From f9bf63e673c11cd189748c29b6ea7d2cf19c8da7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=A1n=20Tomko?=
Date: Mon, 9 Jun 2014 16:23:52 +0200
Subject: [PATCH] SELinux: don't fail silently when no label is present

This fixes startup of a domain with: on a host with selinux and dac drivers and security_default_confined = 0

https://bugzilla.redhat.com/show_bug.cgi?id=1105939
https://bugzilla.redhat.com/show_bug.cgi?id=1102611
---
 src/security/security_selinux.c | 98 ++++++++++----------------------
 1 file changed, 29 insertions(+), 69 deletions(-)

diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index 8380bbaee9..008c58c5d4 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -585,7 +585,7 @@ virSecuritySELinuxGenSecurityLabel(virSecurityManagerPtr mgr,
     seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
     if (seclabel == NULL)
-        return rc;
+        return 0;
     data = virSecurityManagerGetPrivateData(mgr);
@@ -739,11 +739,7 @@ virSecuritySELinuxReserveSecurityLabel(virSecurityManagerPtr mgr,
     virSecurityLabelDefPtr seclabel;
     seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
-    if (seclabel == NULL) {
-        return -1;
-    }
-
-    if (seclabel->type == VIR_DOMAIN_SECLABEL_STATIC)
+    if (!seclabel || seclabel->type == VIR_DOMAIN_SECLABEL_STATIC)
         return 0;
     if (getpidcon_raw(pid, &pctx) == -1) {
@@ -1060,7 +1056,7 @@ virSecuritySELinuxSetSecurityTPMFileLabel(virSecurityManagerPtr mgr,
     seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
     if (seclabel == NULL)
-        return -1;
+        return 0;
     switch (tpm->type) {
     case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH:
@@ -1102,7 +1098,7 @@ virSecuritySELinuxRestoreSecurityTPMFileLabelInt(virSecurityManagerPtr mgr,
     seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
     if (seclabel == NULL)
-        return -1;
+        return 0;
     switch (tpm->type) {
     case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH:
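Review bot: The new `return 0;` under the `seclabel == NULL` check carries no comment and emits no log line, so a reader cannot tell whether an absent SELinux label is a supported configuration or a forgotten error path, and at runtime the skip stays as silent as the old `return rc;` was. A one-line comment above the return such as `/* No SELinux label requested for this domain (e.g. security_default_confined = 0): nothing to generate */`, optionally paired with a VIR_DEBUG message at the same spot, would make the intent explicit for the next maintainer. The same remark applies to every other hunk in this patch that turns a NULL-label `return -1;` into `return 0;` (virSecuritySELinuxReserveSecurityLabel, the TPM, image, hostdev, chardev, all-label, release, verify, saved-state, process, socket and FD label functions); one comment at the first such site, or a note on virDomainDefGetSecurityLabelDef's NULL contract, would cover them. virSecuritySELinuxGenSecurityLabel begins and ends outside this hunk.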
@@ -1136,7 +1132,7 @@ virSecuritySELinuxRestoreSecurityImageLabelInt(virSecurityManagerPtr mgr,
     seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
     if (seclabel == NULL)
-        return -1;
+        return 0;
     disk_seclabel = virDomainDiskDefGetSecurityLabelDef(disk, SECURITY_SELINUX_NAME);
@@ -1256,10 +1252,7 @@ virSecuritySELinuxSetSecurityImageLabel(virSecurityManagerPtr mgr,
     cbdata.manager = mgr;
     cbdata.secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
-    if (cbdata.secdef == NULL)
-        return -1;
-
-    if (cbdata.secdef->norelabel)
+    if (!cbdata.secdef || cbdata.secdef->norelabel)
         return 0;
     if (virDomainDiskGetType(disk) == VIR_STORAGE_TYPE_NETWORK)
@@ -1279,7 +1272,7 @@ virSecuritySELinuxSetSecurityHostdevLabelHelper(const char *file, void *opaque)
     secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
     if (secdef == NULL)
-        return -1;
+        return 0;
     return virSecuritySELinuxSetFilecon(file, secdef->imagelabel);
 }
@@ -1397,7 +1390,7 @@ virSecuritySELinuxSetSecurityHostdevCapsLabel(virDomainDefPtr def,
     secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
     if (secdef == NULL)
-        return -1;
+        return 0;
     switch (dev->source.caps.type) {
     case VIR_DOMAIN_HOSTDEV_CAPS_TYPE_STORAGE: {
@@ -1447,10 +1440,7 @@ virSecuritySELinuxSetSecurityHostdevLabel(virSecurityManagerPtr mgr ATTRIBUTE_UN
     virSecurityLabelDefPtr secdef;
     secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
-    if (secdef == NULL)
-        return -1;
-
-    if (secdef->norelabel)
+    if (!secdef || secdef->norelabel)
         return 0;
     switch (dev->mode) {
@@ -1635,10 +1625,7 @@ virSecuritySELinuxRestoreSecurityHostdevLabel(virSecurityManagerPtr mgr,
     virSecurityLabelDefPtr secdef;
     secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
-    if (secdef == NULL)
-        return -1;
-
-    if (secdef->norelabel)
+    if (!secdef || secdef->norelabel)
         return 0;
     switch (dev->mode) {
@@ -1667,14 +1654,14 @@ virSecuritySELinuxSetSecurityChardevLabel(virDomainDefPtr def,
     int ret = -1;
     seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
-    if (seclabel == NULL)
-        return -1;
+    if (!seclabel || seclabel->norelabel)
+        return 0;
     if (dev)
         chr_seclabel = virDomainChrDefGetSecurityLabelDef(dev, SECURITY_SELINUX_NAME);
-    if (seclabel->norelabel || (chr_seclabel && chr_seclabel->norelabel))
+    if (chr_seclabel && chr_seclabel->norelabel)
         return 0;
     if (chr_seclabel)
@@ -1738,13 +1725,13 @@ virSecuritySELinuxRestoreSecurityChardevLabel(virSecurityManagerPtr mgr,
     int ret = -1;
     seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
-    if (seclabel == NULL)
-        return -1;
+    if (!seclabel || seclabel->norelabel)
+        return 0;
     if (dev)
         chr_seclabel = virDomainChrDefGetSecurityLabelDef(dev, SECURITY_SELINUX_NAME);
-    if (seclabel->norelabel || (chr_seclabel && chr_seclabel->norelabel))
+    if (chr_seclabel && chr_seclabel->norelabel)
         return 0;
     switch (dev_source->type) {
@@ -1864,7 +1851,7 @@ virSecuritySELinuxRestoreSecurityAllLabel(virSecurityManagerPtr mgr,
     secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
     if (secdef == NULL)
-        return -1;
+        return 0;
     if (secdef->norelabel || data->skipAllLabel)
         return 0;
@@ -1925,7 +1912,7 @@ virSecuritySELinuxReleaseSecurityLabel(virSecurityManagerPtr mgr,
     secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
     if (secdef == NULL)
-        return -1;
+        return 0;
     if (secdef->type == VIR_DOMAIN_SECLABEL_DYNAMIC) {
         if (secdef->label != NULL) {
@@ -1953,10 +1940,7 @@ virSecuritySELinuxSetSavedStateLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
     virSecurityLabelDefPtr secdef;
     secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
-    if (secdef == NULL)
-        return -1;
-
-    if (secdef->norelabel)
+    if (!secdef || secdef->norelabel)
         return 0;
     return virSecuritySELinuxSetFilecon(savefile, secdef->imagelabel);
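Review bot: In the virSecuritySELinuxRestoreSecurityAllLabel hunk the NULL test stays a separate `if` immediately followed by `if (secdef->norelabel || data->skipAllLabel) return 0;`, whereas the rest of this patch folds the NULL test into the adjacent condition (`if (!secdef || secdef->norelabel)`). For consistency the two could be written as one guard, `if (!secdef || secdef->norelabel || data->skipAllLabel)` followed by `return 0;`, which also reads as a single "nothing to relabel" decision. The same two-step shape is left in virSecuritySELinuxSetSecurityAllLabel (the `@@ -2264,7 +2230,7 @@` hunk). Both functions begin and end outside their hunks.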
@@ -1971,10 +1955,7 @@ virSecuritySELinuxRestoreSavedStateLabel(virSecurityManagerPtr mgr,
     virSecurityLabelDefPtr secdef;
     secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
-    if (secdef == NULL)
-        return -1;
-
-    if (secdef->norelabel)
+    if (!secdef || secdef->norelabel)
         return 0;
     return virSecuritySELinuxRestoreSecurityFileLabel(mgr, savefile);
@@ -1989,7 +1970,7 @@ virSecuritySELinuxSecurityVerify(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
     secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
     if (secdef == NULL)
-        return -1;
+        return 0;
     if (!STREQ(SECURITY_SELINUX_NAME, secdef->model)) {
         virReportError(VIR_ERR_INTERNAL_ERROR,
@@ -2018,10 +1999,7 @@ virSecuritySELinuxSetSecurityProcessLabel(virSecurityManagerPtr mgr ATTRIBUTE_UN
     virSecurityLabelDefPtr secdef;
     secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
-    if (secdef == NULL)
-        return -1;
-
-    if (secdef->label == NULL)
+    if (!secdef || !secdef->label)
         return 0;
     VIR_DEBUG("label=%s", secdef->label);
@@ -2055,10 +2033,7 @@ virSecuritySELinuxSetSecurityChildProcessLabel(virSecurityManagerPtr mgr ATTRIBU
     virSecurityLabelDefPtr secdef;
     secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
-    if (secdef == NULL)
-        return -1;
-
-    if (secdef->label == NULL)
+    if (!secdef || !secdef->label)
         return 0;
     VIR_DEBUG("label=%s", secdef->label);
@@ -2088,10 +2063,7 @@ virSecuritySELinuxSetSecurityDaemonSocketLabel(virSecurityManagerPtr mgr ATTRIBU
     int rc = -1;
     secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
-    if (secdef == NULL)
-        return -1;
-
-    if (secdef->label == NULL)
+    if (!secdef || !secdef->label)
         return 0;
     if (!STREQ(SECURITY_SELINUX_NAME, secdef->model)) {
@@ -2138,10 +2110,7 @@ virSecuritySELinuxSetSecuritySocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNU
     int rc = -1;
     secdef = virDomainDefGetSecurityLabelDef(vm, SECURITY_SELINUX_NAME);
-    if (secdef == NULL)
-        return -1;
-
-    if (secdef->label == NULL)
+    if (!secdef || !secdef->label)
         return 0;
     if (!STREQ(SECURITY_SELINUX_NAME, secdef->model)) {
@@ -2179,10 +2148,7 @@ virSecuritySELinuxClearSecuritySocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_U
     virSecurityLabelDefPtr secdef;
     secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
-    if (secdef == NULL)
-        return -1;
-
-    if (secdef->label == NULL)
+    if (!secdef || !secdef->label)
         return 0;
     if (!STREQ(SECURITY_SELINUX_NAME, secdef->model)) {
@@ -2264,7 +2230,7 @@ virSecuritySELinuxSetSecurityAllLabel(virSecurityManagerPtr mgr,
     secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
     if (secdef == NULL)
-        return -1;
+        return 0;
     if (secdef->norelabel || data->skipAllLabel)
         return 0;
@@ -2337,10 +2303,7 @@ virSecuritySELinuxSetImageFDLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
     virSecurityLabelDefPtr secdef;
     secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
-    if (secdef == NULL)
-        return -1;
-
-    if (secdef->imagelabel == NULL)
+    if (!secdef || !secdef->imagelabel)
         return 0;
     return virSecuritySELinuxFSetFilecon(fd, secdef->imagelabel);
@@ -2358,10 +2321,7 @@ virSecuritySELinuxSetTapFDLabel(virSecurityManagerPtr mgr,
     int rc = -1;
     secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
-    if (secdef == NULL)
-        return rc;
-
-    if (secdef->label == NULL)
+    if (!secdef || !secdef->label)
         return 0;
     if (fstat(fd, &buf) < 0) {
-- 
GitLab