/* Callback that labels one file of a disk's backing chain.
 *
 * disk   - the disk definition this path belongs to
 * path   - the file to label
 * depth  - 0 for the top-level image, >0 for backing files
 * opaque - a virSecurityLabelDefPtr (assumed non-NULL; never checked here)
 *
 * Returns the result of SELinuxSetFilecon, except that a failure on an
 * NFS-backed path is deliberately swallowed (returns 0) — such images run
 * with whatever label the server exports, not the one intended here. */
static int
SELinuxSetSecurityFileLabel(virDomainDiskDefPtr disk,
                            const char *path,
                            size_t depth,
                            void *opaque)
{
    const virSecurityLabelDefPtr secdef = opaque;
    int ret;

    /* Backing files always get the read-only content context; only the
     * top-level image (depth == 0) is labelled according to its flags. */
    if (depth != 0)
        ret = SELinuxSetFilecon(path, default_content_context);
    else if (disk->shared)
        ret = SELinuxSetFilecon(path, default_image_context);
    else if (disk->readonly)
        ret = SELinuxSetFilecon(path, default_content_context);
    else if (secdef->imagelabel)
        ret = SELinuxSetFilecon(path, secdef->imagelabel);
    else
        ret = 0;           /* nothing to apply for this disk */

    /* Tolerate a labelling failure on NFS, where setting a context is
     * commonly refused.  NOTE(review): this silently downgrades the
     * isolation for that image; the caller is not told. */
    if (ret < 0 &&
        virStorageFileIsSharedFSType(path,
                                     VIR_STORAGE_FILE_SHFS_NFS) == 1)
        ret = 0;

    return ret;
}
/* Best-effort restore of the default SELinux context on PATH.
 *
 * Problems are only logged (VIR_WARN), never reported as errors: the
 * caller is typically already unwinding from a failure, and raising
 * here would overwrite the error it is about to return.
 *
 * The symlink is resolved first so the target, not the link, is
 * relabelled.  Returns the result of SELinuxSetFilecon on the target,
 * or -1 if the path could not be resolved, stat'ed, or its default
 * context looked up (in which case the file keeps its current label).
 *
 * NOTE(review): resolve, stat and relabel are three separate path
 * operations, so a path component swapped in between them would be
 * followed; acceptable only if PATH's parent directories are trusted. */
static int
SELinuxRestoreSecurityFileLabel(const char *path)
{
    struct stat sb;
    security_context_t defcon = NULL;
    char *target = NULL;
    char ebuf[1024];
    int rc = -1;

    VIR_INFO("Restoring SELinux context on '%s'", path);

    if (virFileResolveLink(path, &target) < 0) {
        VIR_WARN("cannot resolve symlink %s: %s", path,
                 virStrerror(errno, ebuf, sizeof(ebuf)));
    } else if (stat(target, &sb) != 0) {
        VIR_WARN("cannot stat %s: %s", target,
                 virStrerror(errno, ebuf, sizeof(ebuf)));
    } else if (getContext(target, sb.st_mode, &defcon) < 0) {
        /* No policy default for this file type: leave it untouched. */
        VIR_WARN("cannot lookup default selinux label for %s", target);
    } else {
        rc = SELinuxSetFilecon(target, defcon);
    }

    /* Both are safe on NULL when an early branch was taken. */
    freecon(defcon);
    VIR_FREE(target);
    return rc;
}
/* Callback that labels one file of a disk's backing chain.
 *
 * disk   - the disk definition this path belongs to; may be mutated (see below)
 * path   - the file to label
 * depth  - 0 for the top-level image, >0 for backing files
 * opaque - a virSecuritySELinuxCallbackDataPtr carrying the domain's
 *          security label definition and the security manager
 *
 * Precedence: a per-disk <seclabel> overrides everything — norelabel
 * means "do not touch", an explicit label is applied unconditionally.
 * Otherwise the default contexts from the manager's private data (or the
 * domain's imagelabel) are applied via SELinuxSetFileconOptional.
 *
 * Returns 0 on success, -1 on error.  A return of 1 from the Optional
 * setter means the label could not be applied but the failure is
 * tolerated (the original comment attributes this to virt_use_nfs); in
 * that case the disk is given a norelabel seclabel so later calls, and
 * the eventual restore, leave it alone.  NOTE(review): such a disk then
 * runs without the intended SELinux label and nothing reports that. */
static int
SELinuxSetSecurityFileLabel(virDomainDiskDefPtr disk,
                            const char *path,
                            size_t depth,
                            void *opaque)
{
    virSecuritySELinuxCallbackDataPtr cbdata = opaque;
    const virSecurityLabelDefPtr secdef = cbdata->secdef;
    virSecuritySELinuxDataPtr data = virSecurityManagerGetPrivateData(cbdata->manager);
    int ret = 0;

    /* Per-disk opt-out: nothing to do at all. */
    if (disk->seclabel && disk->seclabel->norelabel)
        return 0;

    if (disk->seclabel && disk->seclabel->label) {
        /* Explicit per-disk label: a failure here is a hard error. */
        ret = SELinuxSetFilecon(path, disk->seclabel->label);
    } else if (depth != 0) {
        /* Backing files are always read-only content. */
        ret = SELinuxSetFileconOptional(path, data->content_context);
    } else if (disk->shared) {
        ret = SELinuxSetFileconOptional(path, data->file_context);
    } else if (disk->readonly) {
        ret = SELinuxSetFileconOptional(path, data->content_context);
    } else if (secdef->imagelabel) {
        ret = SELinuxSetFileconOptional(path, secdef->imagelabel);
    }

    /* Only the tolerated-failure case without an existing per-disk
     * seclabel needs the norelabel marker. */
    if (ret != 1 || disk->seclabel)
        return ret;

    if (VIR_ALLOC(disk->seclabel) < 0) {
        virReportOOMError();
        return -1;
    }
    disk->seclabel->norelabel = true;
    return 0;
}