if (!chr_seclabel && chardevStdioLogd)
+ if (!chr_seclabel &&
+ dev_source->type == VIR_DOMAIN_CHR_TYPE_FILE &&
+ chardevStdioLogd)
 return 0;
 if (chr_seclabel && chr_seclabel->label) {
@@ -1261,7 +1263,9 @@ virSecurityDACRestoreChardevLabel(virSecurityManagerPtr mgr,
 if (chr_seclabel && !chr_seclabel->relabel)
 return 0;
- if (!chr_seclabel && chardevStdioLogd)
+ if (!chr_seclabel &&
+ dev_source->type == VIR_DOMAIN_CHR_TYPE_FILE &&
+ chardevStdioLogd)
 return 0;
 switch ((virDomainChrType) dev_source->type) {
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index 26137f6d8d..2e3082b7a8 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
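Review bot: The three-part skip condition added in virSecurityDACSetChardevLabel is repeated verbatim in virSecurityDACRestoreChardevLabel and in both SELinux counterparts, so four copies now have to stay in step. The Set and Restore paths must agree on when a path is left alone: if one copy is later widened or narrowed without the other, a device node could be relabelled at start and never restored, or a file that the commit message says must not be relabelled could be touched on shutdown. The commit being corrected here, e13e8808f9, was this kind of over-broad condition. I would move the test into one small static predicate per driver, taking `chr_seclabel`, `dev_source` and `chardevStdioLogd`, and call it from both Set and Restore. Both functions start and end outside the hunk, so the rest of each body is not visible here.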
@@ -2199,7 +2199,9 @@ virSecuritySELinuxSetChardevLabel(virSecurityManagerPtr mgr,
 if (chr_seclabel && !chr_seclabel->relabel)
 return 0;
- if (!chr_seclabel && chardevStdioLogd)
+ if (!chr_seclabel &&
+ dev_source->type == VIR_DOMAIN_CHR_TYPE_FILE &&
+ chardevStdioLogd)
 return 0;
 if (chr_seclabel)
@@ -2274,7 +2276,9 @@ virSecuritySELinuxRestoreChardevLabel(virSecurityManagerPtr mgr,
 if (chr_seclabel && !chr_seclabel->relabel)
 return 0;
- if (!chr_seclabel && chardevStdioLogd)
+ if (!chr_seclabel &&
+ dev_source->type == VIR_DOMAIN_CHR_TYPE_FILE &&
+ chardevStdioLogd)
 return 0;
 switch (dev_source->type) {
-- GitLab
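Review bot: The new condition in virSecuritySELinuxSetChardevLabel carries no comment, and the reason only file-backed chardevs are exempt from labelling lives in the commit message alone. A reader of the code sees a security driver declining to label a path and cannot tell whether that is deliberate or an oversight. I would add above the `if`: `/* virtlogd only handles VIR_DOMAIN_CHR_TYPE_FILE chardevs; every other type is accessed by qemu directly and must be relabelled */`. The same comment fits virSecuritySELinuxRestoreChardevLabel and the two sites in security_dac.c.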