[libvirt] [PATCH 2/3] security: selinux: Set saved state label only if it is available

2014-08-12 Thread Peter Krempa
Check that secdef->imagelabel exists before blindly applying it.
---
 src/security/security_selinux.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index c078cab..cf59d6c 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -1962,7 +1962,7 @@ 
virSecuritySELinuxSetSavedStateLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
 virSecurityLabelDefPtr secdef;

 secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
-if (!secdef || !secdef-relabel)
+if (!secdef || !secdef-imagelabel || !secdef-relabel)
 return 0;

 return virSecuritySELinuxSetFilecon(savefile, secdef-imagelabel);
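Review bot: The added `!secdef->imagelabel` test in the `if` shares the `return 0` path with the no-secdef and no-relabel cases, so when relabeling is enabled but no image label is set, the save file keeps whatever context it already had and the caller sees success. If that state is not expected for a domain whose state is being saved, report it (log a warning or return an error) instead of succeeding silently, and state in the commit message when `imagelabel` can be NULL at this point so the check can be judged against the caller that triggers it.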
-- 
2.0.2

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list


Re: [libvirt] [PATCH 2/3] security: selinux: Set saved state label only if it is available

2014-08-12 Thread Ján Tomko
On 08/12/2014 03:44 PM, Peter Krempa wrote:
 Check that secdef->imagelabel exists before blindly applying it.
 ---
  src/security/security_selinux.c | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
 index c078cab..cf59d6c 100644
 --- a/src/security/security_selinux.c
 +++ b/src/security/security_selinux.c
 @@ -1962,7 +1962,7 @@ 
 virSecuritySELinuxSetSavedStateLabel(virSecurityManagerPtr mgr 
 ATTRIBUTE_UNUSED,
  virSecurityLabelDefPtr secdef;
 
  secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
 -if (!secdef || !secdef-relabel)
 +if (!secdef || !secdef-imagelabel || !secdef-relabel)
  return 0;
 
  return virSecuritySELinuxSetFilecon(savefile, secdef-imagelabel);
 

I think this just covers up incorrect usage of this function on shutoff
domains, because if a running domain has a selinux label, it should have the
imagelabel generated.

Jan




Re: [libvirt] [PATCH 2/3] security: selinux: Set saved state label only if it is available

2014-08-12 Thread Peter Krempa
On 08/12/14 17:17, Ján Tomko wrote:
 On 08/12/2014 03:44 PM, Peter Krempa wrote:
 Check that secdef->imagelabel exists before blindly applying it.
 ---
  src/security/security_selinux.c | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)

 diff --git a/src/security/security_selinux.c 
 b/src/security/security_selinux.c
 index c078cab..cf59d6c 100644
 --- a/src/security/security_selinux.c
 +++ b/src/security/security_selinux.c
 @@ -1962,7 +1962,7 @@ 
 virSecuritySELinuxSetSavedStateLabel(virSecurityManagerPtr mgr 
 ATTRIBUTE_UNUSED,
  virSecurityLabelDefPtr secdef;

  secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
 -if (!secdef || !secdef-relabel)
 +if (!secdef || !secdef-imagelabel || !secdef-relabel)
  return 0;

  return virSecuritySELinuxSetFilecon(savefile, secdef-imagelabel);

 
 I think this just covers up incorrect usage of this function on shutoff
 domains, because if a running domain has a selinux label, it should have the
 imagelabel generated.

Fair enough. I'll drop this one.



