render / rpms / libvirt

Forked from rpms/libvirt 9 months ago
Clone
Source Code
GIT

Blame SOURCES/libvirt-security_selinux-Take-privileged-into-account.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c8-beta-stream-rhel c8-sig-altarch-stream-rhel c8-stream-rhel c8s-sig-hyperscale c8s-stream-rhel c9 c9-beta c9s-sig-hyperscale libvirt-hyperscale-10.4.0 upgrade-hyperscale-libvirt
  1.   2d1356ceae709434705af30d4d4005bbe6ec5183
  2.   SOURCES
  3.   libvirt-security_selinux-Take-privileged-into-account.patch
Blob History Raw
7a3408 
From 3306e7bb963713b01f31a12b61f7166d8412126c Mon Sep 17 00:00:00 2001
7a3408 
Message-Id: <3306e7bb963713b01f31a12b61f7166d8412126c@dist-git>
7a3408 
From: Michal Privoznik <mprivozn@redhat.com>
7a3408 
Date: Tue, 15 Sep 2015 11:51:24 +0200
7a3408 
Subject: [PATCH] security_selinux: Take @privileged into account
7a3408
7a3408 
https://bugzilla.redhat.com/show_bug.cgi?id=1124841
7a3408
7a3408 
If running in session mode it may happen that we fail to set
7a3408 
correct SELinux label, but the image may still be readable to
7a3408 
the qemu process. Take this into account.
7a3408
7a3408 
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
7a3408 
(cherry picked from commit 00e5b967168bab252ea2bef977ad40b4155f08df)
7a3408 
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
7a3408 
Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
7a3408 
---
7a3408 
 src/security/security_selinux.c | 126 +++++++++++++++++++++++++---------------
7a3408 
 1 file changed, 78 insertions(+), 48 deletions(-)
7a3408
7a3408 
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
7a3408 
index c6da6b0..c2464c2 100644
7a3408 
--- a/src/security/security_selinux.c
7a3408 
+++ b/src/security/security_selinux.c
7a3408 
@@ -886,7 +886,8 @@ virSecuritySELinuxGetSecurityProcessLabel(virSecurityManagerPtr mgr ATTRIBUTE_UN
7a3408 
  * return 1 if labelling was not possible.  Otherwise, require a label
7a3408 
  * change, and return 0 for success, -1 for failure.  */
7a3408 
 static int
7a3408 
-virSecuritySELinuxSetFileconHelper(const char *path, char *tcon, bool optional)
7a3408 
+virSecuritySELinuxSetFileconHelper(const char *path, char *tcon,
7a3408 
+                                   bool optional, bool privileged)
7a3408 
 {
7a3408 
     security_context_t econ;
7a3408
7a3408 
@@ -915,7 +916,10 @@ virSecuritySELinuxSetFileconHelper(const char *path, char *tcon, bool optional)
7a3408 
             virReportSystemError(setfilecon_errno,
7a3408 
                                  _("unable to set security context '%s' on '%s'"),
7a3408 
                                  tcon, path);
7a3408 
-            if (security_getenforce() == 1)
7a3408 
+            /* However, don't claim error if SELinux is in Enforcing mode and
7a3408 
+             * we are running as unprivileged user and we really did see EPERM.
7a3408 
+             * Otherwise we want to return error if SELinux is Enforcing. */
7a3408 
+            if (security_getenforce() == 1 && (setfilecon_errno != EPERM || privileged))
7a3408 
                 return -1;
7a3408 
         } else {
7a3408 
             const char *msg;
7a3408 
@@ -939,15 +943,19 @@ virSecuritySELinuxSetFileconHelper(const char *path, char *tcon, bool optional)
7a3408 
 }
7a3408
7a3408 
 static int
7a3408 
-virSecuritySELinuxSetFileconOptional(const char *path, char *tcon)
7a3408 
+virSecuritySELinuxSetFileconOptional(virSecurityManagerPtr mgr,
7a3408 
+                                     const char *path, char *tcon)
7a3408 
 {
7a3408 
-    return virSecuritySELinuxSetFileconHelper(path, tcon, true);
7a3408 
+    bool privileged = virSecurityManagerGetPrivileged(mgr);
7a3408 
+    return virSecuritySELinuxSetFileconHelper(path, tcon, true, privileged);
7a3408 
 }
7a3408
7a3408 
 static int
7a3408 
-virSecuritySELinuxSetFilecon(const char *path, char *tcon)
7a3408 
+virSecuritySELinuxSetFilecon(virSecurityManagerPtr mgr,
7a3408 
+                             const char *path, char *tcon)
7a3408 
 {
7a3408 
-    return virSecuritySELinuxSetFileconHelper(path, tcon, false);
7a3408 
+    bool privileged = virSecurityManagerGetPrivileged(mgr);
7a3408 
+    return virSecuritySELinuxSetFileconHelper(path, tcon, false, privileged);
7a3408 
 }
7a3408
7a3408 
 static int
7a3408 
@@ -1037,7 +1045,7 @@ virSecuritySELinuxRestoreSecurityFileLabel(virSecurityManagerPtr mgr,
7a3408 
         VIR_WARN("cannot lookup default selinux label for %s", newpath);
7a3408 
         rc = 0;
7a3408 
     } else {
7a3408 
-        rc = virSecuritySELinuxSetFilecon(newpath, fcon);
7a3408 
+        rc = virSecuritySELinuxSetFilecon(mgr, newpath, fcon);
7a3408 
     }
7a3408
7a3408 
  err:
7a3408 
@@ -1064,12 +1072,13 @@ virSecuritySELinuxSetSecurityTPMFileLabel(virSecurityManagerPtr mgr,
7a3408 
     switch (tpm->type) {
7a3408 
     case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH:
7a3408 
         tpmdev = tpm->data.passthrough.source.data.file.path;
7a3408 
-        rc = virSecuritySELinuxSetFilecon(tpmdev, seclabel->imagelabel);
7a3408 
+        rc = virSecuritySELinuxSetFilecon(mgr, tpmdev, seclabel->imagelabel);
7a3408 
         if (rc < 0)
7a3408 
             return -1;
7a3408
7a3408 
         if ((cancel_path = virTPMCreateCancelPath(tpmdev)) != NULL) {
7a3408 
-            rc = virSecuritySELinuxSetFilecon(cancel_path,
7a3408 
+            rc = virSecuritySELinuxSetFilecon(mgr,
7a3408 
+                                              cancel_path,
7a3408 
                                               seclabel->imagelabel);
7a3408 
             VIR_FREE(cancel_path);
7a3408 
             if (rc < 0) {
7a3408 
@@ -1223,22 +1232,26 @@ virSecuritySELinuxSetSecurityImageLabelInternal(virSecurityManagerPtr mgr,
7a3408 
         return 0;
7a3408
7a3408 
     if (disk_seclabel && disk_seclabel->relabel && disk_seclabel->label) {
7a3408 
-        ret = virSecuritySELinuxSetFilecon(src->path, disk_seclabel->label);
7a3408 
+        ret = virSecuritySELinuxSetFilecon(mgr, src->path, disk_seclabel->label);
7a3408 
     } else if (first) {
7a3408 
         if (src->shared) {
7a3408 
-            ret = virSecuritySELinuxSetFileconOptional(src->path,
7a3408 
+            ret = virSecuritySELinuxSetFileconOptional(mgr,
7a3408 
+                                                       src->path,
7a3408 
                                                        data->file_context);
7a3408 
         } else if (src->readonly) {
7a3408 
-            ret = virSecuritySELinuxSetFileconOptional(src->path,
7a3408 
+            ret = virSecuritySELinuxSetFileconOptional(mgr,
7a3408 
+                                                       src->path,
7a3408 
                                                        data->content_context);
7a3408 
         } else if (secdef->imagelabel) {
7a3408 
-            ret = virSecuritySELinuxSetFileconOptional(src->path,
7a3408 
+            ret = virSecuritySELinuxSetFileconOptional(mgr,
7a3408 
+                                                       src->path,
7a3408 
                                                        secdef->imagelabel);
7a3408 
         } else {
7a3408 
             ret = 0;
7a3408 
         }
7a3408 
     } else {
7a3408 
-        ret = virSecuritySELinuxSetFileconOptional(src->path,
7a3408 
+        ret = virSecuritySELinuxSetFileconOptional(mgr,
7a3408 
+                                                   src->path,
7a3408 
                                                    data->content_context);
7a3408 
     }
7a3408
7a3408 
@@ -1290,17 +1303,18 @@ virSecuritySELinuxSetSecurityDiskLabel(virSecurityManagerPtr mgr,
7a3408 
     return 0;
7a3408 
 }
7a3408
7a3408 
-
7a3408 
 static int
7a3408 
 virSecuritySELinuxSetSecurityHostdevLabelHelper(const char *file, void *opaque)
7a3408 
 {
7a3408 
     virSecurityLabelDefPtr secdef;
7a3408 
-    virDomainDefPtr def = opaque;
7a3408 
+    virSecuritySELinuxCallbackDataPtr data = opaque;
7a3408 
+    virSecurityManagerPtr mgr = data->mgr;
7a3408 
+    virDomainDefPtr def = data->def;
7a3408
7a3408 
     secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
7a3408 
     if (secdef == NULL)
7a3408 
         return 0;
7a3408 
-    return virSecuritySELinuxSetFilecon(file, secdef->imagelabel);
7a3408 
+    return virSecuritySELinuxSetFilecon(mgr, file, secdef->imagelabel);
7a3408 
 }
7a3408
7a3408 
 static int
7a3408 
@@ -1331,13 +1345,14 @@ virSecuritySELinuxSetSecuritySCSILabel(virSCSIDevicePtr dev,
7a3408 
         return 0;
7a3408
7a3408 
     if (virSCSIDeviceGetShareable(dev))
7a3408 
-        return virSecuritySELinuxSetFileconOptional(file,
7a3408 
+        return virSecuritySELinuxSetFileconOptional(mgr, file,
7a3408 
                                                     data->file_context);
7a3408 
     else if (virSCSIDeviceGetReadonly(dev))
7a3408 
-        return virSecuritySELinuxSetFileconOptional(file,
7a3408 
+        return virSecuritySELinuxSetFileconOptional(mgr, file,
7a3408 
                                                     data->content_context);
7a3408 
     else
7a3408 
-        return virSecuritySELinuxSetFileconOptional(file, secdef->imagelabel);
7a3408 
+        return virSecuritySELinuxSetFileconOptional(mgr, file,
7a3408 
+                                                    secdef->imagelabel);
7a3408 
 }
7a3408
7a3408 
 static int
7a3408 
@@ -1350,6 +1365,8 @@ virSecuritySELinuxSetSecurityHostdevSubsysLabel(virSecurityManagerPtr mgr,
7a3408 
     virDomainHostdevSubsysUSBPtr usbsrc = &dev->source.subsys.u.usb;
7a3408 
     virDomainHostdevSubsysPCIPtr pcisrc = &dev->source.subsys.u.pci;
7a3408 
     virDomainHostdevSubsysSCSIPtr scsisrc = &dev->source.subsys.u.scsi;
7a3408 
+    virSecuritySELinuxCallbackData data = {.mgr = mgr, .def = def};
7a3408 
+
7a3408 
     int ret = -1;
7a3408
7a3408 
     /* Like virSecuritySELinuxSetSecurityImageLabelInternal() for a networked
7a3408 
@@ -1372,7 +1389,7 @@ virSecuritySELinuxSetSecurityHostdevSubsysLabel(virSecurityManagerPtr mgr,
7a3408 
         if (!usb)
7a3408 
             goto done;
7a3408
7a3408 
-        ret = virUSBDeviceFileIterate(usb, virSecuritySELinuxSetSecurityUSBLabel, def);
7a3408 
+        ret = virUSBDeviceFileIterate(usb, virSecuritySELinuxSetSecurityUSBLabel, &data);
7a3408 
         virUSBDeviceFree(usb);
7a3408 
         break;
7a3408 
     }
7a3408 
@@ -1392,10 +1409,10 @@ virSecuritySELinuxSetSecurityHostdevSubsysLabel(virSecurityManagerPtr mgr,
7a3408 
                 virPCIDeviceFree(pci);
7a3408 
                 goto done;
7a3408 
             }
7a3408 
-            ret = virSecuritySELinuxSetSecurityPCILabel(pci, vfioGroupDev, def);
7a3408 
+            ret = virSecuritySELinuxSetSecurityPCILabel(pci, vfioGroupDev, &data);
7a3408 
             VIR_FREE(vfioGroupDev);
7a3408 
         } else {
7a3408 
-            ret = virPCIDeviceFileIterate(pci, virSecuritySELinuxSetSecurityPCILabel, def);
7a3408 
+            ret = virPCIDeviceFileIterate(pci, virSecuritySELinuxSetSecurityPCILabel, &data);
7a3408 
         }
7a3408 
         virPCIDeviceFree(pci);
7a3408 
         break;
7a3408 
@@ -1403,7 +1420,6 @@ virSecuritySELinuxSetSecurityHostdevSubsysLabel(virSecurityManagerPtr mgr,
7a3408
7a3408 
     case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_SCSI: {
7a3408 
         virDomainHostdevSubsysSCSIHostPtr scsihostsrc = &scsisrc->u.host;
7a3408 
-        virSecuritySELinuxCallbackData data = {.mgr = mgr, .def = def};
7a3408
7a3408 
         virSCSIDevicePtr scsi =
7a3408 
             virSCSIDeviceNew(NULL,
7a3408 
@@ -1433,7 +1449,8 @@ virSecuritySELinuxSetSecurityHostdevSubsysLabel(virSecurityManagerPtr mgr,
7a3408
7a3408
7a3408 
 static int
7a3408 
-virSecuritySELinuxSetSecurityHostdevCapsLabel(virDomainDefPtr def,
7a3408 
+virSecuritySELinuxSetSecurityHostdevCapsLabel(virSecurityManagerPtr mgr,
7a3408 
+                                              virDomainDefPtr def,
7a3408 
                                               virDomainHostdevDefPtr dev,
7a3408 
                                               const char *vroot)
7a3408 
 {
7a3408 
@@ -1455,7 +1472,7 @@ virSecuritySELinuxSetSecurityHostdevCapsLabel(virDomainDefPtr def,
7a3408 
             if (VIR_STRDUP(path, dev->source.caps.u.storage.block) < 0)
7a3408 
                 return -1;
7a3408 
         }
7a3408 
-        ret = virSecuritySELinuxSetFilecon(path, secdef->imagelabel);
7a3408 
+        ret = virSecuritySELinuxSetFilecon(mgr, path, secdef->imagelabel);
7a3408 
         VIR_FREE(path);
7a3408 
         break;
7a3408 
     }
7a3408 
@@ -1469,7 +1486,7 @@ virSecuritySELinuxSetSecurityHostdevCapsLabel(virDomainDefPtr def,
7a3408 
             if (VIR_STRDUP(path, dev->source.caps.u.misc.chardev) < 0)
7a3408 
                 return -1;
7a3408 
         }
7a3408 
-        ret = virSecuritySELinuxSetFilecon(path, secdef->imagelabel);
7a3408 
+        ret = virSecuritySELinuxSetFilecon(mgr, path, secdef->imagelabel);
7a3408 
         VIR_FREE(path);
7a3408 
         break;
7a3408 
     }
7a3408 
@@ -1502,7 +1519,8 @@ virSecuritySELinuxSetSecurityHostdevLabel(virSecurityManagerPtr mgr,
7a3408 
                                                                dev, vroot);
7a3408
7a3408 
     case VIR_DOMAIN_HOSTDEV_MODE_CAPABILITIES:
7a3408 
-        return virSecuritySELinuxSetSecurityHostdevCapsLabel(def, dev, vroot);
7a3408 
+        return virSecuritySELinuxSetSecurityHostdevCapsLabel(mgr, def,
7a3408 
+                                                             dev, vroot);
7a3408
7a3408 
     default:
7a3408 
         return 0;
7a3408 
@@ -1707,7 +1725,8 @@ virSecuritySELinuxRestoreSecurityHostdevLabel(virSecurityManagerPtr mgr,
7a3408
7a3408
7a3408 
 static int
7a3408 
-virSecuritySELinuxSetSecurityChardevLabel(virDomainDefPtr def,
7a3408 
+virSecuritySELinuxSetSecurityChardevLabel(virSecurityManagerPtr mgr,
7a3408 
+                                          virDomainDefPtr def,
7a3408 
                                           virDomainChrDefPtr dev,
7a3408 
                                           virDomainChrSourceDefPtr dev_source)
7a3408
7a3408 
@@ -1737,13 +1756,15 @@ virSecuritySELinuxSetSecurityChardevLabel(virDomainDefPtr def,
7a3408 
     switch (dev_source->type) {
7a3408 
     case VIR_DOMAIN_CHR_TYPE_DEV:
7a3408 
     case VIR_DOMAIN_CHR_TYPE_FILE:
7a3408 
-        ret = virSecuritySELinuxSetFilecon(dev_source->data.file.path,
7a3408 
+        ret = virSecuritySELinuxSetFilecon(mgr,
7a3408 
+                                           dev_source->data.file.path,
7a3408 
                                            imagelabel);
7a3408 
         break;
7a3408
7a3408 
     case VIR_DOMAIN_CHR_TYPE_UNIX:
7a3408 
         if (!dev_source->data.nix.listen) {
7a3408 
-            if (virSecuritySELinuxSetFilecon(dev_source->data.nix.path,
7a3408 
+            if (virSecuritySELinuxSetFilecon(mgr,
7a3408 
+                                             dev_source->data.nix.path,
7a3408 
                                              imagelabel) < 0)
7a3408 
                 goto done;
7a3408 
         }
7a3408 
@@ -1755,11 +1776,12 @@ virSecuritySELinuxSetSecurityChardevLabel(virDomainDefPtr def,
7a3408 
             (virAsprintf(&out, "%s.out", dev_source->data.file.path) < 0))
7a3408 
             goto done;
7a3408 
         if (virFileExists(in) && virFileExists(out)) {
7a3408 
-            if ((virSecuritySELinuxSetFilecon(in, imagelabel) < 0) ||
7a3408 
-                (virSecuritySELinuxSetFilecon(out, imagelabel) < 0)) {
7a3408 
+            if ((virSecuritySELinuxSetFilecon(mgr, in, imagelabel) < 0) ||
7a3408 
+                (virSecuritySELinuxSetFilecon(mgr, out, imagelabel) < 0)) {
7a3408 
                 goto done;
7a3408 
             }
7a3408 
-        } else if (virSecuritySELinuxSetFilecon(dev_source->data.file.path,
7a3408 
+        } else if (virSecuritySELinuxSetFilecon(mgr,
7a3408 
+                                                dev_source->data.file.path,
7a3408 
                                                 imagelabel) < 0) {
7a3408 
             goto done;
7a3408 
         }
7a3408 
@@ -2000,7 +2022,7 @@ virSecuritySELinuxReleaseSecurityLabel(virSecurityManagerPtr mgr,
7a3408
7a3408
7a3408 
 static int
7a3408 
-virSecuritySELinuxSetSavedStateLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
7a3408 
+virSecuritySELinuxSetSavedStateLabel(virSecurityManagerPtr mgr,
7a3408 
                                      virDomainDefPtr def,
7a3408 
                                      const char *savefile)
7a3408 
 {
7a3408 
@@ -2010,7 +2032,7 @@ virSecuritySELinuxSetSavedStateLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
7a3408 
     if (!secdef || !secdef->relabel)
7a3408 
         return 0;
7a3408
7a3408 
-    return virSecuritySELinuxSetFilecon(savefile, secdef->imagelabel);
7a3408 
+    return virSecuritySELinuxSetFilecon(mgr, savefile, secdef->imagelabel);
7a3408 
 }
7a3408
7a3408
7a3408 
@@ -2242,14 +2264,16 @@ virSecuritySELinuxClearSecuritySocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_U
7a3408 
 static int
7a3408 
 virSecuritySELinuxSetSecurityChardevCallback(virDomainDefPtr def,
7a3408 
                                              virDomainChrDefPtr dev,
7a3408 
-                                             void *opaque ATTRIBUTE_UNUSED)
7a3408 
+                                             void *opaque)
7a3408 
 {
7a3408 
+    virSecurityManagerPtr mgr = opaque;
7a3408 
+
7a3408 
     /* This is taken care of by processing of def->serials */
7a3408 
     if (dev->deviceType == VIR_DOMAIN_CHR_DEVICE_TYPE_CONSOLE &&
7a3408 
         dev->targetType == VIR_DOMAIN_CHR_CONSOLE_TARGET_TYPE_SERIAL)
7a3408 
         return 0;
7a3408
7a3408 
-    return virSecuritySELinuxSetSecurityChardevLabel(def, dev, &dev->source);
7a3408 
+    return virSecuritySELinuxSetSecurityChardevLabel(mgr, def, dev, &dev->source);
7a3408 
 }
7a3408
7a3408
7a3408 
@@ -2270,10 +2294,11 @@ virSecuritySELinuxSetSecuritySmartcardCallback(virDomainDefPtr def,
7a3408 
         database = dev->data.cert.database;
7a3408 
         if (!database)
7a3408 
             database = VIR_DOMAIN_SMARTCARD_DEFAULT_DATABASE;
7a3408 
-        return virSecuritySELinuxSetFilecon(database, data->content_context);
7a3408 
+        return virSecuritySELinuxSetFilecon(mgr, database, data->content_context);
7a3408
7a3408 
     case VIR_DOMAIN_SMARTCARD_TYPE_PASSTHROUGH:
7a3408 
-        return virSecuritySELinuxSetSecurityChardevLabel(def, NULL, &dev->data.passthru);
7a3408 
+        return virSecuritySELinuxSetSecurityChardevLabel(mgr, def, NULL,
7a3408 
+                                                         &dev->data.passthru);
7a3408
7a3408 
     default:
7a3408 
         virReportError(VIR_ERR_INTERNAL_ERROR,
7a3408 
@@ -2330,7 +2355,7 @@ virSecuritySELinuxSetSecurityAllLabel(virSecurityManagerPtr mgr,
7a3408 
     if (virDomainChrDefForeach(def,
7a3408 
                                true,
7a3408 
                                virSecuritySELinuxSetSecurityChardevCallback,
7a3408 
-                               NULL) < 0)
7a3408 
+                               mgr) < 0)
7a3408 
         return -1;
7a3408
7a3408 
     if (virDomainSmartcardDefForeach(def,
7a3408 
@@ -2343,23 +2368,28 @@ virSecuritySELinuxSetSecurityAllLabel(virSecurityManagerPtr mgr,
7a3408 
      * is really a disk, qemu can read and write to it. */
7a3408 
     if (def->os.loader && def->os.loader->nvram &&
7a3408 
         secdef && secdef->imagelabel &&
7a3408 
-        virSecuritySELinuxSetFilecon(def->os.loader->nvram, secdef->imagelabel) < 0)
7a3408 
+        virSecuritySELinuxSetFilecon(mgr, def->os.loader->nvram,
7a3408 
+                                     secdef->imagelabel) < 0)
7a3408 
         return -1;
7a3408
7a3408 
     if (def->os.kernel &&
7a3408 
-        virSecuritySELinuxSetFilecon(def->os.kernel, data->content_context) < 0)
7a3408 
+        virSecuritySELinuxSetFilecon(mgr, def->os.kernel,
7a3408 
+                                     data->content_context) < 0)
7a3408 
         return -1;
7a3408
7a3408 
     if (def->os.initrd &&
7a3408 
-        virSecuritySELinuxSetFilecon(def->os.initrd, data->content_context) < 0)
7a3408 
+        virSecuritySELinuxSetFilecon(mgr, def->os.initrd,
7a3408 
+                                     data->content_context) < 0)
7a3408 
         return -1;
7a3408
7a3408 
     if (def->os.dtb &&
7a3408 
-        virSecuritySELinuxSetFilecon(def->os.dtb, data->content_context) < 0)
7a3408 
+        virSecuritySELinuxSetFilecon(mgr, def->os.dtb,
7a3408 
+                                     data->content_context) < 0)
7a3408 
         return -1;
7a3408
7a3408 
     if (stdin_path &&
7a3408 
-        virSecuritySELinuxSetFilecon(stdin_path, data->content_context) < 0)
7a3408 
+        virSecuritySELinuxSetFilecon(mgr, stdin_path,
7a3408 
+                                     data->content_context) < 0)
7a3408 
         return -1;
7a3408
7a3408 
     return 0;
7a3408 
@@ -2507,7 +2537,7 @@ virSecuritySELinuxGetSecurityMountOptions(virSecurityManagerPtr mgr,
7a3408 
 }
7a3408
7a3408 
 static int
7a3408 
-virSecuritySELinuxDomainSetDirLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
7a3408 
+virSecuritySELinuxDomainSetDirLabel(virSecurityManagerPtr mgr,
7a3408 
                                     virDomainDefPtr def,
7a3408 
                                     const char *path)
7a3408 
 {
7a3408 
@@ -2517,7 +2547,7 @@ virSecuritySELinuxDomainSetDirLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
7a3408 
     if (!seclabel || !seclabel->relabel)
7a3408 
         return 0;
7a3408
7a3408 
-    return virSecuritySELinuxSetFilecon(path, seclabel->imagelabel);
7a3408 
+    return virSecuritySELinuxSetFilecon(mgr, path, seclabel->imagelabel);
7a3408 
 }
7a3408
7a3408 
 virSecurityDriver virSecurityDriverSELinux = {
7a3408 
--
7a3408 
2.5.3
7a3408

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation