From edacf25da7c4eb4e769e8df0b22eb191b6649270 Mon Sep 17 00:00:00 2001
From: Michal Privoznik
Date: Tue, 25 Sep 2018 15:46:56 +0200
Subject: [PATCH] virSecuritySELinuxTransactionRun: Implement rollback
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

When iterating over list of paths/disk sources to relabel it may happen that the process fails at some point. In that case, for the sake of keeping seclabel refcount (stored in XATTRs) in sync with reality we have to perform rollback. However, if that fails too the only thing we can do is warn user.

Signed-off-by: Michal Privoznik
Reviewed-by: Daniel P. Berrangé
Reviewed-by: Ján Tomko
---
 src/security/security_selinux.c | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index f7f90cd656..05efdbc9bf 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -272,7 +272,6 @@ virSecuritySELinuxTransactionRun(pid_t pid ATTRIBUTE_UNUSED,
 for (i = 0; i < list->nItems; i++) {
 virSecuritySELinuxContextItemPtr item = list->items[i];
- /* TODO Implement rollback */
 if (!item->restore) {
 rv = virSecuritySELinuxSetFileconHelper(list->manager,
 item->path,
@@ -289,6 +288,18 @@ virSecuritySELinuxTransactionRun(pid_t pid ATTRIBUTE_UNUSED,
 break;
 }
+ for (; rv < 0 && i > 0; i--) {
+ virSecuritySELinuxContextItemPtr item = list->items[i - 1];
+
+ if (!item->restore) {
+ virSecuritySELinuxRestoreFileLabel(list->manager,
+ item->path,
+ list->lock);
+ } else {
+ VIR_WARN("Ignoring failed restore attempt on %s", item->path);
+ }
+ }
+
 if (list->lock)
 virSecurityManagerMetadataUnlock(list->manager, &state);
--
GitLab
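Review bot: The rollback loop in the second hunk discards the return value of `virSecuritySELinuxRestoreFileLabel()`, so a rollback that itself fails is silent even though the commit message says that case should warn the user; the only `VIR_WARN` sits in the `else` branch, which is reached for `item->restore` entries that were processed without error before the failure. A file left carrying the domain's label after a failed transaction is what an operator needs to be told about, so the warning belongs on the failure path: `if (virSecuritySELinuxRestoreFileLabel(list->manager, item->path, list->lock) < 0) VIR_WARN("Unable to roll back label on %s", item->path);`, assuming that function follows the negative-on-failure convention the loop already uses for `rv`. For the `restore` entries, a comment stating that an already-applied restore cannot be undone here would be more accurate than a message saying the restore failed. The loop also starts at `i - 1`, so the entry that failed is not revisited; whether the set helper cleans up after its own partial failure is not visible in this hunk, and the function body starts and ends outside it.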