From b77e9814e4a626f5b26aacc784a2919d8f73b4e9 Mon Sep 17 00:00:00 2001 From: "Daniel P. Berrange" Date: Thu, 9 Aug 2012 17:20:25 +0100 Subject: [PATCH] Honour current user and role in SELinux label generation When generating an SELinux context for a VM from the template "system_u:system_r:svirt_t:s0", copy the role + user from the current process instead of the template context. So if the current process is unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 then the VM context ends up as unconfined_u:unconfined_r:svirt_t:s0:c386,c703 instead of system_u:system_r:svirt_t:s0:c177,c424 Ideally the /etc/selinux/targeted/contexts/virtual_domain_context file would have just shown the 'svirt_t' type, and not the full context, but that can't be changed now for compatibility reasons. Signed-off-by: Daniel P. Berrange --- src/security/security_selinux.c | 36 ++++++++++++++++++++++++++++++++- 1 file changed, 35 insertions(+), 1 deletion(-) diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c index 1b5c02ea02..70685282f4 100644 --- a/src/security/security_selinux.c +++ b/src/security/security_selinux.c @@ -101,9 +101,23 @@ virSecuritySELinuxMCSRemove(virSecurityManagerPtr mgr, static char * virSecuritySELinuxGenNewContext(const char *basecontext, const char *mcs) { - context_t context; + context_t context = NULL; char *ret = NULL; char *str; + security_context_t ourSecContext = NULL; + context_t ourContext = NULL; + + if (getcon(&ourSecContext) < 0) { + virReportSystemError(errno, "%s", + _("Unable to get current process SELinux context")); + goto cleanup; + } + if (!(ourContext = context_new(ourSecContext))) { + virReportSystemError(errno, + _("Unable to parse current SELinux context '%s'"), + ourSecContext); + goto cleanup; + } if (!(context = context_new(basecontext))) { virReportSystemError(errno, @@ -112,6 +126,22 @@ virSecuritySELinuxGenNewContext(const char *basecontext, const char *mcs) goto cleanup; } + if (context_user_set(context, + context_user_get(ourContext)) != 0) { + virReportSystemError(errno, + _("Unable to set SELinux context user '%s'"), + context_user_get(ourContext)); + goto cleanup; + } + + if (context_role_set(context, + context_role_get(ourContext)) != 0) { + virReportSystemError(errno, + _("Unable to set SELinux context user '%s'"), + context_role_get(ourContext)); + goto cleanup; + } + if (context_range_set(context, mcs) != 0) { virReportSystemError(errno, _("Unable to set SELinux context MCS '%s'"), @@ -127,7 +157,11 @@ virSecuritySELinuxGenNewContext(const char *basecontext, const char *mcs) virReportOOMError(); goto cleanup; } + VIR_DEBUG("Generated context '%s' from '%s' and '%s'", + ret, basecontext, ourSecContext); cleanup: + freecon(ourSecContext); + context_free(ourContext); context_free(context); return ret; }