mirror of https://gitee.com/openkylin/libvirt.git
security_selinux.c: Relabel existing mode="bind" UNIX sockets
This supports sockets created by libvirt and passed by FD using the same method as in security_dac.c. Signed-off-by: David Michael <david@bigbadwolfsecurity.com> Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
parent
09010f7e76
commit
9f13f54a63
|
@ -2541,7 +2541,12 @@ virSecuritySELinuxSetChardevLabel(virSecurityManager *mgr,
|
|||
break;
|
||||
|
||||
case VIR_DOMAIN_CHR_TYPE_UNIX:
|
||||
if (!dev_source->data.nix.listen) {
|
||||
if (!dev_source->data.nix.listen ||
|
||||
(dev_source->data.nix.path &&
|
||||
virFileExists(dev_source->data.nix.path))) {
|
||||
/* Also label mode='bind' sockets if they exist,
|
||||
* e.g. because they were created by libvirt
|
||||
* and passed via FD */
|
||||
if (virSecuritySELinuxSetFilecon(mgr,
|
||||
dev_source->data.nix.path,
|
||||
imagelabel,
|
||||
|
@ -2618,7 +2623,7 @@ virSecuritySELinuxRestoreChardevLabel(virSecurityManager *mgr,
|
|||
case VIR_DOMAIN_CHR_TYPE_UNIX:
|
||||
if (!dev_source->data.nix.listen) {
|
||||
if (virSecuritySELinuxRestoreFileLabel(mgr,
|
||||
dev_source->data.file.path,
|
||||
dev_source->data.nix.path,
|
||||
true) < 0)
|
||||
goto done;
|
||||
}
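Review bot: The restore branch in virSecuritySELinuxRestoreChardevLabel still guards on `if (!dev_source->data.nix.listen)` alone, while the set branch now also labels mode='bind' sockets whose path exists, so a socket relabelled at start is not restored at teardown unless code outside this page handles it. If that is intentional (for example because sockets libvirt creates are removed on shutdown), a comment on the restore branch should say so; otherwise the restore condition should mirror the set side, `if (!dev_source->data.nix.listen || (dev_source->data.nix.path && virFileExists(dev_source->data.nix.path))) {`. Separately, `virFileExists()` only shows that something is present at the path, not that libvirt created the socket and passed it by FD, so a stale or pre-existing object at a configured path would also receive `imagelabel`; keying on the FD-passing state, or at least confirming the object is a socket, would narrow what gets relabelled. Both function bodies continue outside the hunks, so the surrounding handling is inferred rather than seen.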
|
||||
|
|
|
@ -2,6 +2,6 @@
|
|||
/plain.dev;system_u:object_r:svirt_image_t:s0:c41,c264
|
||||
/plain.fifo;system_u:object_r:svirt_image_t:s0:c41,c264
|
||||
/nolabel.sock;
|
||||
/plain.sock;
|
||||
/plain.sock;system_u:object_r:svirt_image_t:s0:c41,c264
|
||||
/yeslabel.sock;system_u:object_r:svirt_image_t:s0:c41,c264
|
||||
/altlabel.sock;system_u:object_r:svirt_image_custom_t:s0:c41,c264
|
||||
|
|