Honour current user and role in SELinux label generation

When generating an SELinux context for a VM from the template "system_u:system_r:svirt_t:s0", copy the role + user from the current process instead of the template context. So if the current process is unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 then the VM context ends up as unconfined_u:unconfined_r:svirt_t:s0:c386,c703 instead of system_u:system_r:svirt_t:s0:c177,c424 Ideally the /etc/selinux/targeted/contexts/virtual_domain_context file would have just shown the 'svirt_t' type, and not the full context, but that can't be changed now for compatibility reasons. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2012-08-09 17:20:25 +01:00 · 2012-08-09 17:20:25 +01:00 · b77e9814e4
parent cbe67ff9b0
commit b77e9814e4
1 changed files with 35 additions and 1 deletions
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@ -101,9 +101,23 @@ virSecuritySELinuxMCSRemove(virSecurityManagerPtr mgr,
 static char *
 virSecuritySELinuxGenNewContext(const char *basecontext, const char *mcs)
 {
-    context_t context;
+    context_t context = NULL;
    char *ret = NULL;
    char *str;
+    security_context_t ourSecContext = NULL;
+    context_t ourContext = NULL;
+
+    if (getcon(&ourSecContext) < 0) {
+        virReportSystemError(errno, "%s",
+                             _("Unable to get current process SELinux context"));
+        goto cleanup;
+    }
+    if (!(ourContext = context_new(ourSecContext))) {
+        virReportSystemError(errno,
+                             _("Unable to parse current SELinux context '%s'"),
+                             ourSecContext);
+        goto cleanup;
+    }

    if (!(context = context_new(basecontext))) {
        virReportSystemError(errno,
@ -112,6 +126,22 @@ virSecuritySELinuxGenNewContext(const char *basecontext, const char *mcs)
        goto cleanup;
    }

+    if (context_user_set(context,
+                         context_user_get(ourContext)) != 0) {
+        virReportSystemError(errno,
+                             _("Unable to set SELinux context user '%s'"),
+                             context_user_get(ourContext));
+        goto cleanup;
+    }
+
+    if (context_role_set(context,
+                         context_role_get(ourContext)) != 0) {
+        virReportSystemError(errno,
+                             _("Unable to set SELinux context user '%s'"),
+                             context_role_get(ourContext));
+        goto cleanup;
+    }
+
    if (context_range_set(context, mcs) != 0) {
        virReportSystemError(errno,
                             _("Unable to set SELinux context MCS '%s'"),
@ -127,7 +157,11 @@ virSecuritySELinuxGenNewContext(const char *basecontext, const char *mcs)
        virReportOOMError();
        goto cleanup;
    }
+    VIR_DEBUG("Generated context '%s' from '%s' and '%s'",
+              ret, basecontext, ourSecContext);
 cleanup:
+    freecon(ourSecContext);
+    context_free(ourContext);
    context_free(context);
    return ret;
 }