src/security/security_selinux.c | 22 ---------------------- 1 file changed, 22 deletions(-)
When SELinux support was first introduced the libselinux library
wasn't that advanced and setfilecon_raw() or fsetfilecon_raw()
could fail even when the target context was set. Looking at the
current code [1][2] this is no longer the case. We can drop our
workarounds.
1: https://github.com/SELinuxProject/selinux/blob/master/libselinux/src/setfilecon.c#L10
2: https://github.com/SELinuxProject/selinux/blob/master/libselinux/src/fsetfilecon.c#L10
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
---
src/security/security_selinux.c | 22 ----------------------
1 file changed, 22 deletions(-)
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index e05ef7593e..0bfb6a7fa6 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -1249,8 +1249,6 @@ virSecuritySELinuxSetFileconImpl(const char *path,
const char *tcon,
bool privileged)
{
- security_context_t econ;
-
/* Be aware that this function might run in a separate process.
* Therefore, any driver state changes would be thrown away. */
@@ -1259,15 +1257,6 @@ virSecuritySELinuxSetFileconImpl(const char *path,
if (setfilecon_raw(path, (const char *)tcon) < 0) {
int setfilecon_errno = errno;
- if (getfilecon_raw(path, &econ) >= 0) {
- if (STREQ(tcon, econ)) {
- freecon(econ);
- /* It's alright, there's nothing to change anyway. */
- return 1;
- }
- freecon(econ);
- }
-
/* If the error complaint is related to an image hosted on a (possibly
* read-only) NFS mount, or a usbfs/sysfs filesystem not supporting
* labelling, then just ignore it & hope for the best. The user
@@ -1401,22 +1390,11 @@ virSecuritySELinuxSetFilecon(virSecurityManagerPtr mgr,
static int
virSecuritySELinuxFSetFilecon(int fd, char *tcon)
{
- security_context_t econ;
-
VIR_INFO("Setting SELinux context on fd %d to '%s'", fd, tcon);
if (fsetfilecon_raw(fd, tcon) < 0) {
int fsetfilecon_errno = errno;
- if (fgetfilecon_raw(fd, &econ) >= 0) {
- if (STREQ(tcon, econ)) {
- freecon(econ);
- /* It's alright, there's nothing to change anyway. */
- return 0;
- }
- freecon(econ);
- }
-
/* if the error complaint is related to an image hosted on
* an nfs mount, or a usbfs/sysfs filesystem not supporting
* labelling, then just ignore it & hope for the best.
--
2.23.0
On Thu, Nov 28, 2019 at 09:49:46AM +0100, Michal Privoznik wrote: > When SELinux support was first introduced the libselinux library > wasn't that advanced and setfilecon_raw() or fsetfilecon_raw() > could fail even when the target context was set. Looking at the > current code [1][2] this is no longer the case. We can drop our > workarounds. > > 1: https://github.com/SELinuxProject/selinux/blob/master/libselinux/src/setfilecon.c#L10 > 2: https://github.com/SELinuxProject/selinux/blob/master/libselinux/src/fsetfilecon.c#L10 > > Signed-off-by: Michal Privoznik <mprivozn@redhat.com> > --- > src/security/security_selinux.c | 22 ---------------------- > 1 file changed, 22 deletions(-) Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :| -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list