From 3a8e136e6b46174f347e088ade020c168fffafad Mon Sep 17 00:00:00 2001

From: Cole Robinson <crobinso@redhat.com>

Date: Wed, 24 Sep 2014 11:47:46 -0400

Subject: [PATCH] security: Fix labelling host devices (bz 1145968)

The check for ISCSI devices was missing a check of subsys type, which

meant we could skip labelling of other host devices as well. This fixes

USB hotplug on F21

https://bugzilla.redhat.com/show_bug.cgi?id=1145968

---

 src/security/security_apparmor.c | 3 ++-

 src/security/security_dac.c      | 6 ++++--

 src/security/security_selinux.c  | 6 ++++--

 3 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/src/security/security_apparmor.c b/src/security/security_apparmor.c

index 041ce65..3025284 100644

--- a/src/security/security_apparmor.c

+++ b/src/security/security_apparmor.c

@@ -828,7 +828,8 @@ AppArmorSetSecurityHostdevLabel(virSecurityManagerPtr mgr,

     /* Like AppArmorRestoreSecurityImageLabel() for a networked disk,

      * do nothing for an iSCSI hostdev

      */

-    if (scsisrc->protocol == VIR_DOMAIN_HOSTDEV_SCSI_PROTOCOL_TYPE_ISCSI)

+    if (dev->source.subsys.type == VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_SCSI &&

+        scsisrc->protocol == VIR_DOMAIN_HOSTDEV_SCSI_PROTOCOL_TYPE_ISCSI)

         return 0;

     if (profile_loaded(secdef->imagelabel) < 0)

diff --git a/src/security/security_dac.c b/src/security/security_dac.c

index e398d2c..85253af 100644

--- a/src/security/security_dac.c

+++ b/src/security/security_dac.c

@@ -523,7 +523,8 @@ virSecurityDACSetSecurityHostdevLabel(virSecurityManagerPtr mgr,

     /* Like virSecurityDACSetSecurityImageLabel() for a networked disk,

      * do nothing for an iSCSI hostdev

      */

-    if (scsisrc->protocol == VIR_DOMAIN_HOSTDEV_SCSI_PROTOCOL_TYPE_ISCSI)

+    if (dev->source.subsys.type == VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_SCSI &&

+        scsisrc->protocol == VIR_DOMAIN_HOSTDEV_SCSI_PROTOCOL_TYPE_ISCSI)

         return 0;

     cbdata.manager = mgr;

@@ -657,7 +658,8 @@ virSecurityDACRestoreSecurityHostdevLabel(virSecurityManagerPtr mgr,

     /* Like virSecurityDACRestoreSecurityImageLabelInt() for a networked disk,

      * do nothing for an iSCSI hostdev

      */

-    if (scsisrc->protocol == VIR_DOMAIN_HOSTDEV_SCSI_PROTOCOL_TYPE_ISCSI)

+    if (dev->source.subsys.type == VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_SCSI &&

+        scsisrc->protocol == VIR_DOMAIN_HOSTDEV_SCSI_PROTOCOL_TYPE_ISCSI)

         return 0;

     switch ((virDomainHostdevSubsysType) dev->source.subsys.type) {

diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c

index b9efbc5..ea1efc9 100644

--- a/src/security/security_selinux.c

+++ b/src/security/security_selinux.c

@@ -1327,7 +1327,8 @@ virSecuritySELinuxSetSecurityHostdevSubsysLabel(virDomainDefPtr def,

     /* Like virSecuritySELinuxSetSecurityImageLabelInternal() for a networked

      * disk, do nothing for an iSCSI hostdev

      */

-    if (scsisrc->protocol == VIR_DOMAIN_HOSTDEV_SCSI_PROTOCOL_TYPE_ISCSI)

+    if (dev->source.subsys.type == VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_SCSI &&

+        scsisrc->protocol == VIR_DOMAIN_HOSTDEV_SCSI_PROTOCOL_TYPE_ISCSI)

         return 0;

     switch (dev->source.subsys.type) {

@@ -1520,7 +1521,8 @@ virSecuritySELinuxRestoreSecurityHostdevSubsysLabel(virSecurityManagerPtr mgr,

     /* Like virSecuritySELinuxRestoreSecurityImageLabelInt() for a networked

      * disk, do nothing for an iSCSI hostdev

      */

-    if (scsisrc->protocol == VIR_DOMAIN_HOSTDEV_SCSI_PROTOCOL_TYPE_ISCSI)

+    if (dev->source.subsys.type == VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_SCSI &&

+        scsisrc->protocol == VIR_DOMAIN_HOSTDEV_SCSI_PROTOCOL_TYPE_ISCSI)

         return 0;

     switch (dev->source.subsys.type) {