|
 |
459f93 |
From 07fb786e0d17bd395333d276ebbaad42c72ee358 Mon Sep 17 00:00:00 2001
|
|
|
459f93 |
Message-Id: <07fb786e0d17bd395333d276ebbaad42c72ee358@dist-git>
|
|
|
459f93 |
From: David Michael <david@bigbadwolfsecurity.com>
|
|
|
459f93 |
Date: Tue, 28 Jun 2022 08:33:41 -0400
|
|
|
459f93 |
Subject: [PATCH] security_selinux.c: Relabel existing mode="bind" UNIX sockets
|
|
|
459f93 |
|
|
|
459f93 |
This supports sockets created by libvirt and passed by FD using the
|
|
|
459f93 |
same method as in security_dac.c.
|
|
|
459f93 |
|
|
|
459f93 |
Signed-off-by: David Michael <david@bigbadwolfsecurity.com>
|
|
|
459f93 |
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
|
|
|
459f93 |
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
|
|
|
459f93 |
(cherry picked from commit 9f13f54a6348b54170f7de3595039c99b9da72c7)
|
|
|
459f93 |
|
|
|
459f93 |
https://bugzilla.redhat.com/show_bug.cgi?id=2101575
|
|
|
459f93 |
|
|
|
459f93 |
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
|
|
|
459f93 |
---
|
|
|
459f93 |
src/security/security_selinux.c | 9 +++++++--
|
|
|
459f93 |
tests/securityselinuxlabeldata/chardev.txt | 2 +-
|
|
|
459f93 |
2 files changed, 8 insertions(+), 3 deletions(-)
|
|
|
459f93 |
|
|
|
459f93 |
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
|
|
|
459f93 |
index 0952431064..b90e819fd2 100644
|
|
|
459f93 |
--- a/src/security/security_selinux.c
|
|
|
459f93 |
+++ b/src/security/security_selinux.c
|
|
|
459f93 |
@@ -2545,7 +2545,12 @@ virSecuritySELinuxSetChardevLabel(virSecurityManager *mgr,
|
|
|
459f93 |
break;
|
|
|
459f93 |
|
|
|
459f93 |
case VIR_DOMAIN_CHR_TYPE_UNIX:
|
|
|
459f93 |
- if (!dev_source->data.nix.listen) {
|
|
|
459f93 |
+ if (!dev_source->data.nix.listen ||
|
|
|
459f93 |
+ (dev_source->data.nix.path &&
|
|
|
459f93 |
+ virFileExists(dev_source->data.nix.path))) {
|
|
|
459f93 |
+ /* Also label mode='bind' sockets if they exist,
|
|
|
459f93 |
+ * e.g. because they were created by libvirt
|
|
|
459f93 |
+ * and passed via FD */
|
|
|
459f93 |
if (virSecuritySELinuxSetFilecon(mgr,
|
|
|
459f93 |
dev_source->data.nix.path,
|
|
|
459f93 |
imagelabel,
|
|
|
459f93 |
@@ -2622,7 +2627,7 @@ virSecuritySELinuxRestoreChardevLabel(virSecurityManager *mgr,
|
|
|
459f93 |
case VIR_DOMAIN_CHR_TYPE_UNIX:
|
|
|
459f93 |
if (!dev_source->data.nix.listen) {
|
|
|
459f93 |
if (virSecuritySELinuxRestoreFileLabel(mgr,
|
|
|
459f93 |
- dev_source->data.file.path,
|
|
|
459f93 |
+ dev_source->data.nix.path,
|
|
|
459f93 |
true) < 0)
|
|
|
459f93 |
goto done;
|
|
|
459f93 |
}
|
|
|
459f93 |
diff --git a/tests/securityselinuxlabeldata/chardev.txt b/tests/securityselinuxlabeldata/chardev.txt
|
|
|
459f93 |
index 3f4b6302b9..bdb367f7a5 100644
|
|
|
459f93 |
--- a/tests/securityselinuxlabeldata/chardev.txt
|
|
|
459f93 |
+++ b/tests/securityselinuxlabeldata/chardev.txt
|
|
|
459f93 |
@@ -2,6 +2,6 @@
|
|
|
459f93 |
/plain.dev;system_u:object_r:svirt_image_t:s0:c41,c264
|
|
|
459f93 |
/plain.fifo;system_u:object_r:svirt_image_t:s0:c41,c264
|
|
|
459f93 |
/nolabel.sock;
|
|
|
459f93 |
-/plain.sock;
|
|
|
459f93 |
+/plain.sock;system_u:object_r:svirt_image_t:s0:c41,c264
|
|
|
459f93 |
/yeslabel.sock;system_u:object_r:svirt_image_t:s0:c41,c264
|
|
|
459f93 |
/altlabel.sock;system_u:object_r:svirt_image_custom_t:s0:c41,c264
|
|
|
459f93 |
--
|
|
|
459f93 |
2.35.1
|
|
|
459f93 |
|