[PATCH 1/3] selinux: Don't remember label for restore path

Michal Privoznik posted 3 patches 5 years, 10 months ago
[PATCH 1/3] selinux: Don't remember label for restore path
Posted by Michal Privoznik 5 years, 10 months ago
The seclabel for @stdin_path in virSecuritySELinuxSetAllLabel()
is not restored, because at virSecuritySELinuxRestoreAllLabel()
phase it's too late and the caller (QEMU driver) simply doesn't
care. Well, don't remember the label and let the perms leak.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
---
 src/security/security_selinux.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index 8aeb6e45a5..f47bfbdba9 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -3233,7 +3233,7 @@ virSecuritySELinuxSetAllLabel(virSecurityManagerPtr mgr,
 
     if (stdin_path &&
         virSecuritySELinuxSetFilecon(mgr, stdin_path,
-                                     data->content_context, true) < 0)
+                                     data->content_context, false) < 0)
         return -1;
 
     return 0;
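
Review bot: the bare false now passed as the last argument of virSecuritySELinuxSetFilecon() for stdin_path has no comment saying why this one path is deliberately not remembered. The rationale (virSecuritySELinuxRestoreAllLabel() never restores it) lives only in the commit message. Please add a short comment above the "if (stdin_path &&" condition stating that the label is not restored later and so the original must not be recorded; otherwise the next reader may flip it back to true.
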
-- 
2.24.1

Re: [PATCH 1/3] selinux: Don't remember label for restore path
Posted by Erik Skultety 5 years, 9 months ago
On Fri, Apr 03, 2020 at 05:58:01PM +0200, Michal Privoznik wrote:
> The seclabel for @stdin_path in virSecuritySELinuxSetAllLabel()
> is not restored, because at virSecuritySELinuxRestoreAllLabel()
> phase it's too late and the caller (QEMU driver) simply doesn't
> care. Well, don't remember the label and let the perms leak.
>
> Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
> ---
>  src/security/security_selinux.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
> index 8aeb6e45a5..f47bfbdba9 100644
> --- a/src/security/security_selinux.c
> +++ b/src/security/security_selinux.c
> @@ -3233,7 +3233,7 @@ virSecuritySELinuxSetAllLabel(virSecurityManagerPtr mgr,
>
>      if (stdin_path &&
>          virSecuritySELinuxSetFilecon(mgr, stdin_path,
> -                                     data->content_context, true) < 0)
> +                                     data->content_context, false) < 0)
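
Review bot: with false on this line, stdin_path still has data->content_context applied and, per the commit message, nothing puts the previous label back, so the file stays relabelled after the domain is gone. The commit message should state that consequence and who is expected to clean it up, rather than just "let the perms leak". Alternatively, the restore should be added on the caller's side.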

You're removing this whole condition in patch 3/3, so I suggest you drop this
patch completely.

--
Erik Skultety