NuKVM/libvirt
3
0
Fork 0
mirror of https://github.com/libvirt/libvirt.git synced 2025-02-25 18:55:26 -06:00
Code Issues Packages Projects Releases Wiki Activity

security: selinux: Take parent security label into account

Browse Source 
Until now we ignored user-provided backing chains and while detecting
the code inherited labels of the parent device. With user provided
chains we should keep this functionality, so label of the parent image
in the backing chain will be applied if an image-specific label is not
present.
This commit is contained in:
Peter Krempa
2017-10-17 08:03:42 +02:00
parent 2742dfee28
commit cc16fa2a85
1 changed files with 12 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
src/security/security_selinux.c
View File

@@ -1597,6 +1597,7 @@ virSecuritySELinuxSetImageLabelInternal(virSecurityManagerPtr mgr,
virSecuritySELinuxDataPtr data = virSecurityManagerGetPrivateData(mgr);
virSecurityLabelDefPtr secdef;
virSecurityDeviceLabelDefPtr disk_seclabel;
virSecurityDeviceLabelDefPtr parent_seclabel = NULL;
int ret;
if (!src->path || !virStorageSourceIsLocalStorage(src))
@@ -1608,12 +1609,20 @@ virSecuritySELinuxSetImageLabelInternal(virSecurityManagerPtr mgr,
disk_seclabel = virStorageSourceGetSecurityLabelDef(src,
SECURITY_SELINUX_NAME);
if (parent)
parent_seclabel = virStorageSourceGetSecurityLabelDef(parent,
SECURITY_SELINUX_NAME);
if (disk_seclabel && !disk_seclabel->relabel)
return 0;
if (disk_seclabel && (!disk_seclabel->relabel || disk_seclabel->label)) {
if (!disk_seclabel->relabel)
return 0;
if (disk_seclabel && disk_seclabel->relabel && disk_seclabel->label) {
ret = virSecuritySELinuxSetFilecon(mgr, src->path, disk_seclabel->label);
} else if (parent_seclabel && (!parent_seclabel->relabel || parent_seclabel->label)) {
if (!parent_seclabel->relabel)
return 0;
ret = virSecuritySELinuxSetFilecon(mgr, src->path, parent_seclabel->label);
} else if (!parent || parent == src) {
if (src->shared) {
ret = virSecuritySELinuxSetFileconOptional(mgr,