security_selinux.c: Relabel existing mode="bind" UNIX sockets
This supports sockets created by libvirt and passed by FD using the same method as in security_dac.c. Signed-off-by: David Michael <david@bigbadwolfsecurity.com> Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
parent
09010f7e76
commit
9f13f54a63
@ -2541,7 +2541,12 @@ virSecuritySELinuxSetChardevLabel(virSecurityManager *mgr,
|
|||||||
break;
|
break;
|
||||||
|
|
||||||
case VIR_DOMAIN_CHR_TYPE_UNIX:
|
case VIR_DOMAIN_CHR_TYPE_UNIX:
|
||||||
if (!dev_source->data.nix.listen) {
|
if (!dev_source->data.nix.listen ||
|
||||||
|
(dev_source->data.nix.path &&
|
||||||
|
virFileExists(dev_source->data.nix.path))) {
|
||||||
|
/* Also label mode='bind' sockets if they exist,
|
||||||
|
* e.g. because they were created by libvirt
|
||||||
|
* and passed via FD */
|
||||||
if (virSecuritySELinuxSetFilecon(mgr,
|
if (virSecuritySELinuxSetFilecon(mgr,
|
||||||
dev_source->data.nix.path,
|
dev_source->data.nix.path,
|
||||||
imagelabel,
|
imagelabel,
|
||||||
@ -2618,7 +2623,7 @@ virSecuritySELinuxRestoreChardevLabel(virSecurityManager *mgr,
|
|||||||
case VIR_DOMAIN_CHR_TYPE_UNIX:
|
case VIR_DOMAIN_CHR_TYPE_UNIX:
|
||||||
if (!dev_source->data.nix.listen) {
|
if (!dev_source->data.nix.listen) {
|
||||||
if (virSecuritySELinuxRestoreFileLabel(mgr,
|
if (virSecuritySELinuxRestoreFileLabel(mgr,
|
||||||
dev_source->data.file.path,
|
dev_source->data.nix.path,
|
||||||
true) < 0)
|
true) < 0)
|
||||||
goto done;
|
goto done;
|
||||||
}
|
}
|
||||||
|
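Review bot: The restore case in virSecuritySELinuxRestoreChardevLabel is still gated on `if (!dev_source->data.nix.listen) {`, while the set case now also relabels an existing mode='bind' socket, so from what these hunks show the label applied to such a socket is never reverted there. If that is intentional (for instance because libvirt removes the sockets it created on teardown), a short comment in the restore case such as `/* existing mode='bind' sockets are relabelled on start but deliberately not restored */` would record it; otherwise the restore condition should mirror the set one. Separately, `virFileExists(dev_source->data.nix.path)` followed by a path-based virSecuritySELinuxSetFilecon() is a check-then-use on a path name, so it is worth confirming that the directory holding the socket cannot be written by a less-trusted user between the two calls. Both functions start and end outside the hunks shown.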
@ -2,6 +2,6 @@
|
|||||||
/plain.dev;system_u:object_r:svirt_image_t:s0:c41,c264
|
/plain.dev;system_u:object_r:svirt_image_t:s0:c41,c264
|
||||||
/plain.fifo;system_u:object_r:svirt_image_t:s0:c41,c264
|
/plain.fifo;system_u:object_r:svirt_image_t:s0:c41,c264
|
||||||
/nolabel.sock;
|
/nolabel.sock;
|
||||||
/plain.sock;
|
/plain.sock;system_u:object_r:svirt_image_t:s0:c41,c264
|
||||||
/yeslabel.sock;system_u:object_r:svirt_image_t:s0:c41,c264
|
/yeslabel.sock;system_u:object_r:svirt_image_t:s0:c41,c264
|
||||||
/altlabel.sock;system_u:object_r:svirt_image_custom_t:s0:c41,c264
|
/altlabel.sock;system_u:object_r:svirt_image_custom_t:s0:c41,c264
|
||||||
|