[libvirt] [PATCH] selinux: Drop needless getfilecon()-s

Michal Privoznik posted 1 patch 4 years, 4 months ago
Test syntax-check failed
Patches applied successfully (tree, apply log)
git fetch https://github.com/patchew-project/libvirt tags/patchew/63427008159d77b8b44fd6a4d4795671a5dce2d5.1574930986.git.mprivozn@redhat.com
src/security/security_selinux.c | 22 ----------------------
1 file changed, 22 deletions(-)
[libvirt] [PATCH] selinux: Drop needless getfilecon()-s
Posted by Michal Privoznik 4 years, 4 months ago
When SELinux support was first introduced the libselinux library
wasn't that advanced and setfilecon_raw() or fsetfilecon_raw()
could fail even when the target context was set. Looking at the
current code [1][2] this is no longer the case. We can drop our
workarounds.

1: https://github.com/SELinuxProject/selinux/blob/master/libselinux/src/setfilecon.c#L10
2: https://github.com/SELinuxProject/selinux/blob/master/libselinux/src/fsetfilecon.c#L10

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
---
 src/security/security_selinux.c | 22 ----------------------
 1 file changed, 22 deletions(-)

diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index e05ef7593e..0bfb6a7fa6 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -1249,8 +1249,6 @@ virSecuritySELinuxSetFileconImpl(const char *path,
                                  const char *tcon,
                                  bool privileged)
 {
-    security_context_t econ;
-
     /* Be aware that this function might run in a separate process.
      * Therefore, any driver state changes would be thrown away. */
 
@@ -1259,15 +1257,6 @@ virSecuritySELinuxSetFileconImpl(const char *path,
     if (setfilecon_raw(path, (const char *)tcon) < 0) {
         int setfilecon_errno = errno;
 
-        if (getfilecon_raw(path, &econ) >= 0) {
-            if (STREQ(tcon, econ)) {
-                freecon(econ);
-                /* It's alright, there's nothing to change anyway. */
-                return 1;
-            }
-            freecon(econ);
-        }
-
         /* If the error complaint is related to an image hosted on a (possibly
          * read-only) NFS mount, or a usbfs/sysfs filesystem not supporting
          * labelling, then just ignore it & hope for the best.  The user
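Review bot: the branch deleted from the setfilecon_raw() failure path was a place where this function returned 1 ("It's alright, there's nothing to change anyway."), so check whether any remaining path still returns 1 and whether callers or the function's comment rely on that value. If nothing returns 1 any more, say so in the commit message or adjust the callers in the same patch; if the errno handling that follows still does, a short comment there stating what 1 means would help now that this explanation is gone.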
@@ -1401,22 +1390,11 @@ virSecuritySELinuxSetFilecon(virSecurityManagerPtr mgr,
 static int
 virSecuritySELinuxFSetFilecon(int fd, char *tcon)
 {
-    security_context_t econ;
-
     VIR_INFO("Setting SELinux context on fd %d to '%s'", fd, tcon);
 
     if (fsetfilecon_raw(fd, tcon) < 0) {
         int fsetfilecon_errno = errno;
 
-        if (fgetfilecon_raw(fd, &econ) >= 0) {
-            if (STREQ(tcon, econ)) {
-                freecon(econ);
-                /* It's alright, there's nothing to change anyway. */
-                return 0;
-            }
-            freecon(econ);
-        }
-
         /* if the error complaint is related to an image hosted on
          * an nfs mount, or a usbfs/sysfs filesystem not supporting
          * labelling, then just ignore it & hope for the best.
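Review bot: with the fgetfilecon_raw() comparison removed after `if (fsetfilecon_raw(fd, tcon) < 0) {`, a failure on an fd that already carries the requested label now goes straight to the errno handling below, so the change is only safe on libselinux versions where fsetfilecon_raw() no longer fails in that case. The commit message points at master for [1] and [2]; please name the oldest libselinux release with that behaviour, confirm it is at or below the minimum version libvirt builds against, and use commit-pinned links so the referenced line does not drift.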
-- 
2.23.0

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

Re: [libvirt] [PATCH] selinux: Drop needless getfilecon()-s
Posted by Daniel P. Berrangé 4 years, 4 months ago
On Thu, Nov 28, 2019 at 09:49:46AM +0100, Michal Privoznik wrote:
> When SELinux support was first introduced the libselinux library
> wasn't that advanced and setfilecon_raw() or fsetfilecon_raw()
> could fail even when the target context was set. Looking at the
> current code [1][2] this is no longer the case. We can drop our
> workarounds.
> 
> 1: https://github.com/SELinuxProject/selinux/blob/master/libselinux/src/setfilecon.c#L10
> 2: https://github.com/SELinuxProject/selinux/blob/master/libselinux/src/fsetfilecon.c#L10
> 
> Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
> ---
>  src/security/security_selinux.c | 22 ----------------------
>  1 file changed, 22 deletions(-)

Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>


Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
