/*
 * Callback applied to every file in a disk's backing chain.
 *
 * @disk   the disk whose chain is being relabelled
 * @path   file currently being visited
 * @depth  0 for the disk image itself, >0 for its backing files
 * @opaque the domain's virSecurityLabelDefPtr
 *
 * Returns the SELinuxSetFilecon() result, except that a failure on an
 * NFS-backed path is tolerated and reported as 0.
 */
static int
SELinuxSetSecurityFileLabel(virDomainDiskDefPtr disk,
                            const char *path,
                            size_t depth,
                            void *opaque)
{
    const virSecurityLabelDefPtr secdef = opaque;
    int ret = 0;

    if (depth != 0) {
        /* Backing files get the (read-only) content context. */
        ret = SELinuxSetFilecon(path, default_content_context);
    } else if (disk->shared) {
        ret = SELinuxSetFilecon(path, default_image_context);
    } else if (disk->readonly) {
        ret = SELinuxSetFilecon(path, default_content_context);
    } else if (secdef->imagelabel) {
        /* Writable, private image: use the per-domain image label. */
        ret = SELinuxSetFilecon(path, secdef->imagelabel);
    }
    /* No image label for a writable private image: nothing to set (ret stays 0). */

    /* A failed relabel on NFS is not treated as fatal. */
    if (ret < 0 &&
        virStorageFileIsSharedFSType(path, VIR_STORAGE_FILE_SHFS_NFS) == 1)
        ret = 0;

    return ret;
}
/* This method shouldn't raise errors, since they'll overwrite
 * errors that the caller(s) are already dealing with */
/*
 * Put the default (policy-derived) SELinux label back onto @path.
 *
 * The symlink is resolved first so that the link target, not the link,
 * is stat'ed and relabelled.  Every failure is logged with VIR_WARN and
 * turned into a -1 return; only the SELinuxSetFilecon() result is
 * passed through.
 *
 * NOTE(review): stat() and the relabel both address the target by
 * pathname rather than through one held descriptor, so the object can
 * change between the two calls; confirm callers keep the path stable.
 */
static int
SELinuxRestoreSecurityFileLabel(const char *path)
{
    security_context_t default_con = NULL;
    char *target = NULL;
    struct stat st;
    char ebuf[1024];
    int rc = -1;

    VIR_INFO("Restoring SELinux context on '%s'", path);

    if (virFileResolveLink(path, &target) < 0) {
        VIR_WARN("cannot resolve symlink %s: %s", path,
                 virStrerror(errno, ebuf, sizeof(ebuf)));
    } else if (stat(target, &st) != 0) {
        VIR_WARN("cannot stat %s: %s", target,
                 virStrerror(errno, ebuf, sizeof(ebuf)));
    } else if (getContext(target, st.st_mode, &default_con) < 0) {
        VIR_WARN("cannot lookup default selinux label for %s", target);
    } else {
        rc = SELinuxSetFilecon(target, default_con);
    }

    /* Both release helpers accept NULL, so the early-failure paths are safe. */
    freecon(default_con);
    VIR_FREE(target);
    return rc;
}
/*
 * Callback applied to every file in a disk's backing chain.
 *
 * @disk   the disk whose chain is being relabelled
 * @path   file currently being visited
 * @depth  0 for the disk image itself, >0 for its backing files
 * @opaque a virSecuritySELinuxCallbackDataPtr carrying the domain
 *         seclabel and the security manager
 *
 * A per-disk seclabel takes precedence: norelabel skips the file, an
 * explicit label is applied with SELinuxSetFilecon().  Otherwise the
 * manager's default contexts are applied via SELinuxSetFileconOptional().
 *
 * Returns 0 on success, -1 on failure (including OOM while recording
 * that a later relabel is unnecessary).
 */
static int
SELinuxSetSecurityFileLabel(virDomainDiskDefPtr disk,
                            const char *path,
                            size_t depth,
                            void *opaque)
{
    virSecuritySELinuxCallbackDataPtr cbdata = opaque;
    const virSecurityLabelDefPtr secdef = cbdata->secdef;
    virSecuritySELinuxDataPtr data =
        virSecurityManagerGetPrivateData(cbdata->manager);
    int ret = 0;

    /* Caller asked for this disk to be left alone. */
    if (disk->seclabel && disk->seclabel->norelabel)
        return 0;

    if (disk->seclabel && disk->seclabel->label) {
        /* Explicit per-disk label: a failure here is not optional. */
        ret = SELinuxSetFilecon(path, disk->seclabel->label);
    } else if (depth == 0 && !disk->shared && !disk->readonly) {
        /* Writable, private image: per-domain image label, if there is one. */
        if (secdef->imagelabel)
            ret = SELinuxSetFileconOptional(path, secdef->imagelabel);
    } else {
        /* Shared images get the file context; read-only images and all
         * backing files get the content context. */
        char *tcon = (depth == 0 && disk->shared) ? data->file_context
                                                  : data->content_context;
        ret = SELinuxSetFileconOptional(path, tcon);
    }

    if (ret == 1 && !disk->seclabel) {
        /* The label could not be set but virt_use_nfs lets the disk be
         * used anyway; remember that so no relabel is attempted later. */
        if (VIR_ALLOC(disk->seclabel) < 0) {
            virReportOOMError();
            return -1;
        }
        disk->seclabel->norelabel = true;
        ret = 0;
    }

    return ret;
}